Update o365_email_transport_rule_changed.yml
Probably a single-tick closeness-to-start problem in SPL
nterl0k authored Jan 15, 2025
1 parent 46bc87e commit 61dcaf1
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions detections/cloud/o365_email_transport_rule_changed.yml
Expand Up @@ -8,9 +8,7 @@ type: Anomaly
description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
data_source:
- O365
search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId)
| eval object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule" | eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
| stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
| rename UserId as user, Operation as signature
| `security_content_ctime(firstTime)`
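Review bot: folding the two `| eval` lines onto the first `search:` line does not remove the thing that most likely breaks parsing here: the value opens with a YAML single quote (`search: '`) and then contains bare single quotes in `case('Parameters{}.Name'=="Name", ...)` and `case('Parameters{}.Name'=="Identity", ...)`. In a YAML single-quoted scalar the only escape is a doubled quote, and a lone `'` terminates the value, so a strict loader would still stop at the first `'Parameters{}.Name'` no matter where on the line it sits, and the trailing SPL after it becomes a syntax error. If the file really contains single `'` as shown, the robust fix is to double them (`''Parameters{}.Name''` and `''Parameters{}.Value''`) or to switch the field to a block scalar (`search: >-`) so no escaping is needed and the long one-liner can stay readable across several lines. Minor: the context line `description:` ends in "hiding or exfiltrated data", which should read "hiding or exfiltrating data".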
Expand Down Expand Up @@ -75,4 +73,4 @@ tests:
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
source: o365
sourcetype: o365:management:activity
sourcetype: o365:management:activity
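Review bot: the removed and added `sourcetype: o365:management:activity` lines at the end of the file are textually identical, so this hunk is a whitespace-only change, most likely the trailing newline at end of file being added or dropped (it accounts for the remaining one addition and one deletion after the three `search` lines above). Harmless, but keep the EOF newline consistent with the rest of the repo so this line does not reappear in the next diff.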
