Techniques
Sample rules
Added Credentials to Existing Application
- source: sigma
- technicques:
- t1098
- t1098.001
Description
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Detection logic
condition: selection
selection:
properties.message:
- "Update application \u2013 Certificates and secrets management"
- Update Service principal/Update Application