O365 Add App Role Assignment Grant User

name: O365 Add App Role Assignment Grant User
id: b2c81cc6-6040-11eb-ae93-0242ac130002
version: 10
date: '2026-03-10'
author: Rod Soto, Splunk
status: production
type: TTP
description: The following analytic detects the addition of an application role assignment grant to a user in Office 365. It leverages data from the `o365_management_activity` dataset, specifically monitoring the "Add app role assignment grant to user" operation. This activity is significant as it can indicate unauthorized privilege escalation or the assignment of sensitive roles to users. If confirmed malicious, this could allow an attacker to gain elevated permissions, potentially leading to unauthorized access to critical resources and data within the Office 365 environment.
data_source:
    - O365 Add app role assignment grant to user.
search: |-
    `o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user."
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY signature dest user
           src vendor_account vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `o365_add_app_role_assignment_grant_user_filter`
how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
known_false_positives: The creation of a new Federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
    - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
drilldown_searches:
    - name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ added a new app role assignment
    risk_objects:
        - field: user
          type: user
          score: 50
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Persistence Mechanisms
        - Cloud Federated Credential Abuse
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1136.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json
          sourcetype: o365:management:activity
          source: o365