This detection rule monitors for the assignment of the ApplicationImpersonation role within Office 365. It leverages the Office 365 Management Activity API to scrutinize Azure Active Directory audit logs for any events related to the 'New-ManagementRoleAssignment' operation that indicate the ApplicationImpersonation role has been granted. This role is critical as it permits a user or application to impersonate other users, facilitating potential unauthorized access to their mailboxes and sensitive data. If an attacker gains this role, they may manipulate mailbox content or exert control as a legitimate user, which poses a serious risk to organizational security. The implementation of this rule requires using the Splunk Microsoft Office 365 Add-on for ingesting relevant management activity events.