The rule query on the elastic.co site is not the same as the one on github
I'm not sure if this is by design by Microsoft, or a typo in the rule. The part with the exclusion in the user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" should actually be: "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
My suggestion would change the query to:

```kql
event.dataset:o365.audit AND event.provider:Exchange AND event.action:Add-MailboxPermission AND
o365.audit.Parameters.AccessRights:(FullAccess OR SendAs OR SendOnBehalf) AND event.outcome:success AND NOT user.id: ("NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" OR "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)")
```
Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
https://www.elastic.co/guide/en/security/8.14/prebuilt-rule-0-14-2-o365-exchange-suspicious-mailbox-right-delegation.html
Description
2 issues:
Example Data
```
-- {OrganizationName=gentplus.onmicrosoft.com, Parameters=[{Value=, Name=DomainController}, {Value=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/DiscoverySearchMailbox{Dxxxxxxx-46A6-415f-80AD-xxxxxxxxx}, Name=Identity}, {Value=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/Discovery Management, Name=User}, {Value=FullAccess, Name=AccessRights}], RequestId=xxxxxxxx-93af-470a-d21d-xxxxxxxx, ResultStatus=True, ObjectId=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/DiscoverySearchMailbox{Dxxxxxxx-46A6-415f-80AD-xxxxxxxxx}, UserKey=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost), ExternalAccess=true, Operation=Add-MailboxPermission, OrganizationId=xxxxxxx-1ebf-4335-ad13-xxxxxxxxxxx, AppAccessContext={UniqueTokenId=}, Workload=Exchange, OriginatingServer=VI1PR0402MB3566 (15.20.7633.033), AppId=, RecordType=1, Version=1, UserId=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost), ClientAppId=, CreationTime=2024-06-07T14:28:01, CorrelationID=, Id=xxxxxxxx-93af-470a-d21d-xxxxxxxx, UserType=3, AppPoolName=MSExchangeServiceHost}
```
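The following is an added example, not code from the issue or from the elastic/detection-rules project. It mirrors the rule's boolean logic in Python over a few constructed o365.audit events and applies both exclusion lists, the single `Servicehost` value from the GitHub rule and the two-value list proposed above. Because `user.id` is a keyword field, the `NOT user.id:` clause compares exact, case-sensitive strings, so the event produced by `Microsoft.Exchange.ServiceHost` (as in the example data) is not excluded by the lower-case spelling and becomes a false positive; the proposed list removes it while still alerting on the constructed admin account. The helper that pulls `UserId` out of the flattened `key=value, ...` audit text, the event values and the admin account name are all constructed for this example.

```python
import re

# Constructed sample events (not real telemetry). Keys mirror the ECS and
# o365.audit fields referenced by the rule query.
EVENTS = [
    {   # Exchange's own service host, as in the issue's example data (benign)
        "event.dataset": "o365.audit",
        "event.provider": "Exchange",
        "event.action": "Add-MailboxPermission",
        "event.outcome": "success",
        "o365.audit.Parameters.AccessRights": "FullAccess",
        "user.id": r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)",
    },
    {   # constructed admin account granting SendAs: this should alert
        "event.dataset": "o365.audit",
        "event.provider": "Exchange",
        "event.action": "Add-MailboxPermission",
        "event.outcome": "success",
        "o365.audit.Parameters.AccessRights": "SendAs",
        "user.id": "admin@example.onmicrosoft.com",
    },
    {   # same admin, but a right the rule does not cover: no alert
        "event.dataset": "o365.audit",
        "event.provider": "Exchange",
        "event.action": "Add-MailboxPermission",
        "event.outcome": "success",
        "o365.audit.Parameters.AccessRights": "ReadPermission",
        "user.id": "admin@example.onmicrosoft.com",
    },
]

ACCESS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# user.id exclusion as written in the GitHub rule, and as proposed in the issue
GITHUB_EXCLUSION = (r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)",)
PROPOSED_EXCLUSION = (
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)",
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)",
)


def rule_matches(event, excluded_user_ids):
    """Mirror the rule's boolean logic. Keyword fields compare exactly, so
    the NOT user.id clause is case-sensitive, just as it is in the KQL."""
    return (
        event.get("event.dataset") == "o365.audit"
        and event.get("event.provider") == "Exchange"
        and event.get("event.action") == "Add-MailboxPermission"
        and event.get("o365.audit.Parameters.AccessRights") in ACCESS_RIGHTS
        and event.get("event.outcome") == "success"
        and event.get("user.id") not in excluded_user_ids
    )


def alerting_user_ids(events, excluded_user_ids):
    """Return the user.id of every event the rule would alert on."""
    return [e["user.id"] for e in events if rule_matches(e, excluded_user_ids)]


# The flattened audit text uses "key=value, key=value" and the UserId value
# contains neither a comma nor a closing brace, so a simple regex suffices.
USER_ID_RE = re.compile(r"(?:^|, )UserId=([^,}]+)")


def user_id_from_audit_text(raw):
    """Extract the UserId value from flattened audit text (constructed helper)."""
    match = USER_ID_RE.search(raw)
    return match.group(1) if match else None


SAMPLE_AUDIT_TEXT = (  # constructed, shaped like the issue's Example Data
    "{Operation=Add-MailboxPermission, ResultStatus=True, "
    r"UserKey=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost), "
    "Workload=Exchange, "
    r"UserId=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost), "
    "UserType=3, AppPoolName=MSExchangeServiceHost}"
)

if __name__ == "__main__":
    print("GitHub exclusion  :", alerting_user_ids(EVENTS, GITHUB_EXCLUSION))
    print("Proposed exclusion:", alerting_user_ids(EVENTS, PROPOSED_EXCLUSION))
    print("UserId from audit :", user_id_from_audit_text(SAMPLE_AUDIT_TEXT))
```

With the GitHub spelling the service-host event is reported alongside the admin event; with the proposed two-value list only the admin event remains. Listing both spellings, rather than one, keeps the rule correct whichever casing a given tenant emits.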