security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Remove OIDC email scope from Microsoft Graph Email Access Rule (#5856)

Browse Source 
* [Rule Tuning] Remove OIDC email scope from Microsoft Graph Email Access Rule

* removing mailboxSettings FPs

* updated query optimization & format
This commit is contained in:
Terrance DeJesus
2026-03-23 10:08:47 -04:00
committed by GitHub
parent 53553e0bfb
commit c0abe39f8a
1 changed files with 18 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+18 -16
View File
@@ -2,7 +2,7 @@
creation_date = "2025/05/06"
integration = ["azure"]
maturity = "production"
updated_date = "2025/12/17"
updated_date = "2026/03/19"
[rule]
author = ["Elastic"]
@@ -68,6 +68,7 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: Email",
"Data Source: Azure",
"Data Source: Microsoft Graph",
"Data Source: Microsoft Graph Activity Logs",
@@ -79,21 +80,22 @@ timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset: "azure.graphactivitylogs" and
azure.graphactivitylogs.properties.app_id: * and
azure.graphactivitylogs.result_signature: 200 and
azure.graphactivitylogs.properties.c_idtyp: "user" and
azure.graphactivitylogs.properties.client_auth_method: 0 and
http.request.method: (GET or POST or PUT or PATCH or DELETE) and (
url.path: (/v1.0/me/*cc or /v1.0/users/*) and
(
url.path: (*mail* or *messages* or *inbox*) or
azure.graphactivitylogs.properties.requestUri: (*mail* or *messages* or *inbox*)
) or
azure.graphactivitylogs.properties.scopes: (
"Mail.Read" or "Mail.ReadWrite" or "Mail.Send" or "email"
)
)
event.dataset:azure.graphactivitylogs
and azure.graphactivitylogs.properties.app_id:*
and azure.graphactivitylogs.result_signature:200
and azure.graphactivitylogs.properties.c_idtyp:user
and azure.graphactivitylogs.properties.client_auth_method:0
and http.request.method:(DELETE or GET or PATCH or POST or PUT)
and (
(
url.path:(/v1.0/me/*cc or /v1.0/users/*)
and (
url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*)
or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*)
)
)
or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send)
)
'''