Techniques
Sample rules
Suspicious Microsoft 365 Mail Access by ClientAppId
- source: elastic
- techniques:
- T1078
Description
Identifies when a Microsoft 365 mailbox is accessed by a ClientAppId that was observed for the first time during the last 10 days.
Detection logic
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success
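An added example, not part of this page or of Elastic's rule code, showing the KQL filter above as a Python predicate and the "first seen in the last 10 days" check run over constructed audit events. The flattened ECS keys and the field name `o365.audit.ClientAppId` are assumptions about how the events are indexed.

```python
from datetime import datetime, timedelta, timezone

def audit_event(ts, app_id, provider="Exchange", outcome="success"):
    """Build a constructed o365.audit MailItemsAccessed event (flattened ECS keys, assumed layout)."""
    return {"@timestamp": ts, "event.dataset": "o365.audit", "event.provider": provider,
            "event.category": "web", "event.action": "MailItemsAccessed",
            "event.outcome": outcome, "o365.audit.ClientAppId": app_id}

# Constructed sample events; not real audit data.
EVENTS = [
    audit_event("2024-04-10T09:00:00Z", "app-legacy"),                      # long-known client
    audit_event("2024-04-15T09:00:00Z", "app-newmail", outcome="failure"),  # failed access: not a sighting
    audit_event("2024-05-02T11:30:00Z", "app-sp", provider="SharePoint"),   # not Exchange: outside the query
    audit_event("2024-05-02T12:00:00Z", "app-newmail"),                     # first successful use: new term
    audit_event("2024-05-03T08:00:00Z", "app-legacy"),                      # known client: no alert
]
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def matches_query(ev):
    """Python equivalent of the rule's KQL filter: only successful Exchange MailItemsAccessed events."""
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("event.provider") == "Exchange"
            and ev.get("event.category") == "web"
            and ev.get("event.action") == "MailItemsAccessed"
            and ev.get("event.outcome") == "success")

def new_client_app_ids(events, now, window_days=10):
    """Return ClientAppIds whose first matching sighting falls inside the last window_days.

    Events that do not match the query (failures, other workloads) never count as a
    prior sighting, so a client that only failed before counts as new on its first success.
    """
    first_seen = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        app_id = ev.get("o365.audit.ClientAppId")
        if not matches_query(ev) or app_id is None:
            continue
        first_seen.setdefault(app_id, parse_ts(ev["@timestamp"]))
    cutoff = now - timedelta(days=window_days)
    return sorted(app for app, ts in first_seen.items() if ts >= cutoff)
```

With the sample above, `new_client_app_ids(EVENTS, NOW)` returns `["app-newmail"]`; widening the window to 30 days also surfaces `app-legacy`.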