O365 Application Registration Owner Added

name: O365 Application Registration Owner Added
id: c068d53f-6aaa-4558-8011-3734df878266
version: 7
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
    - O365 Add owner to application.
description: The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload. This activity is significant because assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. If confirmed malicious, an attacker could modify the application's settings, permissions, and behavior, leading to unauthorized data access, privilege escalation, or the introduction of malicious behavior within the application's operations.
search: "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add owner to application.\" | eval app_id=mvindex('ModifiedProperties{}.NewValue', 0) | eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product app_id app_displayName object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_application_registration_owner_added_filter`"
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: Application owners may be added for legitimate reasons, filter as needed.
references:
    - https://attack.mitre.org/techniques/T1098/
    - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Application registration $app_displayName$ was assigned a new owner $object$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Persistence Mechanisms
        - NOBELIUM Group
    asset_type: O365 Tenant
    atomic_guid: []
    mitre_attack_id:
        - T1098
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log
          source: o365
          sourcetype: o365:management:activity