title: Added Credentials to Existing Application
id: cbb67ecc-fb70-4467-9350-c910bdf7c628
description: Detects when a new credential is added to an existing applcation. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.  
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022/05/26
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    properties.message: 
      - Update Application-Certificates and secrets management
      - Update Service principal/Update Application
  condition: selection
falsepositives:
  - When credentials are added/removed as part of the normal working hours/workflows
level: high
status: experimental
tags: 
  - attack.t1098
  - attack.persistence