App Role Added

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Sigma rule (View on GitHub)

 1title: App Role Added
 2id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
 3status: test
 4description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 7author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 8date: 2022/07/19
 9tags:
10    - attack.persistence
11    - attack.privilege_escalation
12    - attack.t1098.003
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        properties.message:
19            - Add member to role
20            - Add eligible member to role
21            - Add scoped member to role
22    condition: selection
23falsepositives:
24    - When the permission is legitimately needed for the app
25level: medium

References

Related rules

to-top