IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« User Added as Owner for Azure Application Azure Kubernetes Rolebindings Created »

› ›

User Added as Owner for Azure Service Principal

edit

User Added as Owner for Azure Service Principal

edit

Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.

Rule type: query

Rule indices:

filebeat-*
logs-azure*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Tags:

Elastic
Cloud
Azure
Continuous Monitoring
SecOps
Configuration Audit

Version: 8

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/

« User Added as Owner for Azure Application Azure Kubernetes Rolebindings Created »