
Summary
The 'O365 Add User to app Role Assignment' detection rule identifies events in which a user is assigned to an application role in Office 365 and Azure Active Directory (AAD), granting the application additional permissions. This matters because it can signal a security risk, particularly when an application is allowed to act on behalf of users without their explicit consent or oversight. The rule analyzes the audit logs generated when app role assignments are granted to users, helping organizations monitor for unauthorized or unusual permission escalations that could lead to data breaches or misuse of resources. It filters events related to app role assignment and examines their associated parameters to verify that these permissions are managed properly and in line with organizational policy. The detection logic runs in Splunk, retrieving and organizing the relevant cloud data so that actions taken within the O365 environment are easier to audit. Combining event timestamps, user details, and the specific action identifiers yields actionable insight into user activity and changes in application permissions, strengthening the security posture against potential misuse.
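As an added illustration of the filtering the rule performs (this is not the rule's own Splunk search, which the page does not show), the following Python applies the same selection to a few constructed O365 unified audit log records; the operation name, the record field names and the sample values are assumptions.

```python
import json
from datetime import datetime, timezone

# Assumed AAD audit operation name that an app-role-assignment detection keys on.
APP_ROLE_ASSIGN_OPERATION = "Add app role assignment grant to user."

# Constructed sample records (newline-delimited JSON), shaped like O365 unified
# audit log entries: one matching grant, one unrelated operation, one failed grant.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2024-02-09T10:15:00", "Workload": "AzureActiveDirectory", "Operation": "Add app role assignment grant to user.", "ResultStatus": "Success", "UserId": "admin@example.test", "Target": [{"Type": 5, "ID": "alice@example.test"}], "ModifiedProperties": [{"Name": "AppRole.Value", "NewValue": "Mail.Read"}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "Constructed Mail App"}]}
{"CreationTime": "2024-02-09T10:16:00", "Workload": "AzureActiveDirectory", "Operation": "Update user.", "ResultStatus": "Success", "UserId": "admin@example.test", "Target": [{"Type": 5, "ID": "bob@example.test"}], "ModifiedProperties": []}
{"CreationTime": "2024-02-09T10:17:00", "Workload": "AzureActiveDirectory", "Operation": "Add app role assignment grant to user.", "ResultStatus": "Failure", "UserId": "helpdesk@example.test", "Target": [{"Type": 5, "ID": "carol@example.test"}], "ModifiedProperties": [{"Name": "AppRole.Value", "NewValue": "Files.ReadWrite.All"}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "Constructed Sync App"}]}
"""


def load_records(raw):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_app_role_assignments(records):
    """Return one finding per successful AAD app role assignment granted to a user."""
    findings = []
    for rec in records:
        # Only successful AAD app-role grants are of interest to the detection.
        if rec.get("Workload") != "AzureActiveDirectory":
            continue
        if rec.get("Operation") != APP_ROLE_ASSIGN_OPERATION:
            continue
        if rec.get("ResultStatus") != "Success":
            continue
        # Flatten ModifiedProperties into name -> new value for easy lookup.
        props = {p.get("Name"): p.get("NewValue") for p in rec.get("ModifiedProperties", [])}
        targets = [t.get("ID") for t in rec.get("Target", []) if t.get("ID")]
        findings.append({
            "time": datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc),
            "actor": rec.get("UserId", "unknown"),     # who performed the grant
            "target_users": targets,                   # who received the app role
            "app": props.get("ServicePrincipal.DisplayName", "unknown"),
            "role": props.get("AppRole.Value", "unknown"),
        })
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in detect_app_role_assignments(load_records(SAMPLE_AUDIT_LOG)):
        print(f"{f['time'].isoformat()} {f['actor']} granted {f['app']} role "
              f"{f['role']} to {', '.join(f['target_users'])}")
```

Each finding carries the timestamp, actor, target user, application and role, which are the fields an analyst needs to decide whether the grant matches an approved change.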
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
Created: 2024-02-09