From 6f4c6d70312c322ad920158d34769f714d273ed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9gory=20Wychowaniec?=
Date: Wed, 20 Nov 2024 20:43:21 +0100
Subject: [PATCH] Merge PR #5054 from @gregorywychowaniec-zt - Update `App Assigned To Azure RBAC/Microsoft Entra Role`

update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 rules/cloud/azure/audit_logs/azure_app_role_added.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/cloud/azure/audit_logs/azure_app_role_added.yml b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
index acfa45c0fd6..a0d240787e3 100644
--- a/rules/cloud/azure/audit_logs/azure_app_role_added.yml
+++ b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
@@ -1,4 +1,4 @@
-title: App Role Added
+title: App Assigned To Azure RBAC/Microsoft Entra Role
 id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
 status: test
 description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
@@ -6,6 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 date: 2022-07-19
+modified: 2024-11-04
 tags:
 - attack.persistence
 - attack.privilege-escalation
@@ -15,6 +16,7 @@ logsource:
 service: auditlogs
 detection:
 selection:
+ targetResources.type: 'Service Principal'
 properties.message:
 - Add member to role
 - Add eligible member to role
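Review bot: The new `targetResources.type: 'Service Principal'` condition in the third hunk is an exact-match filter that is ANDed with the message list, so if the field path or the literal differs from what the audit log actually emits, the rule stops firing without any error. Two things look worth confirming against a captured event: the sibling field in the same selection is written `properties.message`, while the new one has no `properties.` prefix, and, as far as I recall, the Microsoft Graph directoryAudit schema spells the resource type as one word, without a space. `targetResources` also appears to be an array in these logs, so whether a backend matches on any element's `type` depends on how the pipeline flattens it. I would add a comment above the line such as `# value and field path verified against a sample Entra audit event; targetResources is a list` once that has been checked. The `selection` block and the rule's `condition` continue outside the hunk.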