Closed randomstability closed 1 year ago
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @randomstability, thanks for flagging this. We are looking into this internally and will soon provide an update.
Hi @randomstability we are working with the concerned team on this, will update you as soon as we hear back from them, thanks!
Hi @randomstability we are working on this solution packaging with latest updates in our packaging tool, the changes will be updated shortly, thanks!
Hi @randomstability we have packaged this solution with latest updates in our packaging tool, will raise the PR by Tuesday, 18th July 2023, thanks!
Hi @randomstability we encountered some issue with the updated package while testing we are working on fixing them, will update by 21st July 2023, thanks!
Hi @randomstability we are working on resolving the issue in analytic rule will update you by Monday, 24th July 2023, thanks!
Hi @randomstability we are still working on resolving the issue in analytic rule will update you by Wednesday, 26th July 2023, thanks!
Hi @randomstability, checking internally on this issue.
Hi @randomstability, we will get back to you once there is an update.
Hi @randomstability, we have checked the rule and the rule seems to be correct.
In the query, UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), UserId shows the sender's information and DestinationMailAddress shows the recipient mailbox address. It captures the userid of the person sending the mails and the recipient address.
If you have further questions, feel free to re open this issue.
Describe the issue The 'Multiple users email forwarded to same destination' (Office_MailForwarding.yaml) rule does not include the impacted mailbox, and hence the alert appears to insinuate that admin mailboxes are being modified to forward mail to another mailbox. The "altered mailbox(es)" are required information for this alert.
To Reproduce Steps to reproduce the behavior:
Desired Solution The rule should present all the relevant data to ensure users are not confused by the information presented. It should include the 'Identity' parameter that is present in the source events and which appears to represent the "altered mailbox". If 'Identity' is not assured to be the proper value, then it is at least correct sometimes (all the time for us?).
Right now, the alert is the equivalent of "a virus was found on a server", which is very unuseful.
Additional context Perhaps there are better fields/lookups to determine the impacted mailbox, but I'm just a very simple infosec guy, not an Exchange Admin. Hopefully, either MS or the community knows best how to include the required information.
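As an added example that is not part of this thread or of the Office_MailForwarding.yaml rule itself: the KQL below keeps the UserId / EventCount aggregation quoted by the maintainers and adds the Identity values as a set, so the resulting alert names both the account that made the forwarding change and the mailboxes that were altered, which is the gap the issue describes. The datatable rows are constructed sample events standing in for the rule's real source query (not quoted in the thread); the output column name AlteredMailboxes, the StartTime/EndTime fields and the "more than one altered mailbox" threshold are assumptions for illustration, and the Ports aggregation from the quoted query is omitted.

```kusto
// Added example, not the Office_MailForwarding.yaml rule.
// Constructed sample rows (assumption): they stand in for the parsed forwarding-change
// events the real rule derives from its source table. Column names UserId, Identity and
// DestinationMailAddress are taken from the thread; the values are invented.
let ForwardingEvents = datatable(TimeGenerated: datetime, UserId: string, Identity: string, DestinationMailAddress: string)
[
    // one admin account re-pointing several user mailboxes to one external address
    datetime(2023-07-20 09:00:00), "admin1@contoso.com", "alice@contoso.com", "attacker@example.net",
    datetime(2023-07-20 09:05:00), "admin1@contoso.com", "bob@contoso.com",   "attacker@example.net",
    datetime(2023-07-20 09:10:00), "admin2@contoso.com", "carol@contoso.com", "attacker@example.net",
    // a user forwarding only their own mailbox: a single altered mailbox, filtered out below
    datetime(2023-07-20 10:00:00), "dave@contoso.com",   "dave@contoso.com",  "dave.home@example.org"
];
ForwardingEvents
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    UserId = make_set(UserId, 250),              // who performed the change (actor), as in the rule
    AlteredMailboxes = make_set(Identity, 250),  // whose mailbox was changed (added; name is an assumption)
    EventCount = count()
    by DestinationMailAddress = tostring(DestinationMailAddress)
| extend AlteredMailboxCount = array_length(AlteredMailboxes)
// Assumed threshold for illustration: alert only when more than one distinct mailbox
// was forwarded to the same destination. Expected result on the sample rows: one row for
// attacker@example.net with UserId = ["admin1@contoso.com","admin2@contoso.com"] and
// AlteredMailboxes = ["alice@contoso.com","bob@contoso.com","carol@contoso.com"].
| where AlteredMailboxCount > 1
| project StartTime, EndTime, DestinationMailAddress, UserId, AlteredMailboxes, AlteredMailboxCount, EventCount
```

Because make_set is capped at 250 entries, a very large campaign would truncate AlteredMailboxes; AlteredMailboxCount therefore reflects the capped set, so for a complete count use dcount(Identity) in the summarize as well if that matters for your triage.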