Microsoft Sentinel Analytic Rules

VIP Mailbox manipulation

Id: 5170c3c4-b8c9-485c-910d-a21d965ee181
Rulename: VIP Mailbox manipulation
Description: Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.
Severity: Medium
Tactics: Exfiltration, Persistence, Collection
Techniques: T1020, T1098, T1114
Required data connectors: ESI-ExchangeAdminAuditLogEvents
Kind: Scheduled
Query frequency: 30m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml
Version: 1.2.0
Arm template: 5170c3c4-b8c9-485c-910d-a21d965ee181.json
Query (KQL):

let VIPRestriction = "on";
ExchangeAdminAuditLogs
| where IsVIP or VIPRestriction =~ "off"
| where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
| extend Level = iif (Status == "Failure", "Medium", "High")
Rule definition (YAML):

id: 5170c3c4-b8c9-485c-910d-a21d965ee181
severity: Medium
queryFrequency: 30m
triggerThreshold: 0
description: |
    'Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.'
version: 1.2.0
query: |
  let VIPRestriction = "on";
  ExchangeAdminAuditLogs
  | where IsVIP or VIPRestriction =~ "off"
  | where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
  | extend Level = iif (Status == "Failure", "Medium", "High")
name: VIP Mailbox manipulation
queryPeriod: 1h
triggerOperator: gt
requiredDataConnectors:
- connectorId: ESI-ExchangeAdminAuditLogEvents
  dataTypes:
  - Event
status: Available
tactics:
- Exfiltration
- Persistence
- Collection
relevantTechniques:
- T1020
- T1098
- T1114
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: '{{CmdletName}} executed on {{TargetObject}}'
  alertSeverityColumnName: Level
  alertDescriptionFormat: Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetObject
    identifier: MailboxPrimaryAddress
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: TargetObject
    identifier: Sid
  - columnName: TargetObject
    identifier: ObjectGuid
  - columnName: TargetObject
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: Caller
    identifier: Name