☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Quick Mail Consent (MS O365)

Mail.Read and Mail.ReadWrite delegated permissions are extremely sensitive permissions that can allow access to user email without a signed-in user. Secureworks® Taegis™ XDR’s Office 365 Quick Mail Consent Detector monitors your Office 365 audit logs for applications granted Mail.Read or Mail.ReadWrite permissions, and related application consent logs that occur within a short period of time. The time period is calibrated according to attack patterns by known threat actors. Due to the sensitivity of the permission set being monitored and the detector monitoring for fully consented applications, alerts produced by this detector contain a high severity rating. Suppression is supported.

O365 Quick Mail Consent Alert Detector

O365 Quick Mail Consent Detector Alert

Inputs ⫘

Microsoft Office 365 audit logs collected through the Microsoft Office 365 Management API integration and normalized to the CloudAudit schema in the XDR data lake.

Outputs ⫘

Alerts generated by Tactic Graphs™ Detector are pushed to the XDR Alert Triage Dashboard.

MITRE ATT&CK Category ⫘

MITRE Enterprise ATT&CK - Defense Evasion - Valid Accounts - Cloud Accounts. For more information, see MITRE Technique T1078.004.
MITRE Enterprise ATT&CK - Persistence - Account Manipulation - Exchange Email Delegate Permissions. For more information, see MITRE Technique T1098.002.

Configuration Options ⫘

None

Detector Requirements ⫘

Microsoft Office 365 Management API audit logs

On this page:

Inputs
Outputs
MITRE ATT&CK Category
Configuration Options
Detector Requirements