App Role Added

Oct 28, 2023 · attack.persistence attack.privilege_escalation attack.t1098.003 ·

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Sigma rule (View on GitHub)

 1title: App Role Added
 2id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
 3status: test
 4description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022/07/19
 9tags:
10    - attack.persistence
11    - attack.privilege_escalation
12    - attack.t1098.003
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        properties.message:
19            - Add member to role
20            - Add eligible member to role
21            - Add scoped member to role
22    condition: selection
23falsepositives:
24    - When the permission is legitimately needed for the app
25level: medium

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

App Role Added

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules