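// Hunt: inbox-rule changes (Operation "UpdateInboxRules") in the last hour
// made from an IP address that the same user first used for a successful
// sign-in within the preceding 7 days. Each hit is enriched with how many
// distinct users share that IP and with every location the user has signed
// in from over the 14-day baseline.
// Tables read: SigninLogs (sign-in baseline) and OfficeActivity (rule changes).
let Lookback_Long = ago(14d);    // baseline window for sign-ins
let Lookback_Short = ago(1h);    // detection window for inbox-rule changes
// Successful sign-ins only (ResultType "0"). The UPN is lower-cased because
// string equality in joins is case-sensitive and OfficeActivity.UserId is
// not guaranteed to use the same casing as SigninLogs.UserPrincipalName.
let AllSignins =
SigninLogs
| where TimeGenerated > Lookback_Long
| where ResultType == "0"
| extend UserPrincipalName = tolower(UserPrincipalName)
;
// Per (IP, user, location): first and last sign-in time plus sign-in count.
let Signins =
AllSignins
| summarize FirstSeen = min(TimeGenerated), LastObserved = max(TimeGenerated), Count = count() by IPAddress, UserPrincipalName, Location
;
// Distinct users seen per IP over the baseline; a high value suggests a
// shared egress (proxy/NAT) and is a weaker signal than a single-user IP.
let IPUsage =
AllSignins
| summarize UniqueUsers = dcount(UserPrincipalName) by IPAddress
;
// All sign-in locations per user, kept as analyst context in the result.
let UserLocations =
AllSignins
| summarize Locations = tostring(make_set(Location)) by UserPrincipalName
;
// Inbox-rule changes. OfficeActivity carries the client address in either
// ClientIP or ClientIP_; the two parses below split off a port from the
// "[ipv6]:port" and "ipv4:port" forms.
let OutlookRuleCreation =
OfficeActivity
| where TimeGenerated > Lookback_Short
| where Operation == "UpdateInboxRules"
| extend ClientIP = iif(isnotempty(ClientIP), ClientIP, ClientIP_)
// "[ipv6]:port" -> IPAddress1
| parse kind=regex ClientIP with "[[]" IPAddress1 "]:" Port1
// "ipv4:port" -> IPAddress2. NOTE(review): a bare IPv6 address without
// brackets would be cut at its first colon here -- confirm whether that
// form occurs in your tenant's OfficeActivity data.
| parse kind=regex ClientIP with IPAddress2 ":" Port2
// Fall back to the raw value when neither parse matched (no port present),
// so an address without a port still joins against SigninLogs instead of
// being silently dropped from the results.
| extend IPAddress = iif(isnotempty(IPAddress1), IPAddress1, iif(isnotempty(IPAddress2), IPAddress2, ClientIP))
// Lower-case to match the normalised UPN in AllSignins (see above).
| extend UserId = tolower(UserId)
| distinct TimeGenerated, IPAddress, UserId
;
// Keep only rule changes whose (user, IP) pair was first seen signing in
// within the 7 days before the change; the 0min lower bound drops pairs
// whose first sign-in is after the rule change.
OutlookRuleCreation
| join kind=inner Signins on $left.UserId == $right.UserPrincipalName, IPAddress
| where (TimeGenerated - FirstSeen) between (0min..7day)
| join kind=inner IPUsage on IPAddress
| join kind=inner UserLocations on $left.UserId == $right.UserPrincipalName
| summarize by bin(TimeGenerated, 1d), UserId, IPAddress, FirstSeen, LastObserved, Location, Locations, Count, UniqueUsers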

For more information about this query, read my blog post: https://www.kustoking.com/hunting-for-suspicious-external-forwards-in-office365/
