Rules Contributing to Microsoft Entra Application Permission Changes Alert
The following rules are used to identify suspicious Microsoft Entra application permission changes. Any one or more of these will trigger the Microsoft Entra Application Permission Changes Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description
---|---
App Granted Privileged Delegated or App Permissions | Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.
App Role Added | Detects when an app is assigned Microsoft Entra roles, such as global administrator, or Microsoft Entra RBAC roles, such as subscription owner.

More details: App Granted Privileged Delegated or App Permissions

Field | Value
---|---
Rule ID |
Query | `{'selection': {'properties_message': 'Add app role assignment to service principal'}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, 5aecf3d5-f8a0-48e7-99be-3a759df7358f
Author | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
Tactics, Techniques, and Procedures | PRIVILEGE_ESCALATION, T1078.004
References |
Severity | 75
Suppression Logic Based On |
Additional Information |

More details: App Role Added

Field | Value
---|---
Rule ID |
Query | `{'selection': {'properties_message': ['Add member to role', 'Add eligible member to role', 'Add scoped member to role']}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured.
Rule Source | SigmaHQ, b04934b2-0a68-4845-8a19-bdfed3a68a7a
Author | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
Tactics, Techniques, and Procedures | PRIVILEGE_ESCALATION, T1078.004
References |
Severity | 50
Suppression Logic Based On |
Additional Information |