LoFP / owner removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Owner Removed From Application or Service Principal

• source: sigma
• technicques:

Description

Identifies when a owner is was removed from a application or service principal in Azure.

Detection logic

condition: selection
selection:
  properties.message:
  - Remove owner from service principal
  - Remove owner from application