Query Details

Office Activity - Office Policy Tampering

Query

OfficeActivity
// Policy removals or disables: a term match on Remove/Disable, then a case-insensitive
// keyword match for anti-phish, Safe Attachments, Safe Links, DLP and audit settings
| where Operation has_any ("Remove", "Disable") and Operation matches regex @"(?i)AntiPhish|SafeAttachment|SafeLinks|Dlp|Audit(?-i)"
// Split ClientIP into address and optional port; covers plain IPv4, bracketed IPv6
// with a port, and ::ffff:-mapped addresses. [0] keeps the first match only.
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| project
    TimeGenerated,
    OfficeWorkload,
    RecordType,
    UserType,
    UserId,
    IPAddress = tostring(ClientIPValues[0]),
    Operation,
    ResultStatus,
    Parameters

Explanation

This query looks at OfficeActivity data for operations whose name contains the term "Remove" or "Disable" and, case-insensitively, one of the keywords AntiPhish, SafeAttachment, SafeLinks, Dlp or Audit, i.e. changes that remove or disable a security feature (anti-phishing, Safe Attachments, Safe Links, DLP, audit). It then splits the ClientIP field into an IP address and an optional port, accepting plain IPv4, bracketed IPv6 and ::ffff:-mapped addresses, and keeps the first match. The final output shows the time the activity was generated, the Office workload, record type, user type, user ID, IP address, operation, result status and parameters.
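To check how the filter and the ClientIP extraction behave on concrete rows, the following Python replicates the query's where/extend/project steps over a handful of constructed OfficeActivity records (added example, not part of the original query page; the rows, user names and addresses are made up, and has_any_term is an approximation of KQL's has_any term matching):

```python
import re

# Constructed OfficeActivity rows (not real log data); only the columns the
# filter and the extraction touch are populated.
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-01-03T10:00:00Z", "UserId": "admin@contoso.example",
     "Operation": "Remove-AntiPhishPolicy", "ClientIP": "10.0.0.5:443"},
    {"TimeGenerated": "2023-01-03T10:05:00Z", "UserId": "admin@contoso.example",
     "Operation": "Disable-SafeLinksRule", "ClientIP": "[2001:db8::1]:8080"},
    {"TimeGenerated": "2023-01-03T10:07:00Z", "UserId": "ops@contoso.example",
     "Operation": "Remove-DlpCompliancePolicy", "ClientIP": "::ffff:192.0.2.10"},
    # Benign rows the filter must ignore: no Remove/Disable term, or no policy keyword.
    {"TimeGenerated": "2023-01-03T10:09:00Z", "UserId": "ops@contoso.example",
     "Operation": "Set-AntiPhishPolicy", "ClientIP": "203.0.113.7"},
    {"TimeGenerated": "2023-01-03T10:11:00Z", "UserId": "ops@contoso.example",
     "Operation": "Remove-MailboxPermission", "ClientIP": "203.0.113.8"},
]

# The same pattern the query hands to extract_all; Python's re accepts the (?P<name>) groups.
CLIENT_IP_RE = re.compile(
    r'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P<Port>\d+))?')
POLICY_RE = re.compile(r"(?i)AntiPhish|SafeAttachment|SafeLinks|Dlp|Audit")

def has_any_term(value, terms):
    """Approximate KQL has_any: case-insensitive match on whole terms,
    where the terms of a value are its runs of alphanumeric characters."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", value) if t}
    return any(t.lower() in tokens for t in terms)

def parse_client_ip(client_ip):
    """Return (IPAddress, Port) as the query's ClientIPValues[0] would hold them."""
    m = CLIENT_IP_RE.search(client_ip)
    if m is None:
        return ("", "")
    return (m.group("IPAddress"), m.group("Port") or "")

def policy_tampering(rows):
    """Apply the query's where, extend and project steps to an iterable of rows."""
    hits = []
    for row in rows:
        if not has_any_term(row["Operation"], ["Remove", "Disable"]):
            continue
        if not POLICY_RE.search(row["Operation"]):
            continue
        ip, port = parse_client_ip(row["ClientIP"])
        hits.append({"TimeGenerated": row["TimeGenerated"], "UserId": row["UserId"],
                     "IPAddress": ip, "Port": port, "Operation": row["Operation"]})
    return hits
```

Running policy_tampering(SAMPLE_ROWS) returns the three tampering rows and drops the Set-* and mailbox-permission rows, which is the split the KQL where clause produces.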

Details

Jose Sebastián Canós

Released: January 3, 2023

Tables

OfficeActivity

Keywords

OfficeActivity,Operation,AntiPhish,SafeAttachment,SafeLinks,Dlp,Audit,ClientIPValues,IPAddress,Port,TimeGenerated,OfficeWorkload,RecordType,UserType,UserId,ResultStatus,Parameters

Operators

where, has_any, matches regex, extend, extract_all, dynamic, project, tostring