LoFP / when credentials are added/removed as part of the normal working hours/workflows

Techniques

Sample rules

Added Credentials to Existing Application

Description

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Detection logic

condition: selection
selection:
  properties.message:
  - "Update application \u2013 Certificates and secrets management"
  - Update Service principal/Update Application