Detection | high | test

App Granted Privileged Delegated Or App Permissions

Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.

Bailey Bercik, Mark Morowczynski
Created Thu Jul 28
Updated Wed Mar 29
5aecf3d5-f8a0-48e7-99be-3a759df7358f
cloud

Log Source
Product: Azure (raw: azure)
Service: auditlogs (raw: auditlogs)

Detection Logic (1 selector)
detection:
    selection:
        properties.message: Add app role assignment to service principal
    condition: selection
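
The selection above applied to exported audit records, as an added example that is not part of the rule or the Sigma project's code. It assumes newline-delimited JSON input in which `properties.message` may appear nested or as a flattened key; the sample records, the `id` field and the non-matching message strings are constructed. It shows that the match is an exact, case-insensitive comparison, so a record with any other message (for example a delegated-grant one) is not selected by this logic.

```python
import json

# Selection from the rule above: field path -> expected value.
SELECTION = {"properties.message": "Add app role assignment to service principal"}

def get_field(event, path):
    """Resolve a dotted Sigma field name against a flat or nested record."""
    if path in event:                      # exporter already flattened the key
        return event[path]
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(event, selection=SELECTION):
    """All fields must equal their value; Sigma string compares ignore case."""
    for path, expected in selection.items():
        value = get_field(event, path)
        if not isinstance(value, str) or value.casefold() != expected.casefold():
            return False
    return True

def scan(lines):
    """Return the parsed events that satisfy `condition: selection`."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                       # skip truncated or non-JSON lines
        if isinstance(event, dict) and matches(event):
            hits.append(event)
    return hits

# Constructed sample records (not real tenant data); "id" is a hypothetical field.
SAMPLE_LINES = [
    '{"id": 1, "properties": {"message": "Add app role assignment to service principal"}}',
    '{"id": 2, "properties.message": "add app role assignment to service principal"}',
    '{"id": 3, "properties": {"message": "Add delegated permission grant"}}',
    '{"id": 4, "properties": {"message": "Add app role assignment to service principal (extra)"}}',
    '{"id": 5, "properties": {"message": ',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("ALERT", hit["id"])
```
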
False Positives

When the permission is legitimately needed for the app

Related Rules
Similar

ba2a7c80-027b-460f-92e2-57d113897dbc

Rule Metadata
Rule ID
5aecf3d5-f8a0-48e7-99be-3a759df7358f
Status
test
Level
high
Type
Detection
Created
Thu Jul 28
Modified
Wed Mar 29
Path
rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.t1098.003