
Commit 02c5a24

Update o365_email_transport_rule_changed.yml
1 parent 977c678 commit 02c5a24


1 file changed

+9
-9
lines changed


detections/cloud/o365_email_transport_rule_changed.yml

Lines changed: 9 additions & 9 deletions
@@ -7,15 +7,15 @@ status: production
77
type: Anomaly
88
description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
99
data_source:
10-
- O365
11-
search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
12-
| rename Parameters{}.* as Parameters_*
13-
| eval object_name = case(Parameters_Name=="Name",mvindex(Parameters_Value,mvfind(Parameters_Name,"^Name$")),true(),ObjectId), object_id = case(Parameters_Name=="Identity",mvindex(Parameters_Value,mvfind(Parameters_Name,"^Identity$")),true(),Id)
14-
| stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
15-
| rename UserId as user, Operation as signature
16-
| `security_content_ctime(firstTime)`
17-
| `security_content_ctime(lastTime)`
18-
| `o365_email_transport_rule_changed_filter`'
10+
- Office 365 Universal Audit Log
11+
search: |-
12+
`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
13+
| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
14+
| stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
15+
| rename UserId as user, Operation as signature
16+
| `security_content_ctime(firstTime)`
17+
| `security_content_ctime(lastTime)`
18+
| `o365_email_transport_rule_changed_filter`
1919
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
2020
known_false_positives: Legitimate administrative changes for business needs.
2121
references:
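Review bot: the guards in the new eval at line 13+ compare a multivalue field to a scalar (`'Parameters{}.Name'=="Name"` and `'Parameters{}.Name'=="Identity"`), so whether the first branch of each case() fires depends on how eval treats equality against a multivalue field rather than on whether a "Name"/"Identity" parameter is actually present; since each branch already relies on mvfind(), which returns null when no element matches the pattern, an unambiguous guard would be `isnotnull(mvfind('Parameters{}.Name',"^Name$"))` (and likewise for `^Identity$`), falling back to ObjectId / Id exactly as now. Dropping the `| rename Parameters{}.* as Parameters_*` step (line 12-) also means anything downstream that still expects Parameters_Name / Parameters_Value, such as the `o365_email_transport_rule_changed_filter` macro or the detection's tests, should be checked against the new field names. Finally, the data_source change from `- O365` to `- Office 365 Universal Audit Log` is only safe if a data_source object with that exact name exists in the repository; that cannot be confirmed from this hunk, so it is worth verifying before merge.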

0 commit comments
