
Sentinel detections for Azure Activity


Sigma rule outputs from CloudSigma rendered into Sentinel queries against the Azure Activity schema. Every rule is mapped to MITRE ATT&CK and validated against the Sentinel output dialect.

01 Coverage at a glance

  • 27 production rules
  • 26 ATT&CK techniques
  • 9 ATT&CK tactics
  • Output dialect: Sentinel

02 Rule index

| Technique | Rule | Severity | Log source |
| --- | --- | --- | --- |
| T1040 | Network Sniffing on Azure Activity | medium | Azure Activity |
| T1059 | Command and Scripting Interpreter on Azure Activity | medium | Azure Activity |
| T1078 | Valid Accounts on Azure Activity | medium | Azure Activity |
| T1078.004 | Valid Accounts: Cloud Accounts on Azure Activity | medium | Azure Activity |
| T1087 | Account Discovery on Azure Activity | medium | Azure Activity |
| T1087.004 | Account Discovery: Cloud Account on Azure Activity | medium | Azure Activity |
| T1098 | Account Manipulation on Azure Activity | medium | Azure Activity |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on Azure Activity | medium | Azure Activity |
| T1110 | Brute Force on Azure Activity | medium | Azure Activity |
| T1190 | Exploit Public-Facing Application on Azure Activity | medium | Azure Activity |
| T1213 | Data from Information Repositories on Azure Activity | medium | Azure Activity |
| T1485 | Data Destruction on Azure Activity | medium | Azure Activity |
| T1486 | Data Encrypted for Impact on Azure Activity | medium | Azure Activity |
| T1491 | Defacement on Azure Activity | medium | Azure Activity |
| T1496 | Resource Hijacking on Azure Activity | medium | Azure Activity |
| T1498 | Network Denial of Service on Azure Activity | medium | Azure Activity |
| T1525 | Implant Internal Image on Azure Activity | medium | Azure Activity |
| T1526 | Cloud Service Discovery on Azure Activity | medium | Azure Activity |
| T1528 | Steal Application Access Token on Azure Activity | medium | Azure Activity |
| T1530 | Data from Cloud Storage Object on Azure Activity | medium | Azure Activity |
| T1548 | Abuse Elevation Control Mechanism on Azure Activity | medium | Azure Activity |
| T1548 | Abuse Elevation Control Mechanism on Azure Activity | medium | Azure Activity |
| T1552.001 | Unsecured Credentials: Credentials In Files on Azure Activity | medium | Azure Activity |
| T1556 | Modify Authentication Process on Azure Activity | medium | Azure Activity |
| T1580 | Cloud Infrastructure Discovery on Azure Activity | medium | Azure Activity |
| T1685 | Disable or Modify Tools on Azure Activity | medium | Azure Activity |
| T1686.001 | Disable or Modify System Firewall: Cloud Firewall on Azure Activity | medium | Azure Activity |

03 Example rule

Azure Logic Apps Privilege Escalation via Improper Access Control, generated by CloudSigma and validated against the Sentinel dialect.

L1 · production verified 2026-06-06 · sha256:09ca4a86dd25281c
Sigma rule · CloudSigma Sentinel · Azure Activity · 2026/05/15

id: be5a60f1-4785-4201-842f-78c92b8156d1
title: Azure Logic Apps Privilege Escalation via Improper Access Control
status: test
description: Detects privilege escalation attempts in Azure Logic Apps through improper access control mechanisms. Adversaries
  with authorized access abuse Logic Apps' access control to elevate privileges over the network. This detection monitors
  for operations that modify Logic App access policies or role assignments, which are common vectors for privilege escalation
  in Logic Apps environments.
author: CloudSigma
date: 2026/05/15
references:
- https://nvd.nist.gov/vuln/detail/CVE-2026-42823
- https://attack.mitre.org/techniques/T1548/
tags:
- attack.privilege_escalation
- attack.stealth
- attack.t1548
logsource:
  product: azure
  service: activitylogs
detection:
  condition: selection_operation and selection_target_type
  selection_operation:
    operationName:
    - Microsoft.Logic/workflows/accessKeys/write
    - Microsoft.Logic/workflows/accessKeys/action
    - Microsoft.Logic/workflows/providers/roleAssignments/write
    - Microsoft.Logic/integrationAccounts/accessKeys/write
  selection_target_type:
    properties.targetResources.type|startswith: Microsoft.Logic/
falsepositives:
- Legitimate Logic App access key rotation during maintenance windows
- Infrastructure-as-Code deployments provisioning Logic Apps with role assignments
- Authorized administrators configuring Logic App access policies for legitimate business workflows
- Service principal operations during Logic App migration or disaster recovery procedures
level: high
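As an added illustration (not code from CloudSigma or the Sigma project), the following Python evaluates the rule's detection block against constructed Azure Activity events the way a Sigma backend would before rendering it for Sentinel: the list under operationName is an OR, the |startswith modifier is a case-insensitive prefix test, and the condition ANDs the two selections. The nested event shape and the sample values are assumptions made for the example.

```python
# Added example, not CloudSigma's code. Implements the detection block of the
# Logic Apps rule above over dict-shaped events (shape is an assumption).
WATCHED_OPERATIONS = {
    s.lower()  # Sigma string matching is case-insensitive, so normalise once
    for s in (
        "Microsoft.Logic/workflows/accessKeys/write",
        "Microsoft.Logic/workflows/accessKeys/action",
        "Microsoft.Logic/workflows/providers/roleAssignments/write",
        "Microsoft.Logic/integrationAccounts/accessKeys/write",
    )
}
TARGET_TYPE_PREFIX = "microsoft.logic/"  # from properties.targetResources.type|startswith


def get_path(event: dict, dotted: str):
    """Resolve a Sigma dotted field name such as properties.targetResources.type."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None  # missing field never matches
        cur = cur[key]
    return cur


def matches_rule(event: dict) -> bool:
    """condition: selection_operation and selection_target_type"""
    op = get_path(event, "operationName")
    # selection_operation: several values under one field are OR-ed together
    selection_operation = isinstance(op, str) and op.lower() in WATCHED_OPERATIONS
    # selection_target_type: |startswith is a prefix test on the target type
    target_type = get_path(event, "properties.targetResources.type")
    selection_target_type = isinstance(target_type, str) and target_type.lower().startswith(TARGET_TYPE_PREFIX)
    return bool(selection_operation and selection_target_type)


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Logic/workflows/accessKeys/write",
     "properties": {"targetResources": {"type": "Microsoft.Logic/workflows"}}},  # hit
    {"operationName": "Microsoft.Logic/workflows/read",
     "properties": {"targetResources": {"type": "Microsoft.Logic/workflows"}}},  # read only: no hit
    {"operationName": "Microsoft.Logic/workflows/providers/roleAssignments/write",
     "properties": {"targetResources": {"type": "Microsoft.Web/sites"}}},  # target not Logic: no hit
    {"operationName": "MICROSOFT.LOGIC/INTEGRATIONACCOUNTS/ACCESSKEYS/WRITE",
     "properties": {"targetResources": {"type": "microsoft.logic/integrationAccounts"}}},  # case-insensitive hit
]


def run(events):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # [0, 3]
```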
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Sentinel documentation, https://docs.sentinel.com/
Last verified: 2026-06-06