Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VIP Mailbox manipulation

VIP Mailbox manipulation

Back
Id5170c3c4-b8c9-485c-910d-a21d965ee181
RulenameVIP Mailbox manipulation
DescriptionAlert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.
SeverityMedium
TacticsExfiltration
Persistence
Collection
TechniquesT1020
T1098
T1114
Required data connectorsESI-ExchangeAdminAuditLogEvents
KindScheduled
Query frequency30m
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml
Version1.2.0
Arm template5170c3c4-b8c9-485c-910d-a21d965ee181.json
Deploy To Azure
let VIPRestriction = "on";
ExchangeAdminAuditLogs
| where IsVIP or VIPRestriction =~ "off"
| where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
| extend Level = iif (Status == "Failure", "Medium", "High")

triggerOperator: gt
queryFrequency: 30m
requiredDataConnectors:
- connectorId: ESI-ExchangeAdminAuditLogEvents
  dataTypes:
  - Event
relevantTechniques:
- T1020
- T1098
- T1114
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetObject
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: TargetObject
  - identifier: ObjectGuid
    columnName: TargetObject
  - identifier: FullName
    columnName: TargetObject
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Caller
query: |
  let VIPRestriction = "on";
  ExchangeAdminAuditLogs
  | where IsVIP or VIPRestriction =~ "off"
  | where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
  | extend Level = iif (Status == "Failure", "Medium", "High")  
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: '{{CmdletName}} executed on {{TargetObject}}'
  alertSeverityColumnName: Level
  alertDescriptionFormat: Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml
queryPeriod: 1h
name: VIP Mailbox manipulation
status: Available
kind: Scheduled
description: |
    'Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.'
id: 5170c3c4-b8c9-485c-910d-a21d965ee181
version: 1.2.0
tactics:
- Exfiltration
- Persistence
- Collection
severity: Medium