Rules Contributing to Microsoft Entra Application Configuration Changes Alert
The following rules are used to identify suspicious Microsoft Entra application configuration changes. A match on any one or more of them triggers the Microsoft Entra Application Configuration Changes Alert. The details recorded for each rule (query, log source, rule source, author, ATT&CK mapping, severity) are listed below.
Application AppID Uri Configuration Changes
Description: Detects when a configuration change is made to an application's AppID URI.
Rule ID: (not listed)
Query: {'selection': {'properties_message': ['Update Application', 'Update Service principal']}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events configured.
Rule Source: SigmaHQ, 1b45b0d1-773f-4f23-aedc-814b759563b1
Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
Tactics, Techniques, and Procedures: CREDENTIAL_ACCESS, PERSISTENCE, T1078.004, T1552
References: (not listed)
Severity: 75
Suppression Logic Based On: (not listed)
Additional Information: (not listed)

Added Credentials to Existing Application
Description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Rule ID: (not listed)
Query: {'selection': {'properties_message': ['Update Application-Certificates and secrets management', 'Update Service principal/Update Application']}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events configured.
Rule Source: SigmaHQ, cbb67ecc-fb70-4467-9350-c910bdf7c628
Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
Tactics, Techniques, and Procedures: (not listed)
References: (not listed)
Severity: 75
Suppression Logic Based On: (not listed)
Additional Information: (not listed)

Added Owner to Application
Description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
Rule ID: (not listed)
Query: {'selection': {'properties_message': 'Add owner to application'}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events configured.
Rule Source: SigmaHQ, 74298991-9fc4-460e-a92e-511aa60baec1
Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
Tactics, Techniques, and Procedures: (not listed)
References: (not listed)
Severity: 50
Suppression Logic Based On: (not listed)
Additional Information: (not listed)

Azure Application Credential Modified
Description: Identifies when an application credential is modified.
Rule ID: (not listed)
Query: {'selection': {'properties_message': 'Update application - Certificates and secrets management'}, 'condition': 'selection'}
Log Source: Stellar Cyber Microsoft Entra Events configured.
Rule Source: SigmaHQ, cdeef967-f9a1-4375-90ee-6978c5f23974
Author: Austin Songer @austinsonger
Tactics, Techniques, and Procedures: (not listed)
References: (not listed)
Severity: 50
Suppression Logic Based On: (not listed)
Additional Information: (not listed)
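The four queries above are Sigma selections that reduce to "does the event's `properties_message` equal one of these strings". The following is an added example, not Stellar Cyber's or SigmaHQ's code, that evaluates those four selections over a few constructed Entra audit events and applies the page's rule that any one match raises the composite alert. It assumes (this is not stated on the page) that `properties_message` carries the Entra audit log activity display name and that a plain Sigma value is matched as a case-insensitive exact string, which is Sigma's default for unmodified values. The sample events, the `target` field and the `alert_for` helper are constructed for the demonstration.

```python
"""Evaluate the four Sigma selections from the rule table over constructed
Entra audit events. Assumptions (not from the page): `properties_message`
holds the audit activity display name; plain values match case-insensitively
and exactly, as Sigma does for unmodified string values."""

# Selections and severities copied from the rule table above.
RULES = {
    "Application AppID Uri Configuration Changes": {
        "selection": {"properties_message": ["Update Application", "Update Service principal"]},
        "condition": "selection",
        "severity": 75,
    },
    "Added Credentials to Existing Application": {
        "selection": {"properties_message": [
            "Update Application-Certificates and secrets management",
            "Update Service principal/Update Application",
        ]},
        "condition": "selection",
        "severity": 75,
    },
    "Added Owner to Application": {
        "selection": {"properties_message": "Add owner to application"},
        "condition": "selection",
        "severity": 50,
    },
    "Azure Application Credential Modified": {
        "selection": {"properties_message": "Update application - Certificates and secrets management"},
        "condition": "selection",
        "severity": 50,
    },
}

# Constructed sample events; these are not real tenant data.
SAMPLE_EVENTS = [
    {"properties_message": "Add owner to application", "target": "app:payroll-sync"},
    {"properties_message": "Update application - Certificates and secrets management", "target": "app:payroll-sync"},
    {"properties_message": "Update Service principal", "target": "sp:payroll-sync"},
    {"properties_message": "Update user", "target": "user:jdoe"},
]


def _as_list(value):
    """Sigma allows a single value or a list of values for a field."""
    return value if isinstance(value, list) else [value]


def selection_matches(selection, event):
    """Every field in the selection must match (AND across fields); a list of
    values for one field matches if any value equals the event's field value
    (OR within a field), compared case-insensitively."""
    for field, wanted in selection.items():
        actual = event.get(field)
        if not isinstance(actual, str):
            return False
        if not any(actual.lower() == w.lower() for w in _as_list(wanted)):
            return False
    return True


def evaluate(event, rules=RULES):
    """Return the names of rules whose condition holds for one event. Only the
    bare `condition: selection` form used by these four rules is supported."""
    fired = []
    for name, rule in rules.items():
        if rule["condition"] != "selection":
            raise ValueError(f"unsupported condition in {name!r}: {rule['condition']!r}")
        if selection_matches(rule["selection"], event):
            fired.append(name)
    return fired


def alert_for(events, rules=RULES):
    """Apply the page's composition rule: any one or more matching rules raises
    the Microsoft Entra Application Configuration Changes Alert. Returns the
    sorted names of contributing rules and the highest severity among them
    (0 when nothing fired)."""
    fired = {}
    for event in events:
        for name in evaluate(event, rules):
            fired[name] = rules[name]["severity"]
    return sorted(fired), max(fired.values(), default=0)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['properties_message']!r:70} -> {evaluate(event)}")
    names, severity = alert_for(SAMPLE_EVENTS)
    print("alert raised:", bool(names), "severity:", severity, "rules:", names)
```

Running it shows the `Update user` event matching nothing and the other three each firing exactly one rule. Note that the two credential rules spell the activity name differently (`Update Application-Certificates and secrets management` versus `Update application - Certificates and secrets management`), so under exact matching an event with one spelling fires only the rule carrying that spelling; before relying on either rule, confirm which string your Entra log source actually emits.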