Detectionmediumtest

Added Owner To Application

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark Morowczynski, Bailey BercikCreated Thu Jun 0274298991-9fc4-460e-a92e-511aa60baec1cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message: Add owner to application
    condition: selection

False Positives

When a new application owner is added by an administrator

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1552 · Unsecured Credentials

Rule Metadata

Rule ID

74298991-9fc4-460e-a92e-511aa60baec1

Status

test

Level

medium

Type

Detection

Created

Thu Jun 02

Author

Mark Morowczynski, Bailey Bercik

Path

rules/cloud/azure/audit_logs/azure_app_owner_added.yml

Raw Tags

attack.t1552attack.credential-access

View on GitHub