Techniques
Sample rules
App Granted Microsoft Permissions
- source: sigma
- techniques:
  - t1528
Description
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD.
Detection logic
condition: selection
selection:
  properties.message:
    - Add delegated permission grant
    - Add app role assignment to service principal
App Assigned To Azure RBAC/Microsoft Entra Role
- source: sigma
- techniques:
  - t1098
  - t1098.003
Description
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Detection logic
condition: selection
selection:
  properties.message:
    - Add member to role
    - Add eligible member to role
    - Add scoped member to role
  targetResources.type: Service Principal
Delegated Permissions Granted For All Users
- source: sigma
- techniques:
  - t1528
Description
Detects when highly privileged delegated permissions are granted on behalf of all users.
Detection logic
condition: selection
selection:
  properties.message: Add delegated permission grant
App Granted Privileged Delegated Or App Permissions
- source: sigma
- techniques:
  - t1098
  - t1098.003
Description
Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.
Detection logic
condition: selection
selection:
  properties.message: Add app role assignment to service principal
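As an added example (not part of this page or of the Sigma project), the following Python evaluates the four selections above against constructed Azure AD audit-log events, applying Sigma's semantics of OR-ing listed values and AND-ing the fields of one selection; the field paths come from the rules, the events are made up.

```python
# Added example: evaluate the four Sigma selections above against constructed
# Azure AD audit-log events (constructed samples, not real logs); field paths follow the rules.

# Rule name -> selection: dotted field path -> accepted values.
# Sigma OR-s the values under one field and AND-s the fields of a selection.
RULES = {
    "App Granted Microsoft Permissions": {
        "properties.message": ["Add delegated permission grant",
                               "Add app role assignment to service principal"]},
    "App Assigned To Azure RBAC/Microsoft Entra Role": {
        "properties.message": ["Add member to role", "Add eligible member to role",
                               "Add scoped member to role"],
        "targetResources.type": ["Service Principal"]},
    "Delegated Permissions Granted For All Users": {
        "properties.message": ["Add delegated permission grant"]},
    "App Granted Privileged Delegated Or App Permissions": {
        "properties.message": ["Add app role assignment to service principal"]},
}

def get_path(event, path):
    """Resolve a dotted path; a list along the way (e.g. targetResources) is resolved per element."""
    keys = path.split(".")
    cur = event
    for i, key in enumerate(keys):
        if isinstance(cur, list):
            return [get_path(item, ".".join(keys[i:])) for item in cur]
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur

def field_matches(value, accepted):
    """A list-valued field matches when any element matches (Sigma semantics)."""
    if isinstance(value, list):
        return any(field_matches(v, accepted) for v in value)
    return value in accepted

def matching_rules(event):
    """Return the names of every rule whose selection fully matches the event."""
    return [name for name, sel in RULES.items()
            if all(field_matches(get_path(event, p), v) for p, v in sel.items())]

# Constructed events shaped like Azure AD audit-log entries (not real data).
SAMPLE_EVENTS = [
    {"properties": {"message": "Add app role assignment to service principal"}},
    {"properties": {"message": "Add member to role"},
     "targetResources": [{"type": "Service Principal"}]},
    {"properties": {"message": "Add member to role"},
     "targetResources": [{"type": "User"}]},
]
```

Note that the third event carries a role-assignment message but a non-service-principal target, so the RBAC rule stays silent: the `targetResources.type` field is what keeps ordinary user role assignments out of this detection.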