New Location Sign in with Mail forwarding activity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This query helps detect new Microsoft Entra ID sign in from a new location correlating with Office Activity data highlighting cases where user mails are being forwarded and shows if it is being forwarded to external domains as well.

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	a689a21c-9369-47e6-b5fa-e1f65045c1cf
Tactics	Collection, Exfiltration, InitialAccess
Techniques	T1114, T1020, T1078
Required Connectors	Office365, AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
OfficeActivity	✓	✗	?
SigninLogs	✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID

Solutions: Microsoft Entra ID

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries