
Summary
This detection rule identifies cases where highly privileged delegated permissions are granted to an application on behalf of all users in an Azure environment. Such grants carry significant security risk: the application may gain access to sensitive information or be able to perform actions that lead to unauthorized access or breaches. The rule looks for Azure audit log entries that record a permission grant event, specifically messages containing the phrase 'Add delegated permission grant'. It matters to security teams that need to monitor and investigate potential abuse of permissions within their Azure applications. Teams should also expect false positives where the permissions are legitimately required for the application to function, so each alert needs a careful review process before action is taken.
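The matching logic described above, as an added example that is not part of the rule itself: it scans constructed audit-log-like records for the trigger phrase and tags hits against a constructed allowlist of expected applications to support the review step. The field names (properties.message, initiatedBy, targetResources) and the sample records are assumptions made for this example.

```python
# Added example: run the rule's phrase match over constructed Azure audit-log-like
# entries and rank hits for review. Field names below are assumptions, not the
# rule's own schema.
TRIGGER_PHRASE = "Add delegated permission grant"  # phrase the rule keys on

# Constructed sample records (assumed shape; not real tenant data).
SAMPLE_LOGS = [
    {"time": "2022-07-28T10:01:00Z",
     "properties": {"message": "Add delegated permission grant",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                    "targetResources": [{"displayName": "Expense Tracker"}]}},
    {"time": "2022-07-28T10:02:00Z",
     "properties": {"message": "Update application",
                    "initiatedBy": {"user": {"userPrincipalName": "dev@contoso.example"}},
                    "targetResources": [{"displayName": "Expense Tracker"}]}},
    {"time": "2022-07-28T10:03:00Z",
     "properties": {"message": "Add delegated permission grant",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                    "targetResources": [{"displayName": "Unknown Mail Sync"}]}},
]

# Constructed allowlist of apps whose delegated grants are expected; used only to
# prioritise review, since legitimate grants also trigger the rule.
KNOWN_APPS = frozenset({"Expense Tracker"})


def is_delegated_grant(entry: dict) -> bool:
    """True when the audit message carries the phrase the rule looks for."""
    message = entry.get("properties", {}).get("message", "")
    return TRIGGER_PHRASE.lower() in message.lower()


def target_app(entry: dict) -> str:
    """Display name of the first target resource, or a placeholder."""
    targets = entry.get("properties", {}).get("targetResources") or [{}]
    return targets[0].get("displayName", "<unknown>")


def detect(entries: list) -> list:
    """One alert per matching entry; known apps are tagged for lower-priority review."""
    alerts = []
    for entry in entries:
        if not is_delegated_grant(entry):
            continue
        props = entry.get("properties", {})
        actor = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        app = target_app(entry)
        alerts.append({"time": entry.get("time"), "actor": actor, "app": app,
                       "review": "expected-app" if app in KNOWN_APPS else "investigate"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```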
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2022-07-28