
Exchange_Uncommon_Operations

ID: 100200

Description:

A user performed an uncommon or administrative Exchange operation.

Repository: Fluency
Group: Office365
Type: event

Default Status:

Enabled

Tags:

Office365, M365, O365

Selector:

Query:

Filters:

Field                 MUST hit
@fields.Workload      Exchange
@fields.Operation     entity: [ Exchange_Uncommon_Operations ]

Field                 MUST NOT hit
@fields.UserType      4
                      5
@fields.UserId        NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)
                      NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)

Behavior Rule:

Key               Type        Behavior      Category
@fields.UserId    username    application   activity

Risks:

Risk            Base Score    Dimension
ALERT_POLICY    200           alert

Attributes:

Alias           Key
Username        @fields.UserId
Operation       @fields.Operation
IP              @fields.ClientIPAddress
Organization    @fields.OrganizationName
MailboxOwner    @fields.MailboxOwnerUPN

Correlation Rules:

First Occurrence:

Name            Window      Fields               Risks
NewUser         10 days     @fields.UserId       ML_NEW_USER
NewOperation    20 days     @fields.Operation    ML_NEW_APP

History:

User                          Date
em*n@fluencysecurity.com      2021 Mar 11 04:21:33 EST
em*n@fluencysecurity.com      2021 Mar 11 14:26:59 EST
em*n@fluencysecurity.com      2021 Mar 17 14:11:20 EDT
em*n@fluencysecurity.com      2021 Mar 22 02:17:22 EDT
em*n@fluencysecurity.com      2021 Mar 22 21:02:48 EDT
ho*d@fluencysecurity.com      2021 Jun 16 14:01:54 EDT
ho*d@fluencysecurity.com      2021 Jun 16 14:04:33 EDT
ho*d@fluencysecurity.com      2021 Jun 16 14:50:58 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)