Elastic Detection Rule Development: Suspicious Exchange Mailbox Right Delegation

The first step is to look up the API calls or PowerShell cmdlets that assign permissions on a specific mailbox, since this rule is meant to detect when a mailbox permission is delegated to a specific user in the organization.

https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps

Add-MailboxPermission
   [-Identity] <MailboxIdParameter>
   -AccessRights <MailboxRights[]>
   -User <SecurityPrincipalIdParameter>
   [-AutoMapping <Boolean>]
   [-Confirm]
   [-Deny]
   [-DomainController <Fqdn>]
   [-GroupMailbox]
   [-IgnoreDefaultScope]
   [-InheritanceType <ActiveDirectorySecurityInheritance>]
   [-WhatIf]
   [<CommonParameters>]


From this syntax you can determine that -AccessRights <MailboxRights[]> is the important parameter to key the detection rule on.

EXAMPLE

Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All

So I decided to go to the Elastic SIEM and see if I can query AccessRights and see if an event field will appear.

And it returns o365.audit.Parameters.AccessRights, which is exactly what I was looking for.

And I know the 3 Access Rights that I can choose to use are as follows:

  • FullAccess
  • SendAs
  • SendOnBehalf


RULE

event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
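The rule's conditions applied to sample audit events, as an added example that is not part of the original post: the events are constructed in an ECS-style field layout, and the AccessRights handling assumes the field may carry more than one value.

```python
# Added example (not from the original post): the page's KQL rule as Python, run over constructed o365.audit events in ECS field layout.
WATCHED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}  # values the rule watches for

def get_field(event: dict, path: str):
    """Resolve a dotted ECS path such as 'o365.audit.Parameters.AccessRights'."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def as_values(value) -> set:
    """KQL 'field:(a or b)' matches any value of a multi-valued field; normalise to a set."""
    if value is None:
        return set()
    return set(value) if isinstance(value, (list, tuple, set)) else {value}

def matches_rule(event: dict) -> bool:
    """Same conditions as the KQL rule: dataset, provider, action, AccessRights, outcome."""
    rights = as_values(get_field(event, "o365.audit.Parameters.AccessRights"))
    return (
        get_field(event, "event.dataset") == "o365.audit"
        and get_field(event, "event.provider") == "Exchange"
        and get_field(event, "event.action") == "Add-MailboxPermission"
        and bool(rights & WATCHED_RIGHTS)
        and get_field(event, "event.outcome") == "success"
    )

def build_event(action: str, rights, outcome: str = "success") -> dict:
    """Construct a minimal ECS-shaped o365.audit document (sample data, not a real log)."""
    params = {"Identity": "Terry Adams", "User": "Kevin Kelly", "AccessRights": rights}
    return {
        "event": {"dataset": "o365.audit", "provider": "Exchange", "action": action, "outcome": outcome},
        "o365": {"audit": {"Parameters": params}},
    }

# Constructed sample events: one that should alert and three the rule must ignore.
SAMPLE_EVENTS = [
    build_event("Add-MailboxPermission", "FullAccess"),                 # delegated FullAccess
    build_event("Add-MailboxPermission", ["ReadPermission"]),           # right not in the watched set
    build_event("Add-MailboxPermission", "SendAs", outcome="failure"),  # attempt did not succeed
    build_event("Remove-MailboxPermission", "FullAccess"),              # revocation, not delegation
]

def run_rule(events) -> list:
    """Return (index, AccessRights) for every event the rule would alert on."""
    return [(i, get_field(e, "o365.audit.Parameters.AccessRights"))
            for i, e in enumerate(events) if matches_rule(e)]
```

Only the first sample event is returned; the failed attempt and the revocation are filtered out by the event.outcome and event.action conditions respectively.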
