Rules Contributing to Microsoft Entra Application Configuration Changes Alert

The following rules are used to identify suspicious Microsoft Entra application configuration changes. Any one or more of these will trigger the Microsoft Entra Application Configuration Changes Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an applications AppID URI.

More details

Rule ID

azure_16

Query

{'selection': {'properties_message': ['Update Application', 'Update Service principal']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,1b45b0d1-773f-4f23-aedc-814b759563b1

Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, PERSISTENCE, T1078.004, T1552

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/06/02	high	When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.

Added Credentials to Existing Application

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

More details

Rule ID

azure_18

Query

{'selection': {'properties_message': ['Update Application-Certificates and secrets management', 'Update Service principal/Update Application']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,cbb67ecc-fb70-4467-9350-c910bdf7c628

Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'

Tactics, Techniques, and Procedures

PERSISTENCE, T1098.001

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/05/26	high	When credentials are added/removed as part of the normal working hours/workflows

Added Owner To Application

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

More details

Rule ID

azure_23

Query

{'selection': {'properties_message': 'Add owner to application'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,74298991-9fc4-460e-a92e-511aa60baec1

Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'

Tactics, Techniques, and Procedures

PERSISTENCE, T1078.004

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
experimental	2022/06/02	medium	When a new application owner is added by an administrator