Detectionhightest

Delegated Permissions Granted For All Users

Detects when highly privileged delegated permissions are granted on behalf of all users

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Bailey Bercik, Mark MorowczynskiCreated Thu Jul 28a6355fbe-f36f-45d8-8efc-ab42465cbc52cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message: Add delegated permission grant
    condition: selection

False Positives

When the permission is legitimately needed for the app

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

a6355fbe-f36f-45d8-8efc-ab42465cbc52

Status

test

Level

high

Type

Detection

Created

Thu Jul 28

Author

Path

rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml

Raw Tags

attack.credential-accessattack.t1528