Link Search Menu Expand Document

O365_User_Updated

ID: 100263

Description:

An O365 user’s info has been updated

Repository: Fluency Group: Office365 Type: event

Default Status:

Enabled

Tags:
O365
 

Selector:

Query:

Filters:

Standard:

Field MUST hit
@sender office365
@fields.Operation Update user.
@fields.Workload AzureActiveDirectory
Field MUST NOT hit
@fields.UserType 4
  5
@fields.UserId fim_password_service
  fim_password_service@support.onmicrosoft.com

Additional JSON:

function json_doc_filter (doc)
   UserId = doc['@fields'].UserId
   if UserId == nil then
      return false
   end
   print("UserId: "..UserId)

   -- exempt the sync services
   if starts_with(UserId, "Sync_") then
      return false
   end

   ObjectId = doc['@fields'].ObjectId
   if ObjectId == nil then
      return false
   end
   print("ObjectId: "..ObjectId)

   -- user is editing own details
   if (UserId == ObjectId) then
      return false
   end
   
   return true

end

function starts_with(str, start)
   return str:sub(1, #start) == start
end

return json_doc_filter

Behavior Rule:

Key Type Behavior Category
@fields.UserId username application activity

Risks:

Risks Base Score Dimension
ALERT_POLICY 200 alert

Attributes:

Alias Key
Username @fields.UserId
Workload @fields.Workload
ResultStatus @fields.ResultStatus
TargetUser @fields.ObjectId

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 30 days @fields.UserId
  Risks: ML_NEW_USER

History:

User Date
em*n@fluencysecurity.com 2021 Mar 6 03:43:54 EST
em*n@fluencysecurity.com 2021 Mar 17 14:15:34 EDT
em*n@fluencysecurity.com 2021 Mar 18 15:09:10 EDT
em*n@fluencysecurity.com 2021 Mar 18 15:22:20 EDT
em*n@fluencysecurity.com 2021 Mar 18 15:25:22 EDT
em*n@fluencysecurity.com 2021 Apr 8 13:23:33 EDT
ke*y@fluencysecurity.com 2021 May 21 02:11:14 EDT
ho*d@fluencysecurity.com 2021 Jun 24 15:42:00 EDT
em*n@fluencysecurity.com 2021 Jul 6 23:31:19 EDT
ho*d@fluencysecurity.com 2021 Jul 7 08:56:01 EDT
ke*y@fluencysecurity.com 2022 Feb 18 01:15:13 EST

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)