IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Microsoft 365 Mail Access by ClientAppId
editSuspicious Microsoft 365 Mail Access by ClientAppId
editIdentifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-o365*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-30m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: Microsoft 365
- Use Case: Configuration Audit
- Tactic: Initial Access
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editevent.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/