AuditLogs
| where Category =~ "ApplicationManagement"
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
| where Result =~ "success"
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "ServicePrincipal" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)
| extend props = TargetResource.modifiedProperties,
Type = tostring(TargetResource.type),
PermissionsAddedTo = tostring(TargetResource.displayName)
)
| mv-apply Property = props on
(
where Property.displayName =~ "DelegatedPermissionGrant.Scope"
| extend DisplayName = tostring(Property.displayName), Permissions = trim('"',tostring(Property.newValue))
)
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
| mv-apply AdditionalDetail = AdditionalDetails on
(
where AdditionalDetail.key =~ "User-Agent"
| extend InitiatingUserAgent = tostring(AdditionalDetail.value)
)
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-away props, TargetResource, AdditionalDetail, Property
| join kind=leftouter(
AuditLogs
| where ActivityDisplayName has "Consent to application"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "ServicePrincipal"
| extend AppName = tostring(TargetResource.displayName),
AppId = tostring(TargetResource.id)
)
| project AppName, AppId, CorrelationId) on CorrelationId
| project-away CorrelationId1
| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])
description: |
'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'
kind: Scheduled
tactics:
- Persistence
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/MailPermissionsAddedToApplication.yaml
severity: Medium
name: Mail.Read Permissions Granted to Application
triggerThreshold: 0
queryPeriod: 1d
query: |
AuditLogs
| where Category =~ "ApplicationManagement"
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
| where Result =~ "success"
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "ServicePrincipal" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)
| extend props = TargetResource.modifiedProperties,
Type = tostring(TargetResource.type),
PermissionsAddedTo = tostring(TargetResource.displayName)
)
| mv-apply Property = props on
(
where Property.displayName =~ "DelegatedPermissionGrant.Scope"
| extend DisplayName = tostring(Property.displayName), Permissions = trim('"',tostring(Property.newValue))
)
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
| mv-apply AdditionalDetail = AdditionalDetails on
(
where AdditionalDetail.key =~ "User-Agent"
| extend InitiatingUserAgent = tostring(AdditionalDetail.value)
)
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| project-away props, TargetResource, AdditionalDetail, Property
| join kind=leftouter(
AuditLogs
| where ActivityDisplayName has "Consent to application"
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "ServicePrincipal"
| extend AppName = tostring(TargetResource.displayName),
AppId = tostring(TargetResource.id)
)
| project AppName, AppId, CorrelationId) on CorrelationId
| project-away CorrelationId1
| project-reorder TimeGenerated, OperationName, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])
relevantTechniques:
- T1098
id: 2560515c-07d1-434e-87fb-ebe3af267760
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.4
tags:
- Solorigate
- NOBELIUM
entityMappings:
- entityType: Account
fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
- entityType: Account
fieldMappings:
- columnName: InitiatingAppServicePrincipalId
identifier: AadUserId
- entityType: IP
fieldMappings:
- columnName: InitiatingIpAddress
identifier: Address
