Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mail.Read Permissions Granted to Application

Back
Id2560515c-07d1-434e-87fb-ebe3af267760
RulenameMail.Read Permissions Granted to Application
DescriptionThis query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml
Version1.0.1
Arm template2560515c-07d1-434e-87fb-ebe3af267760.json
Deploy To Azure
AuditLogs
| where Category =~ "ApplicationManagement"
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
| where Result =~ "success"
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))
| mv-expand props
| extend UserAgent = tostring(AdditionalDetails[0].value)
| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend DisplayName = tostring(props.displayName)
| extend Permissions = tostring(parse_json(tostring(props.newValue)))
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)
| extend Type = tostring(TargetResources[0].type)
| project-away props
| join kind=leftouter(
  AuditLogs
  | where ActivityDisplayName has "Consent to application"
  | extend AppName = tostring(TargetResources[0].displayName)
  | extend AppId = tostring(TargetResources[0].id)
  | project AppName, AppId, CorrelationId) on CorrelationId
| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress
version: 1.0.1
status: Available
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
kind: Scheduled
queryPeriod: 1d
severity: Medium
query: |
  AuditLogs
  | where Category =~ "ApplicationManagement"
  | where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
  | where Result =~ "success"
  | where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
  | extend props = parse_json(tostring(TargetResources[0].modifiedProperties))
  | mv-expand props
  | extend UserAgent = tostring(AdditionalDetails[0].value)
  | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | extend DisplayName = tostring(props.displayName)
  | extend Permissions = tostring(parse_json(tostring(props.newValue)))
  | where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
  | extend PermissionsAddedTo = tostring(TargetResources[0].displayName)
  | extend Type = tostring(TargetResources[0].type)
  | project-away props
  | join kind=leftouter(
    AuditLogs
    | where ActivityDisplayName has "Consent to application"
    | extend AppName = tostring(TargetResources[0].displayName)
    | extend AppId = tostring(TargetResources[0].id)
    | project AppName, AppId, CorrelationId) on CorrelationId
  | project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress  
tags:
- Solorigate
- NOBELIUM
triggerOperator: gt
id: 2560515c-07d1-434e-87fb-ebe3af267760
description: |
    'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'
triggerThreshold: 0
name: Mail.Read Permissions Granted to Application
relevantTechniques:
- T1098
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2560515c-07d1-434e-87fb-ebe3af267760')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2560515c-07d1-434e-87fb-ebe3af267760')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Mail.Read Permissions Granted to Application",
        "description": "'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\n| mv-expand props\n| extend UserAgent = tostring(AdditionalDetails[0].value)\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| extend DisplayName = tostring(props.displayName)\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\n| extend Type = tostring(TargetResources[0].type)\n| project-away props\n| join kind=leftouter(\n  AuditLogs\n  | where ActivityDisplayName has \"Consent to application\"\n  | extend AppName = tostring(TargetResources[0].displayName)\n  | extend AppId = tostring(TargetResources[0].id)\n  | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "alertRuleTemplateName": "2560515c-07d1-434e-87fb-ebe3af267760",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "tags": [
          "Solorigate",
          "NOBELIUM"
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/MailPermissionsAddedToApplication.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}