O365_Exchange_Add-MailboxPermission
ID: 100382
Description:
Add-MailboxPermission on an Exchange Mailbox - KLK
Repository: Fluency Group: Office365 Type: event
Default Status:
Enabled
| Tags: | |||
|---|---|---|---|
| O365 | Office | Exchange | Mailbox |
Selector:
Query:
Filters:
Standard:
| Field | MUST hit |
|---|---|
| @fields.Operation | Add-MailboxPermission |
| @fields.Workload | Exchange |
| Field | MUST NOT hit |
|---|---|
| @fields.UserId | NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost) |
Additional JSON:
function json_doc_filter (doc)
for i,v in ipairs(doc['@fields'].Parameters)
do
print(v.Name .. ": " .. v.Value)
if v.Name == "AccessRights" and v.Value == "FullAccess" then
return true
end
end
return false
end
return json_doc_filter
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | application activity |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_NORMAL | 100 | alert |
Attributes:
| Alias | Key |
|---|---|
| ObjectId | @fields.ObjectId |
| Operation | @fields.Operation |
| UserId | @fields.UserId |
| ISP | @fields._ip.isp |
| City | @fields._ip.city |
| Country | @fields._ip.country |
| Identity | @fields.ParametersFields.Identity |
| User | @fields.ParametersFields.User |
| AccessRights | @fields.ParametersFields.AccessRights |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewUser | 30 days | @fields.UserId |
| Risks: | ML_NEW_USER | |
| NewTarget | 30 days | @fields.ObjectId |
| Risks: | ML_NEW_USER |
Aggregation:
| Name | Window | Field | AggType | Match |
|---|---|---|---|---|
| MultipleMailboxes | 1 day | @fields.ObjectId | cardinality | gt 1 |
| Risks: | ALERT_POLICY |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Aug 11 16:28:09 EDT |
| ke*y@fluencysecurity.com | 2021 Sep 14 10:29:04 EDT |
| ke*y@fluencysecurity.com | 2021 Sep 14 10:42:13 EDT |
| ke*y@fluencysecurity.com | 2022 Feb 18 01:02:00 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)