Azure application credentials added

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
ATT&CK Tactic	Defense Evasion (TA0005) Persistence (TA0003)
ATT&CK Technique	Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
Severity	Informational

An identity added credentials to an Azure application.

An attacker may add certificates or modify authentication methods of an application to authenticate as the application.

Check if the modified application is new to the organization.
Check whether the account that modified the credentials is supposed to perform such actions.
Check for possible logins from the application modified.
Follow further actions done by the application.

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

An identity added a certificate to an Azure application in a suspicious way.

An attacker may add certificates or modify authentication methods of an application to authenticate as the application.

Check if the modified application is new to the organization.
Check whether the account that modified the credentials is supposed to perform such actions.
Check for possible logins from the application modified.
Follow further actions done by the application.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

An identity added a certificate to an Azure application with some unusual parameters.

An attacker may add certificates or modify authentication methods of an application to authenticate as the application.

Check if the modified application is new to the organization.
Check whether the account that modified the credentials is supposed to perform such actions.
Check for possible logins from the application modified.
Follow further actions done by the application.