Microsoft 365 Anomalous Amount of Deleted Emails
Goal
Detect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.
Strategy
Monitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).
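The filter and per-user anomaly check described above can be sketched offline as follows. This is an added example, not the rule's own implementation: the median + MAD threshold is a simple stand-in for the platform's anomaly detection, and the `hour` bucket field, the `k` and `floor` parameters, and the sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from fnmatch import fnmatchcase
from statistics import median

def inbox_hard_deletes(events):
    """Apply the rule's filter: evt.name is HardDelete and Folder.Path matches *Inbox*."""
    return [e for e in events
            if e.get("evt.name") == "HardDelete"
            and fnmatchcase(e.get("Folder.Path", ""), "*Inbox*")]

def hourly_counts(events):
    """Count matching deletions per user and per hour bucket."""
    counts = defaultdict(Counter)
    for e in inbox_hard_deletes(events):
        counts[e["usr.id"]][e["hour"]] += 1
    return counts

def anomalous_users(events, current_hour, history_hours, k=5.0, floor=10):
    """Flag users whose current-hour count exceeds max(floor, median + k*MAD)
    of their own history. Assumed stand-in for the platform's anomaly model."""
    flagged = {}
    for user, per_hour in hourly_counts(events).items():
        history = [per_hour.get(h, 0) for h in history_hours]
        med = median(history)
        mad = median(abs(c - med) for c in history)
        # max(mad, 1) keeps a flat history from producing a zero-width band.
        threshold = max(floor, med + k * max(mad, 1))
        current = per_hour.get(current_hour, 0)
        if current > threshold:
            flagged[user] = (current, threshold)
    return flagged

def make(user, hour, n, name="HardDelete", path="\\Inbox"):
    """Build n constructed audit events for one user in one hour bucket."""
    return [{"usr.id": user, "hour": hour, "evt.name": name, "Folder.Path": path}] * n

# Constructed sample data: hours 0-2 are history, hour 3 is the evaluated window.
SAMPLE = (
    make("alice@example.com", 0, 2) + make("alice@example.com", 1, 3)
    + make("alice@example.com", 2, 1) + make("alice@example.com", 3, 4)
    + make("bob@example.com", 0, 1) + make("bob@example.com", 2, 2)
    + make("bob@example.com", 3, 60)                        # burst of inbox hard deletes
    + make("carol@example.com", 3, 80, name="SoftDelete")    # wrong event name, ignored
    + make("dave@example.com", 3, 80, path="\\Sent Items")   # not the inbox, ignored
)

if __name__ == "__main__":
    print(anomalous_users(SAMPLE, current_hour=3, history_hours=[0, 1, 2]))
```

Comparing each user against their own history keeps a mailbox that routinely purges mail from alerting, while the floor suppresses noise from mailboxes with almost no deletions.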
Triage and response
- Determine if the user `{{@usr.id}}` intended to delete the observed emails.
- If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. If necessary, initiate your company’s incident response (IR) process.