Removal of an Azure Owner from an Application or Service Principal

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Azure Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Indicator Removal (T1070)

Severity

Informational

Description

An Azure Owner was removed from an application or service principal. This may indicate malicious activity or unauthorized access to the application or service.

Attacker's Goals

  • Remove owners from applications for full control of the application or service principal.
  • Manipulate or delete data stored in the Azure environment.

Investigative actions

  • Check the Azure Activity Log to identify which user removed the Azure Owner.
  • Check the Azure Role Assignments to identify the current Azure Owners.
  • Check the Application or Service Principal to identify if any changes have been made.