[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741)

* Update persistence_exchange_suspicious_mailbox_right_delegation.toml

* fix year
Jonhnathan
2022-01-31 21:02:02 -03:00
committed by GitHub
parent 6e3f4b2824
commit 26d5bad914
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/05/17"
maturity = "production"
updated_date = "2021/10/11"
updated_date = "2022/01/31"
integration = "o365"
[rule]
@@ -28,7 +28,8 @@ type = "query"
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
'''
[[rule.threat]]
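Review bot: The added clause `not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"` suppresses every successful FullAccess, SendAs or SendOnBehalf grant attributed to that identity, and nothing in the visible lines records why those events are benign. A TOML comment above `query = '''` would help, for example `# Delegations logged under the Exchange service host identity are excluded as system-generated noise (#1741)`, if that is the rationale; the rest of the `[rule]` table is outside this hunk, so a `false_positives` or `note` entry may already cover it. The exclusion is also an exact string match, so it is worth confirming against a real audit event that the single backslash is matched literally by KQL and that the casing of `Servicehost` is what the `user.id` field actually carries. If it does not match, the rule keeps alerting on the service identity rather than missing real delegations, but the tuning would have no effect.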