O365 ApplicationImpersonation Role Assigned

Splunk Security Content

Summary
This detection rule monitors for assignment of the ApplicationImpersonation role within Office 365. It uses the Office 365 Management Activity API to examine Azure Active Directory audit logs for 'New-ManagementRoleAssignment' operations that grant the ApplicationImpersonation role. The role is critical because it lets a user or application impersonate other users, which can give unauthorized access to their mailboxes and sensitive data. An attacker who gains this role can manipulate mailbox content or act as a legitimate user, which poses a serious risk to organizational security. Implementing this rule requires the Splunk Microsoft Office 365 Add-on to ingest the relevant management activity events.
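The matching logic described above, as an added Python example (not the Splunk rule's own search). The field names `Operation`, `Parameters` (a list of `Name`/`Value` pairs), `UserId` and `CreationTime`, and the set of assignee parameters, are assumptions about the management activity record layout; the sample events are constructed.

```python
import json

TARGET_OPERATION = "new-managementroleassignment"
TARGET_ROLE = "applicationimpersonation"
# Cmdlet parameters that can name the recipient of the role (assumed set).
ASSIGNEE_PARAMS = ("user", "securitygroup", "app")

def _params(event):
    """Return the cmdlet parameters as {lower-cased name: value}."""
    raw = event.get("Parameters") or []
    if isinstance(raw, str):  # some pipelines deliver the array JSON-encoded
        try:
            raw = json.loads(raw)
        except ValueError:
            return {}
    if not isinstance(raw, list):
        return {}
    return {str(p.get("Name", "")).lower(): str(p.get("Value", ""))
            for p in raw if isinstance(p, dict)}

def find_impersonation_grants(lines):
    """Return one finding per event that grants ApplicationImpersonation."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        if str(event.get("Operation", "")).lower() != TARGET_OPERATION:
            continue
        params = _params(event)
        if params.get("role", "").lower() != TARGET_ROLE:
            continue  # a different role was assigned
        assignee = next((params[k] for k in ASSIGNEE_PARAMS if params.get(k)), "unknown")
        findings.append({"time": event.get("CreationTime"),
                         "actor": event.get("UserId"), "assignee": assignee})
    return findings

# Constructed sample events (not real tenant data).
OP = "New-ManagementRoleAssignment"
SAMPLE = [
    json.dumps({"CreationTime": "2024-11-14T10:02:11", "Operation": OP, "UserId": "admin@example.test",
                "Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"}, {"Name": "User", "Value": "svc-sync@example.test"}]}),
    json.dumps({"CreationTime": "2024-11-14T10:05:40", "Operation": OP, "UserId": "admin@example.test",
                "Parameters": [{"Name": "Role", "Value": "Mailbox Import Export"}, {"Name": "User", "Value": "ops@example.test"}]}),
    json.dumps({"CreationTime": "2024-11-14T10:07:02", "Operation": "Set-Mailbox", "UserId": "ops@example.test", "Parameters": []}),
    json.dumps({"CreationTime": "2024-11-14T11:30:55", "Operation": OP, "UserId": "helpdesk@example.test",
                "Parameters": json.dumps([{"Name": "role", "Value": "applicationimpersonation"}, {"Name": "SecurityGroup", "Value": "Helpdesk-Apps"}])}),
    '{"Operation": "New-ManagementRoleAssignment", "Param',  # truncated line
]
```

Matching on the role parameter rather than the operation alone keeps assignments of other roles, such as the second sample event, out of the results.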
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1098
  • T1098.002
Created: 2024-11-14