Link Search Menu Expand Document

Exchange_Uncommon_Operations

ID: 100384

Description:

A user performed an uncommon or administrative Exchange operation

Repository: Group: Office365ES Type: event

Default Status:

Enabled

Tags:    
Office365 M365 O365
     

Selector:

Query:

Filters:

Field MUST hit
o365.audit.Workload Exchange
o365.audit.Operation entity: [ Exchange_Uncommon_Operations ]
Field MUST NOT hit
o365.audit.UserType 4
  5
o365.audit.UserId NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)
  NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)

Behavior Rule:

Key Type Behavior Category
o365.audit.UserId username application activity

Risks:

Risks Base Score Dimension
ALERT_POLICY 200 alert

Attributes:

Alias Key
Username o365.audit.UserId
Operation o365.audit.Operation
IP o365.audit.ClientIPAddress
Organization o365.audit.OrganizationName
MailboxOwner o365.audit.MailboxOwnerUPN

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days o365.audit.UserId
  Risks: ML_NEW_USER
NewOperation 20 days o365.audit.Operation
  Risks: ML_NEW_APP

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)