App Role Added
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Sigma rule (View on GitHub)
1title: App Role Added
2id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
3status: test
4description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
8date: 2022-07-19
9tags:
10 - attack.persistence
11 - attack.privilege-escalation
12 - attack.t1098.003
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 properties.message:
19 - Add member to role
20 - Add eligible member to role
21 - Add scoped member to role
22 condition: selection
23falsepositives:
24 - When the permission is legitimately needed for the app
25level: medium
References
Related rules
- App Granted Privileged Delegated Or App Permissions
- Google Workspace Application Access Level Modified
- User Added to an Administrator's Azure AD Role
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS