Application Granted EWS Permissions



This query finds AD applications with EWS permissions to read user mailboxes. Threat actors could misuse these for persistent mailbox access. Ensure these permissions are legitimately granted and necessary.

| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Cloud Identity Threat Protection Essentials |
| ID | c7941212-4ff9-4d2d-b38d-54d78fa087cc |
| Tactics | Collection, PrivilegeEscalation |
| Techniques | T1078.004, T1114.002 |
| Required Connectors | AzureActiveDirectory, AzureActiveDirectoryIdentityProtection |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
AuditLogs OperationName has "Add app role assignment to service principal" ?
SecurityAlert ?
