57 строки
2.4 KiB
YAML
57 строки
2.4 KiB
YAML
id: 2560515c-07d1-434e-87fb-ebe3af267760
|
|
name: Mail.Read Permissions Granted to Application
|
|
description: |
|
|
'This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: AzureActiveDirectory
|
|
dataTypes:
|
|
- AuditLogs
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- Persistence
|
|
relevantTechniques:
|
|
- T1098
|
|
tags:
|
|
- Solorigate
|
|
- NOBELIUM
|
|
query: |
|
|
|
|
AuditLogs
|
|
| where Category =~ "ApplicationManagement"
|
|
| where ActivityDisplayName has_any ("Add delegated permission grant","Add app role assignment to service principal")
|
|
| where Result =~ "success"
|
|
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
|
|
| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))
|
|
| mv-expand props
|
|
| extend UserAgent = tostring(AdditionalDetails[0].value)
|
|
| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
|
|
| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
|
|
| extend DisplayName = tostring(props.displayName)
|
|
| extend Permissions = tostring(parse_json(tostring(props.newValue)))
|
|
| where Permissions has_any ("Mail.Read", "Mail.ReadWrite")
|
|
| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)
|
|
| extend Type = tostring(TargetResources[0].type)
|
|
| project-away props
|
|
| join kind=leftouter(
|
|
AuditLogs
|
|
| where ActivityDisplayName has "Consent to application"
|
|
| extend AppName = tostring(TargetResources[0].displayName)
|
|
| extend AppId = tostring(TargetResources[0].id)
|
|
| project AppName, AppId, CorrelationId) on CorrelationId
|
|
| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress
|
|
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|
|
version: 1.0.0 |