Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

'Multiple users email forwarded to same destination' alert has incomplete info, confusing users #8316

Closed randomstability closed 1 year ago

randomstability commented 1 year ago

Describe the issue

The 'Multiple users email forwarded to same destination' (Office_MailForwarding.yaml) rule does not include the impacted mailbox, and hence the alert appears to insinuate that admin mailboxes are being modified to forward mail to another mailbox. The "altered mailbox(es)" are required information for this alert.

To Reproduce

Steps to reproduce the behavior:

  1. Use the rule from Multiple users email forwarded to same destination
  2. Trigger the rule by having an O365 email admin modify 2 mailboxes to forward to the same email destination.
  3. In the triggered alert, notice you have no way of knowing which 2 mailboxes were modified, and that it is implied that the admin mailboxes are (incorrectly) the ones altered. Nowhere in the alert are the altered mailboxes mentioned, and the user is forced to try and locate the raw events to find the altered mailboxes.

Desired Solution

The rule should present all the relevant data to ensure users are not confused by the information presented. It should include the 'Identity' parameter that is present in the source events and which appears to represent the "altered mailbox". If 'Identity' is not assured to be the proper value, then it is at least correct sometimes (all the time for us?).

Right now, the alert is the equivalent of "a virus was found on a server", which is very unuseful.

Additional context

Perhaps there are better fields/lookups to determine the impacted mailbox, but I'm just a very simple infosec guy, not an Exchange Admin. Hopefully, either MS or the community knows best how to include the required information.

github-actions[bot] commented 1 year ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

v-rbajaj commented 1 year ago

Hi @randomstability, thanks for flagging this. We are looking into this internally and will soon provide an update.

v-vdixit commented 1 year ago

Hi @randomstability, we are working with the concerned team on this and will update you as soon as we hear back from them, thanks!

v-vdixit commented 1 year ago

Hi @randomstability, we are working on this solution packaging with the latest updates in our packaging tool; the changes will be updated shortly, thanks!

v-vdixit commented 1 year ago

Hi @randomstability, we have packaged this solution with the latest updates in our packaging tool and will raise the PR by Tuesday, 18th July 2023, thanks!

v-vdixit commented 1 year ago

Hi @randomstability, we encountered some issues with the updated package while testing; we are working on fixing them and will update by 21st July 2023, thanks!

v-vdixit commented 1 year ago

Hi @randomstability, we are working on resolving the issue in the analytic rule and will update you by Monday, 24th July 2023, thanks!

v-vdixit commented 1 year ago

Hi @randomstability, we are still working on resolving the issue in the analytic rule and will update you by Wednesday, 26th July 2023, thanks!

v-rbajaj commented 1 year ago

Hi @randomstability, checking internally on this issue.

v-rbajaj commented 1 year ago

Hi @randomstability, we will get back to you once there is an update.

v-rbajaj commented 1 year ago

Hi @randomstability, we have checked the rule and the rule seems to be correct. In the query, UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress): UserId shows the sender's information and DestinationMailAddress shows the recipient mailbox address.

It captures the userid of the person sending the mails and the recipient address.

If you have further questions, feel free to reopen this issue.
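As an added example (not the repository's Office_MailForwarding.yaml and not the maintainers' query), this is how the summarize clause quoted above could carry the altered mailbox the reporter asks for, next to the account that made the change. It assumes the rule reads the OfficeActivity table, that each event's Parameters array holds the changed mailbox under the name Identity (as the issue reports) and the forwarding target under one of ForwardingSmtpAddress, ForwardingAddress, ForwardTo or RedirectTo; the Port column from the original summarize is left out because its derivation is not shown on this page.

```kql
// Added example, not the repository's rule. Assumptions: source table is
// OfficeActivity; Parameters is a JSON array of {Name, Value} pairs in which
// "Identity" names the mailbox whose forwarding was changed.
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo", "RedirectTo")
// Flatten the Name/Value array into one property bag per event so individual
// parameters can be addressed by name.
| mv-apply Param = todynamic(Parameters) on (
    summarize ParamBag = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
  )
// Identity = the mailbox that was altered; UserId = the account that altered it.
| extend AlteredMailbox = tostring(ParamBag.Identity)
// coalesce() skips empty strings, so the first forwarding parameter present wins.
| extend DestinationMailAddress = tolower(coalesce(
      tostring(ParamBag.ForwardingSmtpAddress),
      tostring(ParamBag.ForwardingAddress),
      tostring(ParamBag.ForwardTo),
      tostring(ParamBag.RedirectTo)))
// ForwardingSmtpAddress is commonly stored as "smtp:user@domain"; normalise it.
| extend DestinationMailAddress = replace_string(DestinationMailAddress, "smtp:", "")
| where isnotempty(DestinationMailAddress)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            AlteredMailboxes = make_set(AlteredMailbox, 250),
            DistinctAlteredMailboxes = dcount(AlteredMailbox),
            ModifiedBy = make_set(UserId, 250),
            EventCount = count()
  by DestinationMailAddress
// Alert only when more than one distinct mailbox now forwards to the same destination.
| where DistinctAlteredMailboxes > 1
```

Identity reflects whatever identifier the administrator supplied to the cmdlet (alias, UPN, display name or GUID), so the AlteredMailboxes set may need mapping back to a canonical address before it is used for response.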
