<  Back to rules search

Azure New Owner added to Azure Active Directory application

azure

Classification:

attack

Tactic:

Set up the azure integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism.

Strategy

Monitor Azure Active Directory logs for @evt.name: "Add owner to application" has an @evt.outcome of success.

Triage and response

  1. Review evidence of anomalous activity for the user being added as an owner (@properties.targetResources) for the Active Directory application.
  2. Determine if there is a legitimate reason for the user being added to the application.