Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations

Back
Id433c254d-4b84-46f7-99ec-9dfefb5f6a7b
RulenameGSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations
DescriptionIdentifies Office operations that are typically rare and can provide capabilities useful to attackers.
SeverityLow
TacticsPersistence
Collection
TechniquesT1098
T1114
Required data connectorsAzureActiveDirectory
Office365
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml
Version2.0.7
Arm template433c254d-4b84-46f7-99ec-9dfefb5f6a7b.json
Deploy To Azure
// OfficeActivity Query
let OfficeEvents = OfficeActivity
    | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
    and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') 
         and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
    | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0])
    | extend AccountName = tostring(split(UserId, "@")[0]), 
             AccountUPNSuffix = tostring(split(UserId, "@")[1]);

// EnrichedMicrosoft365AuditLogs Query
let EnrichedEvents = EnrichedMicrosoft365AuditLogs
    | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
    and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') 
         and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
    | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIp)[0])
    | extend AccountName = tostring(split(UserId, "@")[0]), 
             AccountUPNSuffix = tostring(split(UserId, "@")[1]);

// Combine and Deduplicate Office and Enriched Logs
let CombinedEvents = OfficeEvents
    | union EnrichedEvents
    | summarize arg_min(TimeGenerated, *) by Operation, UserId, ClientIPOnly;

// Final Output
CombinedEvents
    | project TimeGenerated, Operation, UserId, AccountName, AccountUPNSuffix, ClientIPOnly
kind: Scheduled
relevantTechniques:
- T1098
- T1114
description: |
    Identifies Office operations that are typically rare and can provide capabilities useful to attackers.
queryPeriod: 1d
queryFrequency: 1d
tactics:
- Persistence
- Collection
name: GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - EnrichedMicrosoft365AuditLogs
- connectorId: Office365
  dataTypes:
  - OfficeActivity
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserId
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIPOnly
triggerThreshold: 0
version: 2.0.7
id: 433c254d-4b84-46f7-99ec-9dfefb5f6a7b
query: |
  // OfficeActivity Query
  let OfficeEvents = OfficeActivity
      | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
      and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') 
           and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
      | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0])
      | extend AccountName = tostring(split(UserId, "@")[0]), 
               AccountUPNSuffix = tostring(split(UserId, "@")[1]);

  // EnrichedMicrosoft365AuditLogs Query
  let EnrichedEvents = EnrichedMicrosoft365AuditLogs
      | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
      and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') 
           and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
      | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIp)[0])
      | extend AccountName = tostring(split(UserId, "@")[0]), 
               AccountUPNSuffix = tostring(split(UserId, "@")[1]);

  // Combine and Deduplicate Office and Enriched Logs
  let CombinedEvents = OfficeEvents
      | union EnrichedEvents
      | summarize arg_min(TimeGenerated, *) by Operation, UserId, ClientIPOnly;

  // Final Output
  CombinedEvents
      | project TimeGenerated, Operation, UserId, AccountName, AccountUPNSuffix, ClientIPOnly  
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml
severity: Low
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]",
      "properties": {
        "alertRuleTemplateName": "433c254d-4b84-46f7-99ec-9dfefb5f6a7b",
        "customDetails": null,
        "description": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\n",
        "displayName": "GSA Enriched Office 365 - Rare and Potentially High-Risk Office Operations",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserId",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIPOnly",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml",
        "query": "// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n    | where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\", \"New-InboxRule\", \"Set-InboxRule\", \"Set-TransportRule\")\n    and not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\\\SYSTEM (w3wp)', 'devilfish-applicationaccount') \n         and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n    | extend ClientIPOnly = tostring(extract_all(@'\\[?(::ffff:)?(?P<IPAddress>(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?', dynamic([\"IPAddress\"]), ClientIP)[0])\n    | extend AccountName = tostring(split(UserId, \"@\")[0]), \n             AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n\n// EnrichedMicrosoft365AuditLogs Query\nlet EnrichedEvents = EnrichedMicrosoft365AuditLogs\n    | where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\", \"New-InboxRule\", \"Set-InboxRule\", \"Set-TransportRule\")\n    and not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\\\SYSTEM (w3wp)', 'devilfish-applicationaccount') \n         and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n    | extend ClientIPOnly = tostring(extract_all(@'\\[?(::ffff:)?(?P<IPAddress>(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?', dynamic([\"IPAddress\"]), ClientIp)[0])\n    | extend AccountName = tostring(split(UserId, \"@\")[0]), \n             AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n\n// Combine and Deduplicate Office and Enriched Logs\nlet CombinedEvents = OfficeEvents\n    | union EnrichedEvents\n    | summarize arg_min(TimeGenerated, *) by Operation, UserId, ClientIPOnly;\n\n// Final Output\nCombinedEvents\n    | project TimeGenerated, Operation, UserId, AccountName, AccountUPNSuffix, ClientIPOnly\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Persistence"
        ],
        "techniques": [
          "T1098",
          "T1114"
        ],
        "templateVersion": "2.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}