Detectionhightest

App Granted Microsoft Permissions

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Bailey Bercik, Mark MorowczynskiCreated Sun Jul 10c1d147ae-a951-48e5-8b41-dcd0170c7213cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message:
            - Add delegated permission grant
            - Add app role assignment to service principal
    condition: selection

False Positives

When the permission is legitimately needed for the app

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1528 · Steal Application Access Token

Rule Metadata

Rule ID

c1d147ae-a951-48e5-8b41-dcd0170c7213

Status

test

Level

high

Type

Detection

Created

Sun Jul 10

Author

Bailey Bercik, Mark Morowczynski

Path

rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml

Raw Tags

attack.credential-accessattack.t1528

View on GitHub