Applications Rules
3 detection rules in this category.
| Rule | Severity | MITRE | Source |
|---|---|---|---|
| App consent granted | High | T1098.001 | AuditLog |
| App role assigned to service principal | High | T1098.001 | AuditLog |
| Application credentials added | High | T1098.001 | AuditLog |
App consent granted
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.001 (Persistence) |
Application consent granted - check for illicit consent
Conditions
- Match: all
OperationEqualsConsent to application
App role assigned to service principal
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.001 (Persistence) |
Application permission assigned - check scope
Conditions
- Match: all
OperationEqualsAdd app role assignment to service principal
Application credentials added
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1098.001 (Persistence) |
New credentials added to application (secret or certificate)
Conditions
- Match: all
OperationContainsCertificates and secrets management