LoFP / application credential added from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Application Credential Modified

• source: sigma
• technicques:

Description

Identifies when a application credential is modified.

Detection logic

condition: selection
selection:
  properties.message: Update application - Certificates and secrets management