Rules Contributing to Microsoft 365 Rare Operations Alert
    
The following rules are used to identify rare and suspicious Microsoft 365 mailbox operations. Any one or more of these will trigger the Microsoft 365 Rare Operations Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
|---|---|
| Rare and Potentially High-Risk Office365 Operations | Identifies Office365 operations that are typically rare and can provide capabilities useful to attackers. |

More details:

| Field | Value |
|---|---|
| Rule ID | |
| Log Source | Stellar Cyber Microsoft 365 configured. |
| Rule Source | Developed internally by Stellar Cyber |
| Tactics, Techniques, and Procedures | |
| References | N/A |
| Severity | 25 |
| Suppression Logic Based On | |
| Additional Information | |

Query:

```
{'selection1': {'Operation': ['add-mailboxfolderpermission',
                              'new-managementroleassignment',
                              'new-inboxrule',
                              'set-inboxrule',
                              'set-transportrule']},
 'selection2': {'Operation': ['add-mailboxpermission', 'set-mailbox']},
 'selection3': {'UserId|contains': ['nt authority\\system (microsoft.exchange.servicehost)',
                                    'nt authority\\system (microsoft.exchange.adminapi.netcore)',
                                    'nt authority\\system (w3wp)',
                                    'devilfish-applicationaccount']},
 'condition': 'selection1 or (selection2 and not selection3)'}
```
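
The rule's query evaluated over constructed audit records, as an added example that is not Stellar Cyber's implementation. It assumes Sigma-style matching (case-insensitive values, a list means any-of, `|contains` means substring); the function names `selection_matches` and `rule_fires` are hypothetical.

```python
# Added example: evaluates the rule's query against constructed audit records.
# Assumption: Sigma-style semantics (case-insensitive values, list = any of,
# "|contains" = substring match); the product's own engine may differ.
RULE = {
    "selection1": {"Operation": ["add-mailboxfolderpermission", "new-managementroleassignment",
                                 "new-inboxrule", "set-inboxrule", "set-transportrule"]},
    "selection2": {"Operation": ["add-mailboxpermission", "set-mailbox"]},
    "selection3": {"UserId|contains": ["nt authority\\system (microsoft.exchange.servicehost)",
                                       "nt authority\\system (microsoft.exchange.adminapi.netcore)",
                                       "nt authority\\system (w3wp)",
                                       "devilfish-applicationaccount"]},
}


def selection_matches(selection, record):
    """True when every field clause in the selection matches the record."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(record.get(field, "")).lower()
        if modifier == "contains":
            hit = any(v.lower() in actual for v in values)
        else:
            hit = actual in (v.lower() for v in values)
        if not hit:
            return False
    return True


def rule_fires(record):
    """condition: selection1 or (selection2 and not selection3)"""
    s1, s2, s3 = (selection_matches(RULE[name], record)
                  for name in ("selection1", "selection2", "selection3"))
    return s1 or (s2 and not s3)


# Constructed sample records (not real audit data).
SAMPLES = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com"},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.com"},
    {"Operation": "Set-Mailbox", "UserId": "NT AUTHORITY\\SYSTEM (w3wp)"},
    {"Operation": "New-InboxRule", "UserId": "NT AUTHORITY\\SYSTEM (w3wp)"},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rule_fires(rec), rec["Operation"], rec["UserId"])
```

The fourth record shows that the `selection3` exclusion applies only to `selection2` operations: a `selection1` operation fires regardless of `UserId`.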
