Elastic Detection Rule Development: Suspicious Exchange Mailbox Right Delegation
For this rule, which detects a mailbox permission being delegated to a specific user in the organization, you first look up the API or PowerShell cmdlets that assign permissions to a mailbox.
https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps
Add-MailboxPermission
[-Identity] <MailboxIdParameter>
-AccessRights <MailboxRights[]>
-User <SecurityPrincipalIdParameter>
[-AutoMapping <Boolean>]
[-Confirm]
[-Deny]
[-DomainController <Fqdn>]
[-GroupMailbox]
[-IgnoreDefaultScope]
[-InheritanceType <ActiveDirectorySecurityInheritance>]
[-WhatIf]
[<CommonParameters>]
From this you can determine that -AccessRights <MailboxRights[]> is an important parameter, and the detection rule will key on it.
EXAMPLE
Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All
So I decided to go to the Elastic SIEM and see if I can query accessright and see if an event field will appear.
And it returns o365.audit.Parameters.AccessRights, which is exactly what I was looking for.
And I know the 3 Access Rights that I can choose to use are as follows:
FullAccess
SendAs
SendOnBehalf
RULE
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
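To sanity-check the rule's logic before deploying it, here is an added example (not from the original post or from Elastic) that re-implements the query's conditions in Python and runs them over constructed sample events. The flat dotted field names as dict keys are an assumption about how the indexed events look.

```python
# Added example: evaluate the rule's conditions against constructed sample events.
# Assumption: each event is a flat dict keyed by the Elastic field names from the rule.

WATCHED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def matches_rule(event: dict) -> bool:
    """Mirror the KQL rule: dataset, provider, action and outcome must all match,
    and at least one delegated AccessRights value must be in WATCHED_RIGHTS."""
    if event.get("event.dataset") != "o365.audit":
        return False
    if event.get("event.provider") != "Exchange":
        return False
    if event.get("event.action") != "Add-MailboxPermission":
        return False
    if event.get("event.outcome") != "success":
        return False
    rights = event.get("o365.audit.Parameters.AccessRights")
    if rights is None:
        return False
    # The cmdlet parameter is MailboxRights[], so the field may hold one value or a
    # list; KQL's field:(a or b) matches when any element equals one of the terms.
    if isinstance(rights, str):
        rights = [rights]
    return any(r in WATCHED_RIGHTS for r in rights)


def base_event(**overrides) -> dict:
    """Build a constructed (not real) Exchange audit event, then apply overrides."""
    event = {
        "event.dataset": "o365.audit",
        "event.provider": "Exchange",
        "event.action": "Add-MailboxPermission",
        "event.outcome": "success",
        "o365.audit.Parameters.Identity": "Terry Adams",
        "o365.audit.Parameters.User": "Kevin Kelly",
        "o365.audit.Parameters.AccessRights": "FullAccess",
    }
    event.update(overrides)
    return event


# Constructed sample events covering a hit and the cases the rule deliberately skips.
SAMPLE_EVENTS = [
    base_event(),                                                    # alert
    base_event(**{"o365.audit.Parameters.AccessRights": ["ReadPermission"]}),  # benign right
    base_event(**{"event.outcome": "failure",
                  "o365.audit.Parameters.AccessRights": ["SendAs"]}),  # failed attempt
    base_event(**{"event.provider": "SharePoint"}),                  # wrong workload
]


def alerting_events(events: list) -> list:
    """Return only the events that would fire the detection rule."""
    return [e for e in events if matches_rule(e)]
```

Note that the rule, like the query it mirrors, only fires on successful delegations; a failed attempt to grant SendAs is dropped by the event.outcome:success clause.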