Exchange admin activity M365-ExchangeAdmin

25 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-ExchangeAdmin rules matching the RecordType but no specific Operation.
Add-FederatedDomain	A federated domain was added to the Exchange Online organization, enabling single-sign-on with an external identity provider.
Add-RecipientPermission	A SendAs permission was granted on a recipient object, enabling impersonation of that recipient.
Disable-AntiPhishRule	An anti-phishing rule was disabled in Exchange Online Protection, reducing anti-phishing enforcement.
Disable-MalwareFilterRule	A malware filter rule was disabled, reducing malware scanning enforcement.
Disable-SafeAttachmentRule	A Safe Attachments policy rule was disabled in Microsoft Defender for Office 365, reducing detonation-sandbox coverage.
Disable-SafeLinksRule	A Safe Links policy rule was disabled in Microsoft Defender for Office 365, reducing URL-rewriting coverage.
Disable-TransportRule	A mail-flow transport rule was disabled, potentially allowing previously blocked or redirected mail to flow unimpeded.
New-AcceptedDomain	A new accepted domain was added to the Exchange Online organization.
New-ManagementRoleAssignment	A new RBAC management role assignment was created, granting administrative permissions in Exchange Online.
New-TransportRule	A new mail-flow transport rule was created; adversaries use transport rules to silently copy, redirect, or delete messages.
Remove-AcceptedDomain	An accepted domain was removed from the Exchange Online organization.
Remove-AntiPhishPolicy	An anti-phishing policy was deleted.
Remove-AntiPhishRule	An anti-phishing rule was deleted from Exchange Online Protection.
Remove-DlpPolicy	A Data Loss Prevention policy was deleted from Exchange Online.
Remove-FederatedDomain	A federated domain was removed from the Exchange Online organization.
Remove-MalwareFilterPolicy	A malware filter policy was deleted.
Remove-MalwareFilterRule	A malware filter rule was deleted.
Remove-TransportRule	A mail-flow transport rule was deleted.
Set-AcceptedDomain	An accepted domain's configuration was modified.
Set-AdminAuditLogConfig	The administrator audit log configuration was changed; adversaries disable audit logging to evade detection.
Set-DkimSigningConfig	The DKIM signing configuration for a domain was modified; disabling DKIM weakens email authentication.
Set-Mailbox	A mailbox configuration was modified; commonly abused to enable forwarding, audit bypass, or delegate access.
Set-MailboxAuditBypassAssociation	Mailbox audit logging was bypassed for a service account, suppressing audit events for that account's actions.
Set-TransportRule	An existing mail-flow transport rule was modified.

_catch_all: Exchange admin activity (catch-all)

RecordType: M365-ExchangeAdmin

Description

Catch-all for M365-ExchangeAdmin rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`UserType`	in	`Admin`	1 rule	kusto
`UserType`	in	`DcAdmin`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Office Policy Tampering source medium: Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add-FederatedDomain

RecordType: M365-ExchangeAdmin

Description

A federated domain was added to the Exchange Online organization, enabling single-sign-on with an external identity provider.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Federated Domain Created or Modified source low: Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.↳ also matches New-AcceptedDomain, Remove-AcceptedDomain, Remove-FederatedDomain, Set-AcceptedDomain

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add-RecipientPermission

RecordType: M365-ExchangeAdmin

Description

A SendAs permission was granted on a recipient object, enabling impersonation of that recipient.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Mailbox High-Risk Permission Delegated source low: Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.↳ also matches Set-Mailbox

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Disable-AntiPhishRule

RecordType: M365-ExchangeAdmin

Description

An anti-phishing rule was disabled in Exchange Online Protection, reducing anti-phishing enforcement.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`Exchange`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Anti-Phish Rule Modification source medium: Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.↳ also matches Remove-AntiPhishRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Disable-MalwareFilterRule

RecordType: M365-ExchangeAdmin

Description

A malware filter rule was disabled, reducing malware scanning enforcement.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Malware Filter Rule Modified source medium: Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.↳ also matches Remove-MalwareFilterRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Disable-SafeAttachmentRule

RecordType: M365-ExchangeAdmin

Description

A Safe Attachments policy rule was disabled in Microsoft Defender for Office 365, reducing detonation-sandbox coverage.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Email Safe Attachment Rule Disabled source low: Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Disable-SafeLinksRule

