Merge pull request #1661 from Cyb3rWard0g/master
Update MailPermissionsAddedToApplication.yaml
This commit is contained in:
Коммит
eb818b4448
|
@ -1,7 +1,7 @@
|
|||
id: 2560515c-07d1-434e-87fb-ebe3af267760
|
||||
name: Mail.Read Permissions Granted to Application
|
||||
description: |
|
||||
'This query look for applications that have been granted permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'
|
||||
'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
|
@ -21,7 +21,7 @@ query: |
|
|||
|
||||
AuditLogs
|
||||
| where Category =~ "ApplicationManagement"
|
||||
| where ActivityDisplayName =~ "Add delegated permission grant"
|
||||
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
|
||||
| where Result =~ "success"
|
||||
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
|
||||
| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))
|
||||
|
|
Загрузка…
Ссылка в новой задаче