Owner Added To High Privileged Application
Query
AuditLogs
| where OperationName == "Add owner to application"
| extend SearchKey = tostring(TargetResources[1].id)
| join kind=inner _GetWatchlist('HighRiskApps') on SearchKey
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetResourcesName = iff(isnotempty(TargetResources[0].displayName),TargetResources[0].displayName,TargetResources[0].id)Explanation
This query is used to identify when an owner is added to an application with high privileged API permissions. It searches the AuditLogs for the operation "Add owner to application" and joins the results with a watchlist of high-risk apps. It also extends the search to include the target user and the actor who initiated the action. The query does not have suppression enabled and is set to create an incident when triggered. The incident grouping configuration is not enabled. The query has a lookback duration of 5 hours and the event grouping settings aggregate alerts per result. The custom details include the name of the target application. The query has a suppression duration of 5 hours.
Details

Fabian Bader
Released: August 12, 2023
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 30m
Period: 30m