Microsoft Sentinel Analytic Rules

Mail.Read Permissions Granted to Application

Id: 2560515c-07d1-434e-87fb-ebe3af267760
Rulename: Mail.Read Permissions Granted to Application
Description: This query looks for applications that have been granted (Delegated or App/Role) permissions to read mail (the Permissions field contains Mail.Read) and that have subsequently been consented to. This can help identify applications that have been abused to gain access to mailboxes.
Severity: Medium
Tactics: Persistence
Techniques: T1098
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml
Version: 1.0.3
Arm template: 2560515c-07d1-434e-87fb-ebe3af267760.json
// Detection: a service principal was granted a Microsoft Graph scope that can
// read mail (Mail.Read / Mail.ReadWrite), optionally correlated with the consent
// event that shares its CorrelationId. Tagged Solorigate/NOBELIUM in the rule
// metadata. Runs daily over the last day of AuditLogs (AzureActiveDirectory).
AuditLogs
| where Category =~ "ApplicationManagement"
// Both delegated grants and app-role assignments are admitted here, but only
// events carrying a DelegatedPermissionGrant.Scope property survive the
// modifiedProperties filter further down (see NOTE there).
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")  
| where Result =~ "success"
// NOTE(review): this effectively keeps user-initiated events only (a UPN always
// contains "@"). Grants performed by a service principal are dropped unless that
// app's displayName happens to contain "@", so an attacker acting through an app
// holding app-only Graph permissions would not be surfaced. Confirm this
// exclusion is intended.
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| mv-apply TargetResource = TargetResources on 
  (
      // The target is the service principal that received the permission.
      where TargetResource.type =~ "ServicePrincipal" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)
      | extend props = TargetResource.modifiedProperties,
               Type = tostring(TargetResource.type),
               PermissionsAddedTo = tostring(TargetResource.displayName)
  )
| mv-apply Property = props on 
  (
      // NOTE(review): only the delegated-grant scope property is kept. mv-apply
      // emits just the subquery's rows, so an event whose modifiedProperties have
      // no "DelegatedPermissionGrant.Scope" entry produces nothing and is dropped.
      // The app-role assignments admitted above therefore never reach the Mail.*
      // check, and the description's "Delegated or App/Role" claim is broader than
      // what the query detects. The property name app-role events use is not
      // visible here — confirm against AuditLogs before extending this filter.
      where Property.displayName =~ "DelegatedPermissionGrant.Scope"
      // newValue is a JSON-quoted string; strip the surrounding quotes.
      | extend DisplayName = tostring(Property.displayName), Permissions = trim('"',tostring(Property.newValue))
  )
// has_any is term-based and case-insensitive; "Mail.Read" does not match the
// term "ReadWrite", which is why both scopes are listed explicitly. Other scopes
// that expose mailbox content (e.g. Mail.ReadBasic) are not covered — review the
// list against the Graph permission reference for your tenant.
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
| mv-apply AdditionalDetail = AdditionalDetails on 
  (
      // Initiator's client user-agent: a useful pivot for scripted / Graph-API
      // grants. NOTE(review): same mv-apply semantics as above — a record with no
      // User-Agent entry yields no rows here and is silently dropped.
      where AdditionalDetail.key =~ "User-Agent"
      | extend UserAgent = tostring(AdditionalDetail.value)
  )
| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress)  
| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy
// Correlate with the consent event that shares the same CorrelationId. Because
// the join is leftouter, a grant with no matching consent row still alerts
// (AppName/AppId empty); "subsequently consented to" in the description is not
// enforced by the query.
| join kind=leftouter(
  AuditLogs
  | where ActivityDisplayName has "Consent to application"
  | mv-apply TargetResource = TargetResources on 
      (
          where TargetResource.type =~ "ServicePrincipal"
          | extend AppName = tostring(TargetResource.displayName),
                   AppId = tostring(TargetResource.id)
      )
  | project AppName, AppId, CorrelationId) on CorrelationId
| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
// Columns consumed by the rule's entity mappings: Account (Name + UPNSuffix,
// split from the initiator's UPN) and IP (UserIPAddress).
| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])
tags:
- Solorigate
- NOBELIUM
version: 1.0.3
name: Mail.Read Permissions Granted to Application
severity: Medium
queryFrequency: 1d
kind: Scheduled
queryPeriod: 1d
description: |
    'This query looks for applications that have been granted (Delegated or App/Role) permissions to read mail (the Permissions field contains Mail.Read) and that have subsequently been consented to. This can help identify applications that have been abused to gain access to mailboxes.'
query: |
  AuditLogs
  | where Category =~ "ApplicationManagement"
  | where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")  
  | where Result =~ "success"
  | where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
  | mv-apply TargetResource = TargetResources on 
    (
        where TargetResource.type =~ "ServicePrincipal" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)
        | extend props = TargetResource.modifiedProperties,
                 Type = tostring(TargetResource.type),
                 PermissionsAddedTo = tostring(TargetResource.displayName)
    )
  | mv-apply Property = props on 
    (
        where Property.displayName =~ "DelegatedPermissionGrant.Scope"
        | extend DisplayName = tostring(Property.displayName), Permissions = trim('"',tostring(Property.newValue))
    )
  | where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
  | mv-apply AdditionalDetail = AdditionalDetails on 
    (
        where AdditionalDetail.key =~ "User-Agent"
        | extend UserAgent = tostring(AdditionalDetail.value)
    )
  | extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
  | extend UserIPAddress = tostring(InitiatedBy.user.ipAddress)  
  | project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy
  | join kind=leftouter(
    AuditLogs
    | where ActivityDisplayName has "Consent to application"
    | mv-apply TargetResource = TargetResources on 
        (
            where TargetResource.type =~ "ServicePrincipal"
            | extend AppName = tostring(TargetResource.displayName),
                     AppId = tostring(TargetResource.id)
        )
    | project AppName, AppId, CorrelationId) on CorrelationId
  | project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
  | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])  
tactics:
- Persistence
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: UserIPAddress
    identifier: Address
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
status: Available
relevantTechniques:
- T1098
id: 2560515c-07d1-434e-87fb-ebe3af267760
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2560515c-07d1-434e-87fb-ebe3af267760')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2560515c-07d1-434e-87fb-ebe3af267760')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Mail.Read Permissions Granted to Application",
        "description": "'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")  \n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"ServicePrincipal\" and array_length(TargetResource.modifiedProperties) > 0 and isnotnull(TargetResource.displayName)\n      | extend props = TargetResource.modifiedProperties,\n               Type = tostring(TargetResource.type),\n               PermissionsAddedTo = tostring(TargetResource.displayName)\n  )\n| mv-apply Property = props on \n  (\n      where Property.displayName =~ \"DelegatedPermissionGrant.Scope\"\n      | extend DisplayName = tostring(Property.displayName), Permissions = trim('\"',tostring(Property.newValue))\n  )\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| mv-apply AdditionalDetail = AdditionalDetails on \n  (\n      where AdditionalDetail.key =~ \"User-Agent\"\n      | extend UserAgent = tostring(AdditionalDetail.value)\n  )\n| extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)\n| extend UserIPAddress = tostring(InitiatedBy.user.ipAddress)  \n| project-away props, TargetResource*, AdditionalDetail*, Property, InitiatedBy\n| join kind=leftouter(\n  AuditLogs\n  | where ActivityDisplayName has \"Consent to application\"\n  | mv-apply TargetResource = TargetResources on \n      (\n          where TargetResource.type =~ \"ServicePrincipal\"\n          | extend AppName = tostring(TargetResource.displayName),\n                   AppId = tostring(TargetResource.id)\n      )\n  | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, 
CorrelationId\n| extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "alertRuleTemplateName": "2560515c-07d1-434e-87fb-ebe3af267760",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "UserIPAddress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml",
        "status": "Available",
        "templateVersion": "1.0.3",
        "tags": [
          "Solorigate",
          "NOBELIUM"
        ]
      }
    }
  ]
}