Microsoft 365 Defender BEC Hunting

Hi, 

I'm looking for information specifically about 365 Defender query examples regarding BEC compromises. We normally see during cases of BECs that the actors will create new inbox rules to delete emails, delete sent emails, and set up forwarding.

I can easily create a rule to look for new "inbox-rule" creations; however, we want to decrease noise. I can't seem to find any examples of these queries.

Example: A query that looks for a new rule that deletes all incoming mail. 

I'm still in the process of learning the KQL language but just wanted to see if anyone had any additional information on what specific functions I need for the above example. 

Best, 
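One way to get from "any new inbox rule" down to "a rule that deletes or diverts every inbound message" is to unpack the cmdlet parameters the audit record carries instead of string-matching on the whole RawEventData blob. The query below is an added example for this thread, not code from the original post or from Microsoft. It assumes the Microsoft 365 Defender CloudAppEvents schema in which Exchange Online cmdlet audits (New-InboxRule, Set-InboxRule) expose their parameters as a RawEventData.Parameters array of {Name, Value} objects; the parameter names used are those of the Exchange Online New-InboxRule cmdlet (DeleteMessage, MoveToFolder, ForwardTo, SubjectContainsWords, and so on).

```kql
// Added hunting example (not from the original post). Assumes Exchange Online
// cmdlet audits in CloudAppEvents carry the cmdlet parameters in
// RawEventData.Parameters as an array of {Name, Value} objects.
let lookback = 7d;
// Rule actions that hide or divert mail (New-InboxRule / Set-InboxRule parameters).
let hidingActions = dynamic(["DeleteMessage", "SoftDeleteMessage", "MoveToFolder",
                             "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "MarkAsRead"]);
// Parameters that narrow which messages a rule matches. A rule that sets none
// of them applies to every inbound message.
let scopingParams = dynamic(["From", "FromAddressContainsWords", "SubjectContainsWords",
                             "SubjectOrBodyContainsWords", "BodyContainsWords", "SentTo",
                             "RecipientAddressContainsWords", "HeaderContainsWords",
                             "HasAttachment", "MyNameInToBox", "MyNameInCcBox",
                             "MyNameInToOrCcBox", "WithImportance", "WithSensitivity",
                             "MessageTypeMatches", "ReceivedAfterDate", "ReceivedBeforeDate"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// One row per cmdlet parameter
| mv-expand Param = RawEventData.Parameters
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
// Fold the parameters back into one row per audited rule change (ReportId is unique per event)
| summarize
    RuleName   = take_anyif(ParamValue, ParamName == "Name"),
    Actions    = make_set_if(ParamName, ParamName in (hidingActions)),
    Conditions = make_set_if(ParamName, ParamName in (scopingParams)),
    Parameters = make_bag(bag_pack(ParamName, ParamValue))
    by Timestamp, ReportId, ActionType, AccountDisplayName, AccountObjectId,
       IPAddress, CountryCode, UserAgent
// Keep only rules that actually hide or divert mail
| where array_length(Actions) > 0
| extend
    // No scoping condition plus a delete action: the rule deletes all incoming mail
    DeletesAllIncoming = array_length(Conditions) == 0
        and array_length(set_intersect(Actions, dynamic(["DeleteMessage", "SoftDeleteMessage"]))) > 0,
    // Any forward/redirect action is worth a look regardless of scoping
    Forwards = array_length(set_intersect(Actions,
        dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]))) > 0
| where DeletesAllIncoming or Forwards
| project Timestamp, ActionType, AccountDisplayName, RuleName, DeletesAllIncoming, Forwards,
          Actions, Conditions, Parameters, IPAddress, CountryCode, UserAgent, ReportId
| order by Timestamp desc
```

The noise reduction comes from the two lists: a rule that only moves newsletters matching a subject string has a Conditions set and never reaches the final filter, while a rule with DeleteMessage and an empty Conditions set is the classic BEC "hide everything" pattern. The summarize step keeps the full Parameters bag so an analyst can see the MoveToFolder target (RSS Feeds, Conversation History and similar folders are common hiding places) and the forwarding address without re-querying.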

1 Reply

OK, even better question: where do you find detailed string values? I feel like that is obvious, but I'm missing it.

Example query

let startTime = ago(7d);   // look-back window; the original left these two variables undefined
let endTime = now();
CloudAppEvents
| where Timestamp between (startTime .. endTime)
| where ActionType == "New-InboxRule"
| where ObjectType in ("File", "Folder")   // the original `== "File" or "Folder"` compares the bare string "Folder" as a boolean and fails
| where RawEventData contains "delete"

If I wanted to change the value for the string "ActionType", what are the possible values? What are the possible values for "ObjectType", etc.?

I've checked over MS query documentation, the schema reference and other MS forums without success. There are references to what the values might be but not a detailed list. 

Example (MS query doc and schema reference):

ActionType (string): Type of activity that triggered the event

Any help would be much appreciated.
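The schema reference describes the columns but not their value sets, because the values depend on which workloads are audited in a given tenant. The usual way to get the list is to ask the table itself. The query below is an added example for this thread, not code from the original post or from Microsoft; it assumes the CloudAppEvents schema (Application, ActionType, ObjectType, ReportId, RawEventData.Parameters) and that Exchange Online audit records carry an Application value containing the word "Exchange".

```kql
// Added example (not from the original post): enumerate the ActionType and
// ObjectType values actually present in the tenant's Exchange Online audit
// records, together with the cmdlet parameter names each ActionType carries.
// Assumption: Exchange Online records have an Application value containing "Exchange".
CloudAppEvents
| where Timestamp > ago(30d)
| where Application has "Exchange"
// One row per parameter; records without a Parameters array yield a single null row
| mv-expand Param = RawEventData.Parameters
| summarize
    Events         = dcount(ReportId),                 // distinct audit events, not parameter rows
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp),
    ParameterNames = make_set_if(tostring(Param.Name), isnotempty(Param.Name), 50)
    by ActionType, ObjectType
| order by Events desc
```

Run over 30 days this gives the concrete strings to plug into `ActionType in (...)` and `ObjectType in (...)` filters, and the ParameterNames column shows which RawEventData fields exist for each cmdlet, so a rule such as "New-InboxRule with DeleteMessage set" can be written against a named parameter rather than a `contains "delete"` substring match on the whole event.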