Query Details
//Detects users with global or exchange administrator roles who have accessed email items from mailboxes other than their own
//Data connector required for this query - Office 365
//Data connector required for this query - Microsoft Sentinel UEBA
let timeframe=30d;
let adminusers=
IdentityInfo
| where TimeGenerated > ago(21d)
| where AssignedRoles has_any ("Exchange Administrator", "Global Administrator")
| summarize arg_max(TimeGenerated, *) by AccountUPN
| project UserId=AccountUPN;
OfficeActivity
| where TimeGenerated > ago(timeframe)
| where OfficeWorkload == "Exchange"
| where Operation == "MailItemsAccessed"
| where UserId in (adminusers)
| where UserId != MailboxOwnerUPN
| project AccessTime=TimeGenerated, UserId, MailboxOwnerUPN, Folders

This query detects users with Global or Exchange Administrator roles who have accessed email items from mailboxes other than their own. It uses the Office 365 and Microsoft Sentinel UEBA data connectors. The query first builds a list of users holding the specified roles from IdentityInfo, then searches OfficeActivity for MailItemsAccessed events in the Exchange workload performed by those users, and filters out cases where the user is the owner of the mailbox being accessed. The resulting output includes the access time, user UPN, mailbox owner UPN, and the folders accessed.
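To show exactly which rows the query keeps and drops, the following Python reproduces the same logic over a handful of constructed IdentityInfo and OfficeActivity records. This is an added illustration, not code from the page's author or from Microsoft Sentinel; the records, UPNs and timestamps are made up, and the `require_current` switch is an assumption added here to contrast the query's filter-then-summarize order with the reverse order.

```python
from datetime import datetime, timedelta, timezone

# Roles the query treats as privileged (same literals as the has_any clause).
ADMIN_ROLES = {"Exchange Administrator", "Global Administrator"}

# Constructed reference time and sample data; none of this is real telemetry.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)

IDENTITY_INFO = [
    # alice: newest snapshot still carries Global Administrator
    {"TimeGenerated": NOW - timedelta(days=10), "AccountUPN": "alice@contoso.example", "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=20), "AccountUPN": "alice@contoso.example", "AssignedRoles": ["User"]},
    # bob: Exchange Administrator 15 days ago, role removed since
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "bob@contoso.example", "AssignedRoles": ["User Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=15), "AccountUPN": "bob@contoso.example", "AssignedRoles": ["Exchange Administrator"]},
    # carol: admin role, but the snapshot is older than the 21-day IdentityInfo window
    {"TimeGenerated": NOW - timedelta(days=25), "AccountUPN": "carol@contoso.example", "AssignedRoles": ["Exchange Administrator"]},
    # dave: ordinary user
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "dave@contoso.example", "AssignedRoles": ["User"]},
]

def _mail_event(days_ago, user, owner, workload="Exchange", op="MailItemsAccessed"):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "OfficeWorkload": workload,
            "Operation": op, "UserId": user, "MailboxOwnerUPN": owner, "Folders": "\\Inbox"}

OFFICE_ACTIVITY = [
    _mail_event(3, "alice@contoso.example", "dave@contoso.example"),   # admin reading another mailbox
    _mail_event(3, "alice@contoso.example", "alice@contoso.example"),  # own mailbox: dropped
    _mail_event(5, "bob@contoso.example", "dave@contoso.example"),     # recently demoted admin
    _mail_event(40, "alice@contoso.example", "dave@contoso.example"),  # outside the 30-day timeframe
    _mail_event(3, "alice@contoso.example", "dave@contoso.example", workload="SharePoint", op="FileAccessed"),
    _mail_event(1, "dave@contoso.example", "alice@contoso.example"),   # not an admin
    _mail_event(2, "carol@contoso.example", "dave@contoso.example"),   # role snapshot too old
]

def admin_users(identity_rows, now=NOW, lookback=timedelta(days=21), require_current=False):
    """Mirror of the adminusers subquery.

    With require_current=False (the page's query order) the role filter runs before
    arg_max, so any snapshot inside the lookback that held an admin role qualifies the
    user. With require_current=True the newest snapshot must hold the role.
    """
    recent = [r for r in identity_rows if r["TimeGenerated"] > now - lookback]
    if not require_current:
        recent = [r for r in recent if ADMIN_ROLES & set(r["AssignedRoles"])]
    latest = {}  # AccountUPN -> newest remaining row (arg_max(TimeGenerated, *) by AccountUPN)
    for r in recent:
        upn = r["AccountUPN"]
        if upn not in latest or r["TimeGenerated"] > latest[upn]["TimeGenerated"]:
            latest[upn] = r
    return {upn for upn, r in latest.items() if ADMIN_ROLES & set(r["AssignedRoles"])}

def detect_cross_mailbox_access(office_rows, admins, now=NOW, timeframe=timedelta(days=30)):
    """Mirror of the OfficeActivity half of the query; returns the projected rows."""
    hits = []
    for r in office_rows:
        if r["TimeGenerated"] <= now - timeframe:
            continue
        if r["OfficeWorkload"] != "Exchange" or r["Operation"] != "MailItemsAccessed":
            continue
        if r["UserId"] not in admins:
            continue
        if r["UserId"] == r["MailboxOwnerUPN"]:   # owner reading their own mailbox
            continue
        hits.append({"AccessTime": r["TimeGenerated"], "UserId": r["UserId"],
                     "MailboxOwnerUPN": r["MailboxOwnerUPN"], "Folders": r["Folders"]})
    return hits

if __name__ == "__main__":
    admins = admin_users(IDENTITY_INFO)
    for hit in detect_cross_mailbox_access(OFFICE_ACTIVITY, admins):
        print(hit["AccessTime"].date(), hit["UserId"], "->", hit["MailboxOwnerUPN"], hit["Folders"])
```

Two things the sample data makes visible. Because the query filters on AssignedRoles before the arg_max, a user whose role was removed inside the 21-day window (bob) is still treated as an admin; that is reasonable for a detection, since a demoted admin's recent reads are still of interest, but a snapshot-current check needs the summarize before the where. Also note that the IdentityInfo lookback is a fixed 21d rather than the timeframe variable, and that the KQL `in` and `!=` comparisons are case-sensitive, so a UPN whose casing differs between IdentityInfo and OfficeActivity would silently fall out of the results (`in~` and `!~` are the case-insensitive forms).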

Matt Zorich
Released: June 17, 2022