Anomaly of MailItemAccess by Other Users Mailbox [Nobelium]



This query looks for users accessing multiple other users' mailboxes, or accessing multiple folders in another user's mailbox. This query is inspired by an Azure Sentinel detection.

Reference: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/AnomolousUserAccessingOtherUsersMailbox.yaml

| Attribute | Value |
| --- | --- |
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 6a927d9a-66c3-4491-815d-a31d4bbb2948 |
| Tactics | Collection |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
CloudAppEvents ActionType == "MailItemsAccessed" ?
