App Granted Microsoft Permissions

Oct 17, 2023 · attack.credential_access attack.t1528 ·

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Sigma rule (View on GitHub)

 1title: App Granted Microsoft Permissions
 2id: c1d147ae-a951-48e5-8b41-dcd0170c7213
 3status: test
 4description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022/07/10
 9tags:
10    - attack.credential_access
11    - attack.t1528
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Add delegated permission grant
19            - Add app role assignment to service principal
20    condition: selection
21falsepositives:
22    - When the permission is legitimately needed for the app
23level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

App Granted Microsoft Permissions

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules