Exchange_Uncommon_Operations
ID: 100200
Description:
A user performed an uncommon or administrative Exchange operation
Repository: Fluency Group: Office365 Type: event
Default Status:
Enabled
| Tags: | ||
|---|---|---|
| Office365 | M365 | O365 |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @fields.Workload | Exchange |
| @fields.Operation | entity: [ Exchange_Uncommon_Operations ] |
| Field | MUST NOT hit |
|---|---|
| @fields.UserType | 4 |
| 5 | |
| @fields.UserId | NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost) |
| NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) | |
| s-1-5-18 | |
| S-1-5-18 |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_POLICY | 200 | alert |
Attributes:
| Alias | Key |
|---|---|
| Username | @fields.UserId |
| Operation | @fields.Operation |
| IP | @fields.ClientIPAddress |
| Organization | @fields.OrganizationName |
| MailboxOwner | @fields.MailboxOwnerUPN |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewUser | 30 days | @fields.UserId |
| Risks: | ML_NEW_USER | |
| NewOperation | 30 days | @fields.Operation |
| Risks: | ML_NEW_APP |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Mar 11 04:21:33 EST |
| em*n@fluencysecurity.com | 2021 Mar 11 14:26:59 EST |
| em*n@fluencysecurity.com | 2021 Mar 17 14:11:20 EDT |
| em*n@fluencysecurity.com | 2021 Mar 22 02:17:22 EDT |
| em*n@fluencysecurity.com | 2021 Mar 22 21:02:48 EDT |
| ho*d@fluencysecurity.com | 2021 Jun 16 14:01:54 EDT |
| ho*d@fluencysecurity.com | 2021 Jun 16 14:04:33 EDT |
| ho*d@fluencysecurity.com | 2021 Jun 16 14:50:58 EDT |
| em*n@fluencysecurity.com | 2021 Dec 15 13:05:50 EST |
| em*n@fluencysecurity.com | 2021 Dec 15 13:07:01 EST |
| ke*y@fluencysecurity.com | 2022 Feb 18 00:54:37 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)