blue-team-tools/deprecated/cloud/azure_app_credential_modification.yml
peterydzynski 8b41e6bfdf Merge PR #5542 from @peterydzynski - remove Azure Application Credential Modified
remove: Azure Application Credential Modified - superseded by cbb67ecc-fb70-4467-9350-c910bdf7c628

---------

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2025-10-17 12:14:11 +02:00

24 lines
942 B
YAML

```yaml
title: Azure Application Credential Modified
id: cdeef967-f9a1-4375-90ee-6978c5f23974
status: deprecated
description: Identifies when an application credential is modified.
references:
    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
author: Austin Songer @austinsonger
date: 2021-09-02
modified: 2025-10-17
tags:
    - attack.impact
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        properties.message: 'Update application Certificates and secrets management'
    condition: selection
falsepositives:
    - Application credential added may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
```
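To see what this (now deprecated) rule actually fires on, here is an added Python evaluator of its `selection` block over constructed Azure Activity Log records, including the kind of known-actor exemption the `falsepositives` notes suggest. This is example code, not part of the Sigma repository; the event shape (a nested `properties` object carrying `message`, plus an `initiatedBy` field used for exemptions) is an assumption.

```python
from typing import Any, Iterable

# Field/value pair copied from the rule's `selection` block.
SELECTION = {
    "properties.message": "Update application Certificates and secrets management",
}


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a Sigma dotted field name such as 'properties.message' in a nested event."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(event: dict, selection: dict = SELECTION) -> bool:
    """Sigma selection semantics: every listed field must match, and a plain
    string value is compared case-insensitively (Sigma's default)."""
    for field, expected in selection.items():
        actual = get_field(event, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True


def alerts(events: Iterable[dict], exempt_actors: frozenset = frozenset()) -> list:
    """Return matching events, dropping those initiated by a known, exempted actor.
    'initiatedBy' is an assumed field name for the acting identity."""
    return [
        e for e in events
        if matches(e) and e.get("initiatedBy") not in exempt_actors
    ]


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    {"initiatedBy": "admin@example.com",
     "properties": {"message": "Update application Certificates and secrets management"}},
    {"initiatedBy": "unknown@example.net",
     "properties": {"message": "update application certificates and secrets management"}},
    {"initiatedBy": "admin@example.com",
     "properties": {"message": "Add service principal"}},
    {"operationName": "Update application"},  # no 'properties' object at all
]
```

Run against `SAMPLE_EVENTS`, the rule matches the first two records (the second only because Sigma string matching is case-insensitive), and exempting `admin@example.com` leaves a single alert for the unfamiliar actor.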