Azure Service Principal was assigned a role
Set up the Azure integration.
Goal
Detect an Azure service principal being assigned an Azure role.
Strategy
Monitor Azure Activity logs for the following operations:
@evt.name:"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
@properties.requestbody:*ServicePrincipal*
Triage and response
- Determine if this activity is legitimate by investigating the:
  - Source IP of this activity: {{@network.client.ip}}
  - The user who made this request: @identity.claims.name
  - The role that was assigned to the application or service principal.
- If this user should not be assigning this Azure role and if the service principal should not be assigned this role:
  - Revoke access of compromised credentials.
  - Remove unauthorized app registration and/or service principal.
  - Investigate other activities performed by the source IP {{@network.client.ip}} in the IP Investigation Dashboard.
  - Investigate other activities performed by the user {{@usr.id}} in the User Investigation Dashboard.
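
The following is an added example, not part of the rule itself or of any vendor code: it applies the two Strategy conditions to exported events offline and pulls out the fields the triage steps ask for. It assumes both conditions must match, that events are nested dicts keyed by the attribute paths shown above, and that the request body is a JSON string with PrincipalId, PrincipalType and RoleDefinitionId under Properties; the sample events and placeholder IDs are constructed.

```python
import json

OPERATION = "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"

def get_path(event, dotted, default=None):
    """Walk a nested dict by a dotted attribute path such as 'network.client.ip'."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lower_keys(obj):
    """Lower-case dict keys recursively so 'Properties' and 'properties' both match."""
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    return obj

def triage_record(event):
    """Return the triage fields if both rule conditions match, otherwise None."""
    if str(get_path(event, "evt.name", "")).upper() != OPERATION:
        return None
    body = get_path(event, "properties.requestbody", "")
    if not isinstance(body, str) or "ServicePrincipal" not in body:
        return None
    try:
        props = lower_keys(json.loads(body)).get("properties")
    except (ValueError, AttributeError):
        props = None  # truncated or non-JSON body: still a match, role unknown
    props = props if isinstance(props, dict) else {}
    return {"source_ip": get_path(event, "network.client.ip"),
            "caller": get_path(event, "identity.claims.name"),
            "principal_id": props.get("principalid"),
            "role_definition_id": props.get("roledefinitionid")}

def make_event(operation, body):  # constructed sample event, documentation-range IP
    return {"evt": {"name": operation}, "network": {"client": {"ip": "203.0.113.10"}},
            "identity": {"claims": {"name": "admin@example.com"}}, "properties": {"requestbody": body}}

ROLE = "/providers/Microsoft.Authorization/roleDefinitions/ROLE-GUID-PLACEHOLDER"
SP_BODY = json.dumps({"Properties": {"PrincipalId": "SP-OBJECT-ID-PLACEHOLDER",
                                     "PrincipalType": "ServicePrincipal", "RoleDefinitionId": ROLE}})
SAMPLE_EVENTS = [
    make_event(OPERATION, SP_BODY),                                      # match
    make_event(OPERATION, SP_BODY.replace("ServicePrincipal", "User")),  # assigned to a user
    make_event(OPERATION.replace("WRITE", "DELETE"), SP_BODY),           # different operation
    make_event(OPERATION, SP_BODY[:SP_BODY.index("RoleDefinitionId")]),  # truncated body
]
RESULTS = [triage_record(e) for e in SAMPLE_EVENTS]
```

A truncated request body still matches on the substring, so the event is kept for review with the role left unknown rather than silently dropped.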