Query Details

Mail Items Accessed Defense

Query

// MailItemsAccessed Defense
// https://www.linkedin.com/posts/0x534c_microsoft365-exchangeonline-defenderxdr-activity-7183335339061620738-ztfq/

// Simple & effective custom Defender XDR hourly rule to detect threat actors accessing Exchange mailboxes via MailItemsAccessed log entries, then mark the affected user as compromised.

CloudAppEvents
| where Timestamp > ago(1h)
| where IPTags has_any ("Brute force attacker",
"Password spray attacker", "Malicious", "Tor")
| where ActionType == "MailItemsAccessed"

Explanation

This query is designed to detect potential threat actors accessing Exchange mailboxes. Here's a simple breakdown:

  1. Data Source: The query looks at CloudAppEvents, which logs various activities in cloud applications.
  2. Time Frame: It filters events that occurred within the last hour (Timestamp > ago(1h)).
  3. IP Tags: It checks if the IP address associated with the event has any of the following tags: "Brute force attacker", "Password spray attacker", "Malicious", or "Tor".
  4. Action Type: It specifically looks for events where the action type is MailItemsAccessed, indicating that someone accessed mail items.

In summary, this query identifies recent instances where potentially malicious actors accessed mail items in Exchange mailboxes, based on specific IP tags and action types.
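To make the three filters concrete, here is the same rule applied in Python to a handful of constructed CloudAppEvents-style rows, grouping the hits by account so the users to mark as compromised fall out directly. This is an added example, not code from the page or from the author; the row layout, the account names, the IP addresses and the fixed "now" are all constructed, and the case-insensitive tag comparison is an assumption chosen to mirror KQL's has_any term matching.

```python
from datetime import datetime, timedelta, timezone

# Tag list lifted from the has_any clause of the page's KQL query.
HOSTILE_IP_TAGS = {"Brute force attacker", "Password spray attacker", "Malicious", "Tor"}

# Fixed reference time so the sample runs deterministically (constructed).
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows, not real telemetry. Only the columns the query
# touches are present, plus AccountUpn/IPAddress for the per-user summary.
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(minutes=10), "ActionType": "MailItemsAccessed",
     "IPTags": ["Tor"], "AccountUpn": "alice@contoso.example", "IPAddress": "198.51.100.7"},
    {"Timestamp": NOW - timedelta(minutes=30), "ActionType": "MailItemsAccessed",
     "IPTags": ["Password spray attacker", "Malicious"], "AccountUpn": "bob@contoso.example",
     "IPAddress": "203.0.113.9"},
    # Clean source IP: no hostile tag, so the rule ignores it.
    {"Timestamp": NOW - timedelta(minutes=5), "ActionType": "MailItemsAccessed",
     "IPTags": [], "AccountUpn": "carol@contoso.example", "IPAddress": "192.0.2.4"},
    # Tagged IP but three hours old: outside the hourly window.
    {"Timestamp": NOW - timedelta(hours=3), "ActionType": "MailItemsAccessed",
     "IPTags": ["Tor"], "AccountUpn": "dave@contoso.example", "IPAddress": "198.51.100.8"},
    # Tagged IP, inside the window, but a different ActionType.
    {"Timestamp": NOW - timedelta(minutes=2), "ActionType": "Send",
     "IPTags": ["Malicious"], "AccountUpn": "alice@contoso.example", "IPAddress": "203.0.113.9"},
    # IPTags missing entirely (null in the table): treated as no match, like has_any on null.
    {"Timestamp": NOW - timedelta(minutes=20), "ActionType": "MailItemsAccessed",
     "IPTags": None, "AccountUpn": "erin@contoso.example", "IPAddress": "192.0.2.5"},
    {"Timestamp": NOW - timedelta(minutes=50), "ActionType": "MailItemsAccessed",
     "IPTags": ["tor"], "AccountUpn": "alice@contoso.example", "IPAddress": "198.51.100.7"},
]

_HOSTILE_FOLDED = {t.casefold() for t in HOSTILE_IP_TAGS}


def matches_rule(event, now=NOW, window=timedelta(hours=1)):
    """Apply the query's three where-clauses to a single CloudAppEvents row."""
    # | where Timestamp > ago(1h)   (strictly greater: the boundary itself is excluded)
    if event["Timestamp"] <= now - window:
        return False
    # | where IPTags has_any (...)  IPTags is a dynamic array; a null array matches nothing.
    tags = event.get("IPTags") or []
    if not any(t.casefold() in _HOSTILE_FOLDED for t in tags):
        return False
    # | where ActionType == "MailItemsAccessed"
    return event["ActionType"] == "MailItemsAccessed"


def run_rule(events, now=NOW):
    """Return the rows the hourly rule would surface as alerts."""
    return [e for e in events if matches_rule(e, now)]


def compromised_users(events, now=NOW):
    """Group the hits by account: the users the rule marks as compromised,
    each with the set of tagged source IPs that touched their mailbox."""
    summary = {}
    for e in run_rule(events, now):
        summary.setdefault(e["AccountUpn"], set()).add(e["IPAddress"])
    return summary


if __name__ == "__main__":
    for upn, ips in sorted(compromised_users(SAMPLE_EVENTS).items()):
        print(f"{upn}: mailbox read from tagged IP(s) {sorted(ips)}")
```

Two rows that look alarming on their own (a tagged IP sending mail, and a tagged IP reading mail three hours ago) are deliberately dropped, which is the trade-off of a narrow hourly rule: it stays quiet on everything except fresh MailItemsAccessed events from tagged sources, so the query should be scheduled on an hourly cadence to avoid gaps in coverage.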

Details


Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents

Operators

ago, has_any, where, ==
