Query Details

Owner Added To High Privileged Application

Query

AuditLogs
| where OperationName == "Add owner to application"
| extend SearchKey = tostring(TargetResources[1].id)
| join kind=inner _GetWatchlist('HighRiskApps') on SearchKey
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetResourcesName = iff(isnotempty(TargetResources[0].displayName),TargetResources[0].displayName,TargetResources[0].id)

Explanation

This query is used to identify when an owner is added to an application with high privileged API permissions. It searches the AuditLogs for the operation "Add owner to application" and joins the results with a watchlist of high-risk apps. It also extends the search to include the target user and the actor who initiated the action. The query does not have suppression enabled and is set to create an incident when triggered. The incident grouping configuration is not enabled. The query has a lookback duration of 5 hours and the event grouping settings aggregate alerts per result. The custom details include the name of the target application. The query has a suppression duration of 5 hours.

Details

Fabian Bader profile picture

Fabian Bader

Released: August 12, 2023

Tables

AuditLogs

Keywords

DevicesIntuneUserAuditLogsOperationNameAdd owner to applicationSearchKeyTargetResourcesHighRiskAppsTargetUserInitiatedByTargetResourcesNameIncidentConfigurationGroupingConfigurationEventGroupingSettingsTargetAppAccountFullNameSuppressionDuration

Operators

|==extendjoinkind=inneroniffisnotemptytostring

Severity

Medium

Tactics

PrivilegeEscalation

Frequency: 30m

Period: 30m

Actions

GitHub