App Granted Privileged Delegated Or App Permissions

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Sigma rule (View on GitHub)

 1title: App Granted Privileged Delegated Or App Permissions
 2id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
 3related:
 4    - id: ba2a7c80-027b-460f-92e2-57d113897dbc
 5      type: obsolete
 6status: test
 7description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
 8references:
 9    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
10author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
11date: 2022-07-28
12modified: 2023-03-29
13tags:
14    - attack.persistence
15    - attack.privilege-escalation
16    - attack.t1098.003
17logsource:
18    product: azure
19    service: auditlogs
20detection:
21    selection:
22        properties.message: Add app role assignment to service principal
23    condition: selection
24falsepositives:
25    - When the permission is legitimately needed for the app
26level: high

References

Related rules

to-top