Name:O365 Add App Role Assignment Grant User id:b2c81cc6-6040-11eb-ae93-0242ac130002 version:4 date:2024-09-30 author:Rod Soto, Splunk status:production type:TTP Description:The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the "Add app role assignment grant to user" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment. Data_source:
-O365 Add app role assignment grant to user.
search:`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type values(ModifiedProperties{}.Name) as modified_properties_name by user dest ResultStatus Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`
how_to_implement:You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives:The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. References: -https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf -https://www.cisa.gov/uscert/ncas/alerts/aa21-008a drilldown_searches: name:'View the detection results for - "$user$" and "$dest$"' search:'%original_detection_search% | search user = "$user$" dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$" and "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Persistence Mechanisms' - 'Cloud Federated Credential Abuse' asset_type:O365 Tenant confidence:60 impact:30 message:User $user$ has created a new federation setting $modified_properties_name$ on $dest$ mitre_attack_id: - 'T1136.003' - 'T1136' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Workload' - 'Operation' - 'Actor{}.ID' - 'Actor{}.Type' - 'UserId' - 'dest' - 'ResultStatus' risk_score:18 security_domain:threat
