🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Quick Mail Consent (MS O365)

detectors

The Mail.Read and Mail.ReadWrite delegated permissions are extremely sensitive permissions that can allow access to user email without a signed-in user. Secureworks® Taegis™ XDR’s Office 365 Quick Mail Consent Detector monitors your Office 365 audit logs for applications granted Mail.Read or Mail.ReadWrite permissions, and related application consent logs that occur within a short period of time. The time period is calibrated according to attack patterns by known threat actors. Due to the sensitivity of the permission set being monitored and the detector monitoring for fully consented applications, alerts produced by this detector contain a high severity rating. Suppression is supported.

O365 Quick Mail Consent Alert Detector

O365 Quick Mail Consent Detector Alert

Requirements

This detector requires the following data sources, integrations, or schemas:

Inputs

Detections are from the following normalized sources:

Outputs

Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

Detector Testing

This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.

Note

If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.

FROM alert WHERE metadata.creator.detector.detector_id='app:detect:o365-quick-mail-consent' 

References

 

On this page: