Actor
Azure AD Privileged Graph API Permission Assignment
2 rules 1 TTPDetection of high-risk Graph API permission assignments (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory) in Azure AD, potentially leading to unauthorized modifications and security breaches.
Azure AD FullAccessAsApp Permission Assignment
2 rules 2 TTPsDetection of 'full_access_as_app' permission assignment to an application in Office 365 Exchange Online, potentially leading to unauthorized access and data exfiltration.
O365 Service Principal Creation Detection
2 rules 1 TTPDetection of new service principal creation in O365 tenants, which can be abused by attackers for unauthorized access, API interaction, and data compromise.
O365 ApplicationImpersonation Role Assigned
2 rules 2 TTPsDetection of the ApplicationImpersonation role being assigned in Office 365, potentially leading to unauthorized mailbox access and impersonation.
O365 Application Registration Owner Added
3 rules 1 TTPA new owner added to an O365 application registration can grant significant control, potentially leading to unauthorized data access, privilege escalation, or malicious behavior.
Azure AD Tenant Wide Admin Consent Granted
2 rules 1 TTPDetection of admin consent granted to an application within an Azure AD tenant which could lead to data exfiltration and persistence.
Azure AD Service Principal Owner Added
2 rules 1 TTPDetection of a new owner being added to an Azure AD Service Principal, potentially indicating persistence or privilege escalation by an attacker exploiting the lack of multi-factor authentication on service principals.