security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update

Browse Source
This commit is contained in:
Austin Songer
2021-08-23 22:02:47 +00:00
parent 4ab9519546
commit 1fa32fcd1a
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+6 -6
View File
@@ -1,14 +1,14 @@
title: Microsoft 365 - Suspicious inbox forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
status: experimental
description: Detects when a Microsoft Cloud App Security reported
description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
author: Austin Songer @austinsonger
date: 2021/08/22
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category:
category: ThreatManagement
service: m365
detection:
selection:
@@ -17,8 +17,8 @@ detection:
status: success
condition: selection
falsepositives:
-
level: medium
- Unknown
level: low
tags:
- attack.initial_access
-
- attack.exfiltration
- attack.t1020