Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
28 lines (25 sloc) 796 Bytes
id: 957cb240-f45d-4491-9ba5-93430a3c08be
name: Rare and potentially high-risk Office operations
description: |
'Identifies Office operations that are typically rare and can provide capabilities useful to attackers.'
severity: Low
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- Collection
relevantTechniques:
- T1098
- T1114
query: |
let timeframe = 1d;
OfficeActivity
| where TimeGenerated >= ago(timeframe)
| where Operation in~ ( "AddMailbox-Permission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomIdentity = ClientIP
You can’t perform that action at this time.