App Assigned To Azure RBAC/Microsoft Entra Role

Nov 20, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003 ·

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Sigma rule (View on GitHub)

 1title: App Assigned To Azure RBAC/Microsoft Entra Role
 2id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
 3status: test
 4description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022-07-19
 9modified: 2024-11-04
10tags:
11    - attack.persistence
12    - attack.privilege-escalation
13    - attack.t1098.003
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        targetResources.type: 'Service Principal'
20        properties.message:
21            - Add member to role
22            - Add eligible member to role
23            - Add scoped member to role
24    condition: selection
25falsepositives:
26    - When the permission is legitimately needed for the app
27level: medium

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

App Assigned To Azure RBAC/Microsoft Entra Role

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules