Credential added to rarely used Azure AD application

Set up the Azure integration.


Goal

Detects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.

Strategy

Monitor Azure AD Audit logs for the following @evt.name:

  • Update application – Certificates and secrets management
  • Add service principal credentials

Monitor Microsoft 365 Audit logs for the following @evt.name:

  • Update application – Certificates and secrets management
  • Add service principal credentials

An attacker who can add a secret or certificate to an application can then authenticate to Azure AD as that application and perform API operations with whatever permissions are assigned to it, without needing any user's password or MFA. An attacker may deliberately target an application whose credentials are seldom changed, because a new credential on such an application is less likely to be noticed. Using the New Value detection method, a signal is raised when credentials are added to an application that has not had credentials added in the previous 7 days.
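The detection logic described above, as an added example that is not part of the rule page or Datadog's own implementation: a small emulation of New Value detection run over constructed audit events. The event names come from the Strategy section; the `usr.id` and `evt.name` keys mirror the rule's attributes, while the `target.id` field (the application receiving the credential) and the sample values are assumptions for this illustration. Events falling in the first 7 days of the stream only seed the baseline, mirroring the learning period a New Value rule needs before it can tell "new" from "first ever seen".

```python
from datetime import datetime, timedelta

# Event names this rule keys on (from the Strategy section above).
CREDENTIAL_EVENTS = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}

# Constructed sample audit events, not real tenant data. "target.id" is an
# assumed field name for the application the credential was added to.
SAMPLE_LOGS = [
    {"timestamp": "2024-03-01T09:00:00Z", "usr.id": "alice@example.com",
     "evt.name": "Update application – Certificates and secrets management",
     "target.id": "app-payroll-sync"},
    {"timestamp": "2024-03-05T09:00:00Z", "usr.id": "alice@example.com",
     "evt.name": "Update application – Certificates and secrets management",
     "target.id": "app-payroll-sync"},
    # 15 days after the last credential change on this app: fires.
    {"timestamp": "2024-03-20T09:00:00Z", "usr.id": "bob@example.com",
     "evt.name": "Add service principal credentials",
     "target.id": "app-payroll-sync"},
    # Two days after the previous change: app is no longer "new", no signal.
    {"timestamp": "2024-03-22T09:00:00Z", "usr.id": "alice@example.com",
     "evt.name": "Update application – Certificates and secrets management",
     "target.id": "app-payroll-sync"},
    # Not a credential event at all: ignored by the query.
    {"timestamp": "2024-03-22T10:00:00Z", "usr.id": "carol@example.com",
     "evt.name": "Update application – Owners",
     "target.id": "app-payroll-sync"},
    # Application never seen with a credential change before: fires.
    {"timestamp": "2024-03-25T09:00:00Z", "usr.id": "dave@example.com",
     "evt.name": "Add service principal credentials",
     "target.id": "app-legacy-reporting"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_new_value(events, lookback=timedelta(days=7)):
    """Emulate New Value detection over credential-add events.

    A signal fires when a credential is added to an application that has not
    had one added within the preceding `lookback` window. Events inside the
    first `lookback` of the stream only populate the baseline (the learning
    period) so a freshly deployed rule does not alert on every application
    the first time it sees it.
    """
    last_seen = {}      # application id -> time of its last credential change
    stream_start = None
    signals = []
    for event in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        if event["evt.name"] not in CREDENTIAL_EVENTS:
            continue
        ts = parse_ts(event["timestamp"])
        if stream_start is None:
            stream_start = ts
        app = event["target.id"]
        prev = last_seen.get(app)
        is_new = prev is None or ts - prev > lookback
        learning = ts - stream_start < lookback
        if is_new and not learning:
            signals.append({
                "timestamp": event["timestamp"],
                "usr.id": event["usr.id"],
                "evt.name": event["evt.name"],
                "target.id": app,
                "days_since_last_seen": None if prev is None else (ts - prev).days,
            })
        last_seen[app] = ts
    return signals


if __name__ == "__main__":
    for signal in detect_new_value(SAMPLE_LOGS):
        print(signal)
```

Note that the learning-period handling is what makes the "rarely used" part of the rule meaningful: without it, every application would fire on its first credential change after the rule is enabled, and the signal on `app-payroll-sync` (last touched 15 days earlier) would be lost in that noise.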

Triage and response

  1. Determine whether {{@usr.id}} should have made a {{@evt.name}} API call against this application.
  2. If the API call was not made by the user:
    • Remove the suspicious secret or certificate from the application.
    • Invalidate all existing refresh tokens, so that any session the attacker has already established with the new credential cannot be renewed and the attacker is unable to reconnect to your tenant.
    • Review the sign-in activity of the affected application since the credential was added, to scope what the attacker may have accessed with its permissions.
    • Begin your organization's Incident Response (IR) process.
  3. If the API call was made by the user:
    • Ensure the change was authorized and that the credential was added to the intended application.

Changelog

2 November 2022 - Updated severity.
