From c0abe39f8a7c9a96ed94d3f9917fa1a2bac4a5d2 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 23 Mar 2026 10:08:47 -0400
Subject: [PATCH] [Rule Tuning] Remove OIDC email scope from Microsoft Graph Email Access Rule (#5856)

* [Rule Tuning] Remove OIDC email scope from Microsoft Graph Email Access Rule
* removing mailboxSettings FPs
* updated query optimization & format
---
 ...ss_by_unusual_public_client_via_graph.toml | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
index 734246e18..3f48cab4c 100644
--- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/19"
 [rule]
 author = ["Elastic"]
@@ -68,6 +68,7 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Email",
 "Data Source: Azure",
 "Data Source: Microsoft Graph",
 "Data Source: Microsoft Graph Activity Logs",
@@ -79,21 +80,22 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset: "azure.graphactivitylogs" and
-azure.graphactivitylogs.properties.app_id: * and
-azure.graphactivitylogs.result_signature: 200 and
-azure.graphactivitylogs.properties.c_idtyp: "user" and
-azure.graphactivitylogs.properties.client_auth_method: 0 and
-http.request.method: (GET or POST or PUT or PATCH or DELETE) and (
- url.path: (/v1.0/me/*cc or /v1.0/users/*) and
- (
- url.path: (*mail* or *messages* or *inbox*) or
- azure.graphactivitylogs.properties.requestUri: (*mail* or *messages* or *inbox*)
- ) or
- azure.graphactivitylogs.properties.scopes: (
- "Mail.Read" or "Mail.ReadWrite" or "Mail.Send" or "email"
- )
-)
+event.dataset:azure.graphactivitylogs
+ and azure.graphactivitylogs.properties.app_id:*
+ and azure.graphactivitylogs.result_signature:200
+ and azure.graphactivitylogs.properties.c_idtyp:user
+ and azure.graphactivitylogs.properties.client_auth_method:0
+ and http.request.method:(DELETE or GET or PATCH or POST or PUT)
+ and (
+ (
+ url.path:(/v1.0/me/*cc or /v1.0/users/*)
+ and (
+ url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*)
+ or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*)
+ )
+ )
+ or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send)
+ )
 '''