Forum Discussion
Nicholas_House
Dec 06, 2021Copper Contributor
Microsoft 365 Defender BEC Hunting
Hi, I'm looking for information specifically about 365 Defender query examples regarding BEC compromises. We normally see during cases of BECs that the actors will create new inbox rules to del...
Nicholas_House
Dec 06, 2021Copper Contributor
OK, even better question: where do you find detailed string values? I feel like that is obvious but I'm missing it.
Example query
// Time window variables must be declared before use
let startTime = ago(30d);
let endTime = now();
CloudAppEvents
| where Timestamp between (startTime .. endTime)
| where ActionType == "New-InboxRule"
// "== "File" or "Folder"" is not valid KQL; test membership in a set instead
| where ObjectType in ("File", "Folder")
| where RawEventData contains "delete"
If I wanted to change the value for the string "ActionType", what are the possible values? What are the possible values for "ObjectType", etc.?
I've checked over MS query documentation, the schema reference and other MS forums without success. There are references to what the values might be but not a detailed list.
Examples:
(MS query doc and Schema reference)
ActionType | string | Type of activity that triggered the event
Any help would be much appreciated.
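Added example, not from the original poster or from Microsoft's documentation: two advanced hunting queries against the CloudAppEvents table. The first enumerates the ActionType values that actually occur in the tenant's own Exchange Online data, which answers the "where do the string values come from" question without a published list; the second flattens the New-InboxRule / Set-InboxRule parameters out of RawEventData so the hunt keys on the rule's actual settings (DeleteMessage, MoveToFolder, forwarding) rather than a substring match. It assumes RawEventData carries the Exchange audit record's Parameters array of Name/Value pairs; the staging folder names are illustrative. Run each query separately.

```kql
// Query 1: discover the ActionType values present in your own data.
// Every distinct string returned here is a value you can pin in a later filter.
CloudAppEvents
| where Timestamp > ago(30d)
| where Application == "Microsoft Exchange Online"
| summarize EventCount = count() by ActionType
| order by EventCount desc

// Query 2: inbox rules that hide or divert mail, a common BEC follow-on step.
// Assumption: RawEventData.Parameters is an array of {Name, Value} objects.
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("New-InboxRule", "Set-InboxRule")
| extend Params = RawEventData.Parameters
// Collapse the Name/Value array into one property bag per event
| mv-apply Param = Params on (
    summarize RuleParams = make_bag(pack(tostring(Param.Name), tostring(Param.Value)))
  )
| extend DeletesMail = tobool(RuleParams.DeleteMessage),
         MovesTo     = tostring(RuleParams.MoveToFolder),
         ForwardsTo  = coalesce(tostring(RuleParams.ForwardTo),
                                tostring(RuleParams.ForwardAsAttachmentTo),
                                tostring(RuleParams.RedirectTo))
// Flag rules that delete, forward externally, or move mail to folders users rarely read
| where DeletesMail == true
    or isnotempty(ForwardsTo)
    or MovesTo in~ ("RSS Feeds", "RSS Subscriptions", "Archive", "Conversation History", "Junk Email")
| project Timestamp, AccountDisplayName, AccountObjectId, IPAddress, CountryCode,
          ActionType, RuleName = tostring(RuleParams.Name), DeletesMail, MovesTo, ForwardsTo
| order by Timestamp desc
```

Pair the hits with a sign-in from an unfamiliar IP or country for the same AccountObjectId to separate attacker-created rules from legitimate mailbox housekeeping.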