Applications Rules
3 detection rules in this category.
| Rule | Severity | MITRE | Source |
|---|---|---|---|
| App role assigned to service principal | High | T1098.001 | AuditLog |
| Application credentials added | High | T1098.001 | AuditLog |
| OAuth app consent granted | High | T1098.001 | AuditLog |
App role assigned to service principal
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.001 (Persistence) |
Application permission assigned - check scope
Conditions
- Match: all
  - Operation Equals `Add app role assignment to service principal`
Application credentials added
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.001 (Persistence) |
New credentials added to application - verify legitimacy
Conditions
- Match: all
  - Operation Equals `Add service principal credentials`
OAuth app consent granted
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.001 (Persistence) |
OAuth application consent granted - check for illicit consent
Conditions
- Match: all
  - Operation Equals `Consent to application`