RecordType: M365-ExchangeAdmin

Description

A Safe Links policy rule was disabled in Microsoft Defender for Office 365, reducing URL-rewriting coverage.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Email Safe Link Policy Disabled source medium: Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Disable-TransportRule

RecordType: M365-ExchangeAdmin

Description

A mail-flow transport rule was disabled, potentially allowing previously blocked or redirected mail to flow unimpeded.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Mail Flow Transport Rule Modified source medium: Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.↳ also matches Remove-TransportRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

New-AcceptedDomain

RecordType: M365-ExchangeAdmin

Description

A new accepted domain was added to the Exchange Online organization.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Federated Domain Created or Modified source low: Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.↳ also matches Add-FederatedDomain, Remove-AcceptedDomain, Remove-FederatedDomain, Set-AcceptedDomain

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

New-ManagementRoleAssignment

RecordType: M365-ExchangeAdmin

Description

A new RBAC management role assignment was created, granting administrative permissions in Exchange Online.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	in	`Add-MailboxFolderPermission`	1 rule	kusto, splunk
`Operation`	in	`Add-MailboxPermission`	1 rule	kusto
`Operation`	in	`New-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`New-ManagementRoleAssignment`	1 rule	kusto
`Operation`	in	`Set-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`Set-Mailbox`	1 rule	kusto
`Operation`	in	`Set-TransportRule`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Management Group Role Assigned source medium: Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.

Kusto #

Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches Set-Mailbox, Set-TransportRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

New-TransportRule

RecordType: M365-ExchangeAdmin

Description

A new mail-flow transport rule was created; adversaries use transport rules to silently copy, redirect, or delete messages.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	in	`New-TransportRule`	2 rules	kusto
`Operation`	in	`Set-TransportRule`	2 rules	kusto
`Provider_Name`	eq	`Exchange`	2 rules	elastic
`Value`	is_not_null		2 rules	kusto
`m365::Workload`	eq	`Exchange`	2 rules	kusto
`EventType`	in	`New-InboxRule`	1 rule	elastic
`EventType`	in	`Set-InboxRule`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Mail Flow Transport Rule Created source medium: Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.
M365 Exchange Inbox Forwarding Rule Created source medium: Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.↳ also matches Set-Mailbox, Set-TransportRule

Kusto #

Mail redirect via ExO transport rule source medium: Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.↳ also matches Set-TransportRule
Threat Essentials - Mail redirect via ExO transport rule source medium: Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.↳ also matches Set-TransportRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-AcceptedDomain

RecordType: M365-ExchangeAdmin

Description

An accepted domain was removed from the Exchange Online organization.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Federated Domain Created or Modified source low: Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.↳ also matches Add-FederatedDomain, New-AcceptedDomain, Remove-FederatedDomain, Set-AcceptedDomain

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-AntiPhishPolicy

RecordType: M365-ExchangeAdmin

Description

An anti-phishing policy was deleted.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`Exchange`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Anti-Phish Policy Deleted source medium: Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-AntiPhishRule

RecordType: M365-ExchangeAdmin

Description

An anti-phishing rule was deleted from Exchange Online Protection.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Anti-Phish Rule Modification source medium: Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.↳ also matches Disable-AntiPhishRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-DlpPolicy

RecordType: M365-ExchangeAdmin

Description

A Data Loss Prevention policy was deleted from Exchange Online.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

Deprecated - M365 Exchange DLP Policy Deleted source medium: Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-FederatedDomain

RecordType: M365-ExchangeAdmin

Description

A federated domain was removed from the Exchange Online organization.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Federated Domain Created or Modified source low: Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.↳ also matches Add-FederatedDomain, New-AcceptedDomain, Remove-AcceptedDomain, Set-AcceptedDomain

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-MalwareFilterPolicy

RecordType: M365-ExchangeAdmin

Description

A malware filter policy was deleted.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Malware Filter Policy Deleted source medium: Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-MalwareFilterRule

RecordType: M365-ExchangeAdmin

Description

A malware filter rule was deleted.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Malware Filter Rule Modified source medium: Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.↳ also matches Disable-MalwareFilterRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove-TransportRule

RecordType: M365-ExchangeAdmin

Description

A mail-flow transport rule was deleted.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Mail Flow Transport Rule Modified source medium: Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.↳ also matches Disable-TransportRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-AcceptedDomain

