title: Azure Application Credential Modified
id: cdeef967-f9a1-4375-90ee-6978c5f23974
description: Identifies when a application credential is modified.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/02
references:
    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
logsource:
  product: azure
  service: activitylogs
detection:
    selection:
        properties.message: 'Update application - Certificates and secrets management'
    condition: selection
level: medium
tags:
    - attack.impact
falsepositives:
 - Application credential added may be performed by a system administrator. 
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
 - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.