
App Assigned To Azure RBAC/Microsoft Entra Role

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Authors: Bailey Bercik, Mark Morowczynski (created Tue Jul 19, updated Mon Nov 04)
Log Source
Product: azure
Service: auditlogs
Detection Logic
detection:
    selection:
        targetResources.type: 'Service Principal'
        properties.message:
            - Add member to role
            - Add eligible member to role
            - Add scoped member to role
    condition: selection
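As an added example (not code from the Sigma project or this rule's authors), the following Python applies the selection above to constructed Microsoft Entra audit records, using Sigma's semantics of AND across fields, OR across the values listed under one field, and case-insensitive string equality. The flattened record layout and the assumption that `targetResources` is a list of objects are mine, not something the rule states.

```python
# Added example: evaluate the rule's selection against constructed audit records.
# The record shape below is an assumption of what the azure/auditlogs source yields.

# The selection transcribed from the rule's YAML: field -> list of allowed values.
SELECTION = {
    "targetResources.type": ["Service Principal"],
    "properties.message": [
        "Add member to role",
        "Add eligible member to role",
        "Add scoped member to role",
    ],
}

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"properties": {"message": "Add member to role"},
     "targetResources": [{"type": "Service Principal", "displayName": "app-a"}]},
    {"properties": {"message": "Add member to role"},
     "targetResources": [{"type": "User", "displayName": "alice"}]},
    {"properties": {"message": "Add eligible member to role"},
     "targetResources": [{"type": "Service Principal", "displayName": "app-b"}]},
    {"properties": {"message": "Remove member from role"},
     "targetResources": [{"type": "Service Principal", "displayName": "app-a"}]},
]


def get_field(record, dotted):
    """Resolve a dotted Sigma field name. A list on the path (targetResources
    is a list in Entra audit events) fans out so every element is inspected."""
    values = [record]
    for part in dotted.split("."):
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    return values


def matches(record):
    """Every selection field must match (AND); within a field any listed
    value may match (OR); comparison is case-insensitive as in Sigma."""
    for field, allowed in SELECTION.items():
        actual = [str(a).casefold() for a in get_field(record, field)]
        if not any(v.casefold() in actual for v in allowed):
            return False
    return True


def alerts(records):
    """Return the indexes of records that would trigger the rule."""
    return [i for i, r in enumerate(records) if matches(r)]
```

Records 0 and 2 match; record 1 fails on the target type and record 3 on the message, which is how the rule stays silent on role removals and on assignments to users.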
False Positives

When the role assignment is legitimately required by the app

Rule Metadata
Rule ID
b04934b2-0a68-4845-8a19-bdfed3a68a7a
Status
test
Level
medium
Type
Detection
Created
Tue Jul 19
Modified
Mon Nov 04
Path
rules/cloud/azure/audit_logs/azure_app_role_added.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.t1098.003