LoFP / t1114

t1114

Title
administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. the search will flag these backup moves as well.
administrators may create custom email routes in google workspace based on organizational policies, administrative preference or for security purposes regarding spam.
administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. filter as needed.
compliance content search exports may be executed for legitimate purposes, filter as needed.
compliance content searches may be executed for legitimate purposes, filter as needed.
email forwarding may be configured for legitimate purposes, filter as needed.
exporting a pst can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of pst content, it must be monitored.
forwarding mail flow rules may be created for legitimate reasons, filter as needed.
go utilities that use staaldraad's ntlm library.
legitimate access by security administrators for incident response measures.
legitimate exchange system administration activity.
pst export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
the false-positive rate will vary based on how you set the deviation_threshold and data_samples values. our recommendation is to adjust these values based on your network traffic to and from your email servers.
there are legitimate scenarios in which an application registration requires mailbox read access. filter as needed.
users and administrators can create inbox rules for legitimate purposes. verify that the rule complies with company policy and was created with the user's consent. exceptions can be added to this rule to filter expected behavior.
users emailing for legitimate business purposes in a way that appears suspicious.
users may create email forwarding rules for legitimate purposes. filter as needed.
while there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. investigate and filter as needed.
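Several of the notes above (inbox rules, mail flow rules, email forwarding) end with "filter as needed". The following is an added example, not code from any of the detection rules this page summarises, of what that filtering looks like in practice: it reads Exchange-style audit records, pulls out every address mail is forwarded or redirected to, treats targets inside the organisation's own domains as benign, and suppresses only those external targets that have been reviewed against policy and recorded as approved (actor, target) pairs. The internal domains, the approved pairs, and the sample audit records are all constructed assumptions; the record shape (Operation, UserId, Parameters) follows the Microsoft 365 unified audit log layout for Exchange cmdlets, but the values are not real telemetry.

```python
import re

# Assumptions, not from the page: the organisation's own mail domains and the
# (actor, forwarding target) pairs already verified against company policy
# with the user's consent. Anything not listed here is still alerted on.
INTERNAL_DOMAINS = {"corp.example"}
APPROVED_FORWARDS = {
    ("assistant@corp.example", "exec-archive@partner.example"),
}

# Exchange cmdlets and parameters through which mail leaves a mailbox.
FORWARD_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                      "New-TransportRule", "Set-TransportRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records (not real audit data) in the shape of
# Microsoft 365 unified audit log entries for Exchange cmdlets.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "finance"},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@attacker.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob.archive@corp.example"}]},
    {"Operation": "New-InboxRule", "UserId": "assistant@corp.example",
     "Parameters": [{"Name": "Name", "Value": "exec copy"},
                    {"Name": "ForwardAsAttachmentTo",
                     "Value": "exec-archive@partner.example"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "Name", "Value": "move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Parameter values arrive as "[SMTP:x@y]", "smtp:x@y" or plain "x@y";
# this pulls the bare addresses out of any of those forms.
_ADDR = re.compile(r"[\w.+-]+@[\w.-]+", re.ASCII)


def forwarding_targets(record):
    """Return the set of lower-cased addresses this record forwards mail to."""
    targets = set()
    if record.get("Operation") not in FORWARD_OPERATIONS:
        return targets
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARD_PARAMS:
            targets.update(a.lower() for a in _ADDR.findall(str(param.get("Value", ""))))
    return targets


def is_external(address):
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def classify(record):
    """Return (verdict, targets): 'none', 'internal', 'approved' or 'alert'."""
    targets = forwarding_targets(record)
    if not targets:
        return "none", targets
    external = {t for t in targets if is_external(t)}
    if not external:
        return "internal", targets
    actor = record.get("UserId", "").lower()
    # Suppress only when every external target is an approved exception
    # for this specific actor; an exception for one user does not cover another.
    if all((actor, t) in APPROVED_FORWARDS for t in external):
        return "approved", external
    return "alert", external


def triage(records):
    """Records that still need an analyst: (actor, sorted external targets)."""
    alerts = []
    for record in records:
        verdict, targets = classify(record)
        if verdict == "alert":
            alerts.append((record["UserId"], sorted(targets)))
    return alerts


if __name__ == "__main__":
    for actor, targets in triage(SAMPLE_RECORDS):
        print(f"ALERT {actor} forwards externally to {', '.join(targets)}")
```

Keying the exception list on the (actor, target) pair rather than on the target alone matters: an attacker who compromises a second account and points it at an already-approved external address would otherwise be filtered out along with the executive assistant's legitimate rule.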
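The note about deviation_threshold and data_samples describes a statistical volume detection whose false-positive rate depends on how those two knobs are set. The following is an added illustration, not the search it summarises: for each (mail server, destination) pair it takes a series of hourly byte counts, uses all but the last value as the baseline, refuses to judge a pair until the baseline holds at least data_samples points, and alerts when the latest value lies more than deviation_threshold standard deviations above the baseline mean. The traffic series are constructed; one of them is a legitimate month-end burst that trips a low threshold but not a higher one, which is the tuning trade-off the note is pointing at.

```python
import statistics

# Constructed hourly outbound byte totals (in KB) per (mail server, destination)
# pair; the last value in each list is the hour being evaluated. Not real traffic.
BASELINE = [120, 130, 125, 140, 135, 128, 132, 138, 129, 131]
SAMPLE_SERIES = {
    # legitimate month-end burst: noticeably above normal, but only ~3 sigma
    ("mail01.corp.example", "10.1.2.3"): BASELINE + [150],
    # bulk pull of mailbox content to a host that normally sees little from us
    ("mail01.corp.example", "10.9.9.9"): BASELINE + [900],
    # newly seen pair: far too little history to say anything yet
    ("mail02.corp.example", "10.1.2.4"): [100, 110, 105, 108, 500],
}


def evaluate(values, deviation_threshold, data_samples):
    """Return (verdict, z): verdict is 'insufficient', 'normal' or 'alert'."""
    baseline, current = values[:-1], values[-1]
    if len(baseline) < data_samples:
        # Too few observations to estimate spread; a threshold on one or two
        # samples would alert on nearly everything, so withhold judgement.
        return "insufficient", None
    mean = statistics.fmean(baseline)
    sd = statistics.stdev(baseline)
    if sd == 0:
        # Perfectly flat history: any increase is infinitely many sigma away.
        z = float("inf") if current > mean else 0.0
    else:
        z = (current - mean) / sd
    return ("alert" if z > deviation_threshold else "normal"), z


def run(series_by_pair, deviation_threshold, data_samples):
    """Verdict for every (server, destination) pair at the given settings."""
    return {pair: evaluate(values, deviation_threshold, data_samples)[0]
            for pair, values in series_by_pair.items()}


def tune(series_by_pair, thresholds, data_samples):
    """Alert count per candidate threshold, to see how the FP rate moves."""
    return {t: sum(1 for v in run(series_by_pair, t, data_samples).values() if v == "alert")
            for t in thresholds}


if __name__ == "__main__":
    for threshold, count in tune(SAMPLE_SERIES, [2.0, 3.0, 4.0], 10).items():
        print(f"deviation_threshold={threshold}: {count} alert(s)")
```

Raising data_samples is the lever against the third series: a pair that has only just appeared has no meaningful baseline, and a threshold applied to it would fire on noise rather than on a change in behaviour.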