Merge PR #5054 from @gregorywychowaniec-zt - Update `App Assigned To …

…Azure RBAC/Microsoft Entra Role` update: App Assigned To Azure RBAC/Microsoft Entra Role - Add a constraint to limit the detection to service principal only --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · Nov 20, 2024 · 6f4c6d7 · 6f4c6d7
1 parent 41a5914
commit 6f4c6d7
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/rules/cloud/azure/audit_logs/azure_app_role_added.yml b/rules/cloud/azure/audit_logs/azure_app_role_added.yml
@@ -1,11 +1,12 @@
-title: App Role Added
+title: App Assigned To Azure RBAC/Microsoft Entra Role
 id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
 status: test
 description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
 references:
     - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
 author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
 date: 2022-07-19
+modified: 2024-11-04
 tags:
     - attack.persistence
     - attack.privilege-escalation
@@ -15,6 +16,7 @@ logsource:
     service: auditlogs
 detection:
     selection:
+        targetResources.type: 'Service Principal'
         properties.message:
             - Add member to role
             - Add eligible member to role