Adversaries may alter application ownership to gain unauthorized access or escalate privileges within the environment. Proactively hunting for unexpected changes to application ownership in Azure Sentinel helps identify potential privilege escalation or lateral movement tactics early.
KQL Query
AuditLogs
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Add owner to application"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetUserPrincipalName = TargetResources[0].userPrincipalName
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend mod_props = TargetResources[0].modifiedProperties
| mv-expand mod_props
| where mod_props.displayName =~ "Application.DisplayName"
| extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))
| extend AddedUser = TargetUserPrincipalName
| extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy
id: cc5780ce-3245-4bba-8bc1-e9048c2257ce
name: Changes to Application Ownership
description: |
'Detects changes to the ownership of an appplicaiton.
Monitor these changes to make sure that they were authorized.
Ref: https://learn.microsoft.com/en-gb/entra/architecture/security-operations-applications#new-owner'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
query: |
AuditLogs
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Add owner to application"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetUserPrincipalName = TargetResources[0].userPrincipalName
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend mod_props = TargetResources[0].modifiedProperties
| mv-expand mod_props
| where mod_props.displayName =~ "Application.DisplayName"
| extend TargetAppName = tostring(parse_json(tostring(mod_props.newValue)))
| extend AddedUser = TargetUserPrincipalName
| extend UpdatedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingAadUserId, InitiatingUserPrincipalName, InitiatingIPAddress, TargetAppName, AddedUser, UpdatedBy
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUserPrincipalName
- identifier: Name
columnName: TargetAccountName
- identifier: UPNSuffix
columnName: TargetAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: TargetAadUserId
version: 1.1.2
kind: Scheduled
metadata:
source:
| Sentinel Table | Notes |
|---|---|
AuditLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job Updates Application Ownership
Description: A scheduled job (e.g., Microsoft Endpoint Manager (MEM) or Azure DevOps pipeline) runs a script that updates application ownership as part of a routine configuration management task.
Filter/Exclusion: ProcessName == "TaskScheduler.exe" OR ProcessName == "AzureDevOps.exe" OR ProcessName == "msiexec.exe"
Scenario: Admin Task to Reassign Application Ownership
Description: A system administrator manually reassigns ownership of an application through the Microsoft Entra ID admin center or via PowerShell using the Set-AzureADApplication cmdlet.
Filter/Exclusion: User == "[email protected]" OR User == "[email protected]" OR ProcessName == "powershell.exe" AND CommandLine LIKE "%Set-AzureADApplication%"
Scenario: Application Migration via Azure AD Connect
Description: During an Azure AD Connect synchronization or migration, application ownership is updated as part of directory synchronization.
Filter/Exclusion: ProcessName == "AzureADConnect.exe" OR ProcessName == "adsync.exe" OR User == "[email protected]"
Scenario: Third-Party Tool for Application Management
Description: A third-party tool (e.g., Okta, Azure AD B2C, or Microsoft 365 Admin Center) updates application ownership as part of its normal operation.
Filter/Exclusion: User == "[email protected]" OR User == "[email protected]" OR ProcessName == "okta.exe" OR ProcessName == "m365.exe"
Scenario: Testing or Development Environment Changes
Description: In a test or development environment, an application’s ownership is changed as part of a test scenario or CI/CD pipeline