Query Details

Owner Added To High Privileged Application

Query

id: b6d4f7fe-2f5b-45e8-8f3d-b259ebe4100a
name: Owner added to high privileged application
version: 1.0.1
kind: Scheduled
description: An owner was added to application holding high privileged API permissions
severity: Medium
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
query: |-
  AuditLogs
  | where OperationName == "Add owner to application"
  | extend SearchKey = tostring(TargetResources[1].id)
  | join kind=inner _GetWatchlist('HighRiskApps') on SearchKey
  | extend TargetUser = tostring(TargetResources[0].userPrincipalName)
  | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
  | extend TargetResourcesName = iff(isnotempty(TargetResources[0].displayName), TargetResources[0].displayName, TargetResources[0].id)
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities: []
    groupByAlertDetails: []
    lookbackDuration: 5h
    enabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  TargetApp: TargetResourcesName
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: TargetUser
        identifier: FullName
  - entityType: Account
    fieldMappings:
      - columnName: Actor
        identifier: FullName
suppressionDuration: 5h

Explanation

This query identifies when an owner is added to an application that holds high privileged API permissions. It searches AuditLogs for the operation "Add owner to application", takes the application's object id from TargetResources[1] as SearchKey, and inner-joins the results with the HighRiskApps watchlist, so only additions to applications on that watchlist are returned. It then extracts the target user (the account added as owner) and the actor who initiated the action, and the custom details carry the name of the target application. The rule runs every 30 minutes over the previous 30 minutes and fires when more than 0 results are returned, creating an incident with one alert per result. Suppression is not enabled (the configured suppression duration is 5 hours), and incident grouping, which would use a 5-hour lookback, is disabled.
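To make the join semantics concrete, the following Python emulation of the rule's pipeline runs over a few constructed AuditLogs rows and a constructed HighRiskApps watchlist. It is an added example, not part of the original rule or the author's code; the row layout (TargetResources[0] = account being added as owner, TargetResources[1] = application, watchlist SearchKey = application object id) and all ids, names and UPNs are assumptions made to match what the KQL above indexes.

```python
# Constructed sample AuditLogs rows (not real tenant data). The field layout
# follows what the page's KQL assumes: TargetResources[0] is the account being
# added as owner, TargetResources[1] is the application.
SAMPLE_AUDIT_LOGS = [
    {   # matches: owner added to an application that is on the watchlist
        "OperationName": "Add owner to application",
        "InitiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
        "TargetResources": [
            {"id": "user-obj-id-0001", "type": "User", "displayName": None,
             "userPrincipalName": "new.owner@contoso.example"},
            {"id": "app-obj-id-0001", "type": "Application",
             "displayName": "Graph Automation"},
        ],
    },
    {   # same operation, but the application is not on the watchlist
        "OperationName": "Add owner to application",
        "InitiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
        "TargetResources": [
            {"id": "user-obj-id-0002", "type": "User", "displayName": None,
             "userPrincipalName": "someone@contoso.example"},
            {"id": "app-obj-id-0099", "type": "Application",
             "displayName": "Lunch Menu Bot"},
        ],
    },
    {   # different operation, dropped by the where clause
        "OperationName": "Add app role assignment to service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "it-admin@contoso.example"}},
        "TargetResources": [
            {"id": "app-obj-id-0001", "type": "ServicePrincipal",
             "displayName": "Graph Automation"},
        ],
    },
]

# Constructed watchlist rows shaped like the output of _GetWatchlist('HighRiskApps'):
# the SearchKey column carries the application object id the query joins on.
SAMPLE_WATCHLIST = [
    {"SearchKey": "app-obj-id-0001", "AppName": "Graph Automation",
     "Permission": "Application.ReadWrite.All"},
]


def tostring(value):
    """KQL tostring(): a null value becomes the empty string."""
    return "" if value is None else str(value)


def run_query(audit_logs, watchlist):
    """Emulate the rule's KQL pipeline and return the result rows."""
    high_risk = {row["SearchKey"]: row for row in watchlist}
    results = []
    for row in audit_logs:
        # | where OperationName == "Add owner to application"
        if row.get("OperationName") != "Add owner to application":
            continue
        tr = row.get("TargetResources") or []
        # | extend SearchKey = tostring(TargetResources[1].id)
        # Indexing past the end of a dynamic array yields null in KQL, so tostring() gives "".
        search_key = tostring(tr[1].get("id")) if len(tr) > 1 else ""
        # | join kind=inner _GetWatchlist('HighRiskApps') on SearchKey
        watch = high_risk.get(search_key)
        if watch is None:
            continue  # inner join: rows with no watchlist match are dropped
        first = tr[0] if tr else {}
        # | extend TargetUser / Actor / TargetResourcesName, mirroring the query's
        # indexing and its iff() fallback from displayName to id as written
        results.append({
            "SearchKey": search_key,
            "TargetUser": tostring(first.get("userPrincipalName")),
            "Actor": tostring(row.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")),
            "TargetResourcesName": first.get("displayName") if first.get("displayName") else first.get("id"),
            "AppName": watch.get("AppName"),
        })
    return results


def build_alerts(results):
    """Apply the rule settings from the page: triggerOperator gt / triggerThreshold 0,
    aggregationKind AlertPerResult, customDetails TargetApp, two Account entities."""
    if not len(results) > 0:
        return []
    return [
        {
            "severity": "Medium",
            "customDetails": {"TargetApp": r["TargetResourcesName"]},
            "entities": [
                {"entityType": "Account", "FullName": r["TargetUser"]},
                {"entityType": "Account", "FullName": r["Actor"]},
            ],
        }
        for r in results
    ]


if __name__ == "__main__":
    for alert in build_alerts(run_query(SAMPLE_AUDIT_LOGS, SAMPLE_WATCHLIST)):
        print(alert)
```

Only the first constructed row survives: the second is removed by the inner join, the third by the where clause. Note that in this run the TargetApp custom detail ends up as the owner's object id, because the query reads TargetResourcesName from TargetResources[0] while the join key comes from TargetResources[1]; feeding a real "Add owner to application" row from your own tenant into run_query is the quickest way to confirm which index holds the application in your events before relying on that detail in triage.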

Details

Fabian Bader

Released: August 12, 2023

Tables

AuditLogs
