Azure New Owner added to Azure Active Directory application

Classification:

attack

Tactic:

Technique:

Goal

Detect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism.

Monitor Azure Active Directory logs for @evt.name: "Add owner to application" has an @evt.outcome of success.

Review evidence of anomalous activity for the user being added as an owner (@properties.targetResources) for the Active Directory application.
Determine if there is a legitimate reason for the user being added to the application.