Azure Service Principal Removed

Sigma Rules

Summary
This detection rule identifies events where a service principal has been removed within Microsoft Azure. Service principals are what allow applications to access cloud resources and services securely, so removing one can indicate potentially malicious behavior, especially if the removal is performed by an unauthorized user. The detection leverages Azure Activity Logs and specifically looks for log entries whose message states 'Remove service principal'. Such events should be monitored to confirm that changes are being made by legitimate, authorized users and to detect defense-evasion tactics that malicious actors may employ. The rule is classified as medium severity: it warrants attention but does not necessarily indicate an immediate threat. Administrators should investigate removal actions closely, particularly those originating from unfamiliar user accounts, while keeping in mind that legitimate operational changes (for example, decommissioning an application) can produce false positives.
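The matching and triage logic the summary describes, as an added Python example that is not part of the Sigma rule or the catalogue page. The log records, their field names (`message`, `initiatedBy`, `target`) and the allow-list of accounts expected to remove service principals are all constructed for illustration; real Azure Activity Log exports use their own schema, so the field mapping is an assumption. The example goes slightly beyond the rule itself by marking which hits come from expected automation identities, which is the false-positive handling the summary recommends.

```python
"""Flag 'Remove service principal' events and mark expected vs. unexpected initiators."""

from typing import Iterable

# Constructed sample records, NOT real Azure Activity Log output.
# Field names are assumed; map them to your export's schema before use.
SAMPLE_LOGS = [
    {"time": "2021-09-03T10:15:00Z", "message": "Remove service principal",
     "initiatedBy": "alice@example.com", "target": "app-legacy-sync"},
    {"time": "2021-09-03T10:16:00Z", "message": "Add service principal",
     "initiatedBy": "bob@example.com", "target": "app-new-reporting"},
    {"time": "2021-09-03T10:20:00Z", "message": "remove service principal ",
     "initiatedBy": "iac-pipeline@example.com", "target": "app-retired-etl"},
    {"time": "2021-09-03T10:25:00Z", "message": "Update service principal",
     "initiatedBy": "alice@example.com", "target": "app-legacy-sync"},
]

# Constructed allow-list (assumption): identities that remove service
# principals as part of routine, approved operations such as IaC teardown.
KNOWN_AUTOMATION_ACCOUNTS = frozenset({"iac-pipeline@example.com"})

RULE_MESSAGE = "remove service principal"
RULE_SEVERITY = "medium"


def matches_rule(record: dict) -> bool:
    """True when the record's message is the rule's trigger string.

    Case and surrounding whitespace are normalised so that minor export
    differences do not cause a miss.
    """
    message = record.get("message")
    if not isinstance(message, str):
        return False
    return message.strip().lower() == RULE_MESSAGE


def detect(records: Iterable[dict],
           expected_operators: frozenset = frozenset()) -> list:
    """Return one alert per matching record, preserving input order.

    Each alert carries the rule's medium severity plus an 'expected' flag
    that is True when the initiator is on the allow-list; unexpected hits
    are the ones an administrator should investigate first.
    """
    alerts = []
    for record in records:
        if not matches_rule(record):
            continue
        initiator = record.get("initiatedBy", "<unknown>")
        alerts.append({
            "time": record.get("time"),
            "initiated_by": initiator,
            "target": record.get("target"),
            "severity": RULE_SEVERITY,
            "expected": initiator in expected_operators,
        })
    return alerts


def unexpected_alerts(alerts: list) -> list:
    """Filter to alerts whose initiator is not a known automation account."""
    return [a for a in alerts if not a["expected"]]


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS, KNOWN_AUTOMATION_ACCOUNTS)
    for alert in hits:
        status = "expected" if alert["expected"] else "INVESTIGATE"
        print(f"[{alert['severity']}] {alert['time']} {alert['initiated_by']} "
              f"removed {alert['target']} ({status})")
```

Run it directly to see the two hits, one from an unfamiliar user and one from the allow-listed pipeline identity; feed `detect()` your own parsed records once the field mapping is adjusted.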
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
Created: 2021-09-03