Link Search Menu Expand Document

O365_Exchange_Add-MailboxPermission

ID: 100382

Description:

Add-MailboxPermission on an Exchange Mailbox - KLK

Repository: Fluency Group: Office365 Type: event

Default Status:

Enabled

Tags:      
O365 Office Exchange Mailbox
       
       

Selector:

Query:

Filters:

Standard:

Field MUST hit
@fields.Operation Add-MailboxPermission
@fields.Workload Exchange
Field MUST NOT hit
@fields.UserId NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)

Additional JSON:

function json_doc_filter (doc)
   for i,v in ipairs(doc['@fields'].Parameters)
   do
      
      print(v.Name .. ": " .. v.Value)
      if v.Name == "AccessRights" and v.Value == "FullAccess" then
         return true
      end
   end
   return false
end
return json_doc_filter

Behavior Rule