Microsoft Sentinel Analytic Rules

VIP Mailbox manipulation

Id: 5170c3c4-b8c9-485c-910d-a21d965ee181
Rulename: VIP Mailbox manipulation
Description: Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.
Severity: Medium
Tactics: Exfiltration, Persistence, Collection
Techniques: T1020, T1098, T1114
Required data connectors: ESI-ExchangeAdminAuditLogEvents
Kind: Scheduled
Query frequency: 30m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml
Version: 1.2.0
Arm template: 5170c3c4-b8c9-485c-910d-a21d965ee181.json
Query:
// Set to "off" to apply the rule to every mailbox instead of only VIP mailboxes
let VIPRestriction = "on";
ExchangeAdminAuditLogs
// Keep only events targeting VIP mailboxes, unless the VIP restriction is switched off
| where IsVIP or VIPRestriction =~ "off"
// User-oriented sensitive cmdlets: a restricted cmdlet counts only when run with sensitive parameters,
// an unrestricted sensitive cmdlet always counts
| where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
// Failed executions are raised at Medium, successful ones at High; Level feeds alertSeverityColumnName below
| extend Level = iif (Status == "Failure", "Medium", "High")
queryPeriod: 1h
query: |
  let VIPRestriction = "on";
  ExchangeAdminAuditLogs
  | where IsVIP or VIPRestriction =~ "off"
  | where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
  | extend Level = iif (Status == "Failure", "Medium", "High")  
name: VIP Mailbox manipulation
entityMappings:
- fieldMappings:
  - columnName: TargetObject
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: TargetObject
    identifier: Sid
  - columnName: TargetObject
    identifier: ObjectGuid
  - columnName: TargetObject
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Caller
    identifier: Name
  entityType: Account
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml
alertDetailsOverride:
  alertDisplayNameFormat: '{{CmdletName}} executed on {{TargetObject}}'
  alertDescriptionFormat: Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}
  alertSeverityColumnName: Level
requiredDataConnectors:
- connectorId: ESI-ExchangeAdminAuditLogEvents
  dataTypes:
  - Event
description: |
    'Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.'
kind: Scheduled
version: 1.2.0
status: Available
severity: Medium
relevantTechniques:
- T1020
- T1098
- T1114
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
- Persistence
- Collection
id: 5170c3c4-b8c9-485c-910d-a21d965ee181