From 7574295982eb7e67ee344f2884ea33c6d56db600 Mon Sep 17 00:00:00 2001
From: Murali Krishna Dev Uppugunduri <139563098+v-muuppugund@users.noreply.github.com>
Date: Fri, 9 Feb 2024 05:25:26 +0530
Subject: [PATCH 1/3] Corrected index in query
---
 .../Microsoft 365/Analytic Rules/RareOfficeOperations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
index 54d5f473aa5..a7ce111e702 100644
--- a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
@@ -22,7 +22,7 @@ query: |
 OfficeActivity
 | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
 and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
- | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0][0])
+ | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0])
 | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
 entityMappings:
 - entityType: Account
From 1c917a0d11b0a7644254d763929529588d18cbb2 Mon Sep 17 00:00:00 2001
From: Murali Krishna Dev Uppugunduri <139563098+v-muuppugund@users.noreply.github.com>
Date: Fri, 9 Feb 2024 05:33:33 +0530
Subject: [PATCH 2/3] Version updated
---
 .../Microsoft 365/Analytic Rules/RareOfficeOperations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
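Review bot: The new `[0]` on the added `extend ClientIPOnly` line is consistent with `extract_all` returning a flat, one-dimensional array when `dynamic(["IPAddress"])` names a single capture group, but nothing in the query records why the second index was wrong, so a later editor is likely to reintroduce `[0][0]`; a KQL comment above the extend, `// extract_all with a single named capture group returns a flat array — index once`, would pin that down. The regex on both the removed and added lines reads `(?P(`, with no group name between `(?P` and the opening paren; if the file genuinely reads this way rather than the `<IPAddress>` name having been dropped by the rendering of this page, the capture-group list refers to a group that does not exist and the detection would not compile, so this is worth confirming against the committed file. When `ClientIP` is empty or does not match, `extract_all` yields no element and `tostring` produces an empty `ClientIPOnly`, which is acceptable for the IP entity mapping but means such rows carry no IP entity; the query block continues outside the hunk.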
diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
index a7ce111e702..f79dec8241f 100644
--- a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
@@ -39,5 +39,5 @@ entityMappings:
 fieldMappings:
 - identifier: AppId
 columnName: AppId
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled
From bbd3e29c52245e3f645c70bc2aae927d69cdeb9d Mon Sep 17 00:00:00 2001
From: Murali Krishna Dev Uppugunduri <139563098+v-muuppugund@users.noreply.github.com>
Date: Mon, 18 Mar 2024 16:39:38 +0530
Subject: [PATCH 3/3] Update RareOfficeOperations.yaml
---
 .../Microsoft 365/Analytic Rules/RareOfficeOperations.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
index 7f7e8fd4363..0bb5d37e53c 100644
--- a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
+++ b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
@@ -41,5 +41,5 @@ entityMappings:
 fieldMappings:
 - identifier: AppId
 columnName: AppId
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled