Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all. Consent to applications with these perm
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft Entra ID |
| ID | f948a32f-226c-4116-bddd-d95e91d97eb9 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | CredentialAccess, DefenseEvasion |
| Techniques | T1528, T1550 |
| Required Connectors | AzureActiveDirectory |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
AuditLogs |
OperationName in "Add OAuth2PermissionGrant,Add delegated permission grant,Add service principal,Consent to application" |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