RecordType: M365-ExchangeAdmin

Description

An accepted domain's configuration was modified.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Federated Domain Created or Modified source low: Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.↳ also matches Add-FederatedDomain, New-AcceptedDomain, Remove-AcceptedDomain, Remove-FederatedDomain

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-AdminAuditLogConfig

RecordType: M365-ExchangeAdmin

Description

The administrator audit log configuration was changed; adversaries disable audit logging to evade detection.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`UserType`	in	`Admin`	1 rule	kusto
`UserType`	in	`DcAdmin`	1 rule	kusto
`m365::Workload`	eq	`Exchange`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Exchange AuditLog Disabled source medium: Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.

YARA-L #

Office 365 logging is disabled source: Detect when the Unified Audit Log is disabled
Office 365 logging has been enabled source: Detect when the Unified Audit Log is enabled

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-DkimSigningConfig

RecordType: M365-ExchangeAdmin

Description

The DKIM signing configuration for a domain was modified; disabling DKIM weakens email authentication.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange DKIM Signing Configuration Disabled source medium: Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-Mailbox

RecordType: M365-ExchangeAdmin

Description

A mailbox configuration was modified; commonly abused to enable forwarding, audit bypass, or delegate access.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`Exchange`	2 rules	elastic
`EventType`	in	`New-InboxRule`	1 rule	elastic
`EventType`	in	`Set-InboxRule`	1 rule	elastic
`Operation`	in	`Add-MailboxFolderPermission`	1 rule	kusto, splunk
`Operation`	in	`Add-MailboxPermission`	1 rule	kusto
`Operation`	in	`New-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`New-ManagementRoleAssignment`	1 rule	kusto
`Operation`	in	`Set-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`Set-Mailbox`	1 rule	kusto
`Operation`	in	`Set-TransportRule`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Inbox Forwarding Rule Created source medium: Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.↳ also matches New-TransportRule, Set-TransportRule
M365 Exchange Mailbox High-Risk Permission Delegated source low: Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.↳ also matches Add-RecipientPermission

Kusto #

Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches New-ManagementRoleAssignment, Set-TransportRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-MailboxAuditBypassAssociation

RecordType: M365-ExchangeAdmin

Description

Mailbox audit logging was bypassed for a service account, suppressing audit events for that account's actions.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Mailbox Audit Logging Bypass Added source medium: Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-TransportRule

RecordType: M365-ExchangeAdmin

Description

An existing mail-flow transport rule was modified.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ModifiedObjectResolvedName`	User-friendly name of the object modified by the cmdlet (logged when the cmdlet modifies an object).
`Parameters`	Name/value pairs of the parameters passed to the cmdlet.
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`ExternalAccess`	False when run by someone in your organization; True when run by datacenter personnel, a service account, or a delegated admin.
`OriginatingServer`	Name of the server from which the cmdlet was executed.
`OrganizationName`	The name of the tenant.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	in	`Set-TransportRule`	3 rules	kusto
`Operation`	in	`New-TransportRule`	2 rules	kusto
`Operation`	in	`Add-MailboxFolderPermission`	1 rule	kusto, splunk
`Operation`	in	`Add-MailboxPermission`	1 rule	kusto
`Operation`	in	`New-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`New-ManagementRoleAssignment`	1 rule	kusto
`Operation`	in	`Set-InboxRule`	1 rule	kusto, splunk
`Operation`	in	`Set-Mailbox`	1 rule	kusto
`Value`	is_not_null		2 rules	kusto
`m365::Workload`	eq	`Exchange`	2 rules	kusto
`EventType`	in	`New-InboxRule`	1 rule	elastic
`EventType`	in	`Set-InboxRule`	1 rule	elastic
`Provider_Name`	eq	`Exchange`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Inbox Forwarding Rule Created source medium: Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.↳ also matches New-TransportRule, Set-Mailbox

Kusto #

Mail redirect via ExO transport rule source medium: Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.↳ also matches New-TransportRule
Rare and potentially high-risk Office operations source low: Identifies Office operations that are typically rare and can provide capabilities useful to attackers.↳ also matches New-ManagementRoleAssignment, Set-Mailbox
Threat Essentials - Mail redirect via ExO transport rule source medium: Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.↳ also matches New-TransportRule

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)