Update HostExportingMailboxAndRemovingExport.yaml
Adding the EventID filter that was missing
This commit is contained in:
Родитель
e2773f9281
Коммит
0bab07aed0
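--- a/HostExportingMailboxAndRemovingExport.yaml
+++ b/HostExportingMailboxAndRemovingExport.yaml
@@ -21,10 +21,12 @@ query: |
 // Adjust the timeframe to change the window events need to occur within to alert
 let timeframe = 1h;
 SecurityEvent
+| where EventID == 4688
 | where Process in~ ("powershell.exe", "cmd.exe")
 | where CommandLine contains 'New-MailboxExportRequest'
 | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName
 | join kind=inner (SecurityEvent
+| where EventID == 4688
 | where Process in~ ("powershell.exe", "cmd.exe")
 | where CommandLine contains 'Remove-MailboxExportRequest'
 | summarize by Computer, timekey = bin(TimeGenerated, timeframe), CommandLine, SubjectUserName) on Computer, timekey, SubjectUserName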
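Review bot: The join on `timekey = bin(TimeGenerated, timeframe)` does not implement the sliding window the header comment promises; an export request at 10:58 and its removal at 11:02 land in different 1h buckets and never correlate, so the comment above `let timeframe = 1h;` should say `// Note: bin() aligns to fixed buckets, so an export and a removal that straddle a bucket boundary are not paired`. The new `EventID == 4688` filters also make the rule depend on process-creation auditing with command-line logging enabled, which is worth stating in the rule's description so analysts do not mistake an empty result for absence of activity. The `Process in~ ("powershell.exe", "cmd.exe")` filter, which the commit leaves unchanged, excludes `pwsh.exe` (PowerShell 7), so the same cmdlets run from that host are not detected; I would consider adding it to both lists. The query block begins at `query: |` outside the hunk.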