Valimail Enforce - Unusual Rate of Configuration Changes or User Additions

This query searches for a single user performing more than 3 configuration changes or user additions within a 1-hour window on any domain. An unusual burst of changes may indicate a compromised admin account, unauthorized automation, or insider threat.

| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | ValimailEnforce |
| ID | 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Impact, DefenseEvasion, PrivilegeEscalation |
| Techniques | T1562, T1531, T1078 |
| Required Connectors | ValimailEnforce |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
ValimailEnforceEvents_CL ? ?
