Query Details
# List applications with Mail.* API permissions

## Query Information

#### Description

The query below lists the applications that have Mail.* Graph API permissions. These permissions are highly sensitive as they can give access to individual or shared mailboxes.

#### Risk

The Mail.* permissions grant access to mail data, which is considered highly sensitive. The permissions can be abused to get unauthorized access to mailboxes.

## Defender XDR

```KQL
OAuthAppInfo
| where Permissions has "Mail."
| summarize arg_max(Timestamp, *) by OAuthAppId
| mv-expand Permissions
| extend PermissionValue = tostring(Permissions.PermissionValue), InUse = tobool(Permissions.InUse), PrivilegeLevel = tostring(Permissions.PrivilegeLevel)
| where PermissionValue startswith "Mail."
| summarize TotalMailPermissions = dcount(PermissionValue), Permissions = make_set(PermissionValue) by OAuthAppId, AppName, AppOrigin
```

## Sentinel

```KQL
OAuthAppInfo
| where Permissions has "Mail."
| summarize arg_max(TimeGenerated, *) by OAuthAppId
| mv-expand Permissions
| extend PermissionValue = tostring(Permissions.PermissionValue), InUse = tobool(Permissions.InUse), PrivilegeLevel = tostring(Permissions.PrivilegeLevel)
| where PermissionValue startswith "Mail."
| summarize TotalMailPermissions = dcount(PermissionValue), Permissions = make_set(PermissionValue) by OAuthAppId, AppName, AppOrigin
```
This query is designed to identify applications that have been granted permissions related to accessing mail data through the Microsoft Graph API. Specifically, it looks for applications with permissions that start with "Mail.", which are considered highly sensitive because they can provide access to individual or shared mailboxes.
Here's a simplified breakdown of what the query does:
1. **Data Source:** It starts by accessing a dataset called OAuthAppInfo, which contains information about applications and their permissions.
2. **Filter for Mail Permissions:** The query filters the data to only include applications that have permissions related to mail (those containing "Mail.").
3. **Select Latest Entry:** For each application, it selects the most recent entry based on a timestamp (Timestamp in Defender XDR and TimeGenerated in Sentinel).
4. **Expand Permissions:** It expands the permissions to analyze each one individually.
5. **Extract Permission Details:** It extracts details about each permission, including its value, whether it's currently in use, and its privilege level.
6. **Filter for Specific Mail Permissions:** It further filters the permissions to only include those that specifically start with "Mail.".
7. **Summarize Results:** Finally, it summarizes the results by counting the total number of mail-related permissions for each application and lists these permissions. It groups the results by application ID, name, and origin.
Overall, this query helps identify applications with potentially risky access to mail data, allowing for further investigation or action to mitigate unauthorized access risks.
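To make the pipeline above concrete without a Defender XDR or Sentinel workspace, the following Python reproduces each step of the query over a handful of constructed OAuthAppInfo rows. This is an added example, not code from the original page or from the query's author; the app ids, names and permission sets are made up, and the `kql_has` helper is an approximation of KQL's term-based `has` operator.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows shaped like OAuthAppInfo (hypothetical data, not real apps).
OAUTH_APP_INFO = [
    {   # older snapshot of app-0001, still holding Mail.ReadWrite
        "Timestamp": datetime(2025, 4, 1, 9, 0), "OAuthAppId": "app-0001",
        "AppName": "Mail Sync Connector", "AppOrigin": "External",
        "Permissions": [
            {"PermissionValue": "Mail.Read", "InUse": True, "PrivilegeLevel": "High"},
            {"PermissionValue": "Mail.ReadWrite", "InUse": False, "PrivilegeLevel": "High"},
            {"PermissionValue": "User.Read", "InUse": True, "PrivilegeLevel": "Low"},
        ],
    },
    {   # newer snapshot of app-0001: Mail.ReadWrite has been removed
        "Timestamp": datetime(2025, 4, 10, 9, 0), "OAuthAppId": "app-0001",
        "AppName": "Mail Sync Connector", "AppOrigin": "External",
        "Permissions": [
            {"PermissionValue": "Mail.Read", "InUse": True, "PrivilegeLevel": "High"},
            {"PermissionValue": "User.Read", "InUse": True, "PrivilegeLevel": "Low"},
        ],
    },
    {   # a "Mail"-looking permission that is not a Mail.* permission
        "Timestamp": datetime(2025, 4, 10, 9, 0), "OAuthAppId": "app-0002",
        "AppName": "Settings Helper", "AppOrigin": "Internal",
        "Permissions": [
            {"PermissionValue": "MailboxSettings.Read", "InUse": True, "PrivilegeLevel": "Medium"},
        ],
    },
    {   # app that can send from shared mailboxes
        "Timestamp": datetime(2025, 4, 12, 9, 0), "OAuthAppId": "app-0003",
        "AppName": "Notifier", "AppOrigin": "Internal",
        "Permissions": [
            {"PermissionValue": "Mail.Send", "InUse": False, "PrivilegeLevel": "High"},
            {"PermissionValue": "Mail.Send.Shared", "InUse": True, "PrivilegeLevel": "High"},
        ],
    },
    {   # app-0004 had Mail.Read on Apr 2 but only User.Read on Apr 11
        "Timestamp": datetime(2025, 4, 2, 9, 0), "OAuthAppId": "app-0004",
        "AppName": "Legacy Reader", "AppOrigin": "External",
        "Permissions": [
            {"PermissionValue": "Mail.Read", "InUse": True, "PrivilegeLevel": "High"},
        ],
    },
    {
        "Timestamp": datetime(2025, 4, 11, 9, 0), "OAuthAppId": "app-0004",
        "AppName": "Legacy Reader", "AppOrigin": "External",
        "Permissions": [
            {"PermissionValue": "User.Read", "InUse": True, "PrivilegeLevel": "Low"},
        ],
    },
]


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on whole terms.

    Terms are split on non-alphanumeric characters, so "Mail." reduces to the
    term "Mail"; "MailboxSettings" is a different term and does not match.
    """
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t}
    wanted = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", term) if t]
    return all(t in tokens for t in wanted)


def list_mail_permission_apps(rows):
    """Replicate the page's query over a list of OAuthAppInfo-like rows."""
    # where Permissions has "Mail."  (applied to the serialized dynamic column)
    candidates = [r for r in rows if kql_has(json.dumps(r["Permissions"]), "Mail.")]

    # summarize arg_max(Timestamp, *) by OAuthAppId  (latest surviving row per app)
    latest = {}
    for r in candidates:
        cur = latest.get(r["OAuthAppId"])
        if cur is None or r["Timestamp"] > cur["Timestamp"]:
            latest[r["OAuthAppId"]] = r

    # mv-expand Permissions | extend PermissionValue=... | where PermissionValue startswith "Mail."
    grouped = defaultdict(set)
    for r in latest.values():
        key = (r["OAuthAppId"], r["AppName"], r["AppOrigin"])
        for p in r["Permissions"]:
            value = str(p["PermissionValue"])
            if value.lower().startswith("mail."):   # KQL startswith is case-insensitive
                grouped[key].add(value)

    # summarize TotalMailPermissions = dcount(...), Permissions = make_set(...) by app
    return [
        {"OAuthAppId": app_id, "AppName": name, "AppOrigin": origin,
         "TotalMailPermissions": len(values), "Permissions": sorted(values)}
        for (app_id, name, origin), values in grouped.items()
    ]


if __name__ == "__main__":
    for row in list_mail_permission_apps(OAUTH_APP_INFO):
        print(row)
```

Two things the sample data brings out. First, the `startswith "Mail."` filter is what keeps `MailboxSettings.Read` out of the results, so app-0002 is never listed. Second, because the `has "Mail."` filter runs before `arg_max`, the newest row of app-0004 (which no longer carries any mail permission) is discarded before the latest-row selection, and the app is still reported with its older `Mail.Read` grant; when triaging results, confirm the current consent state of the application before acting on it.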

Bert-Jan Pals
Released: April 14, 2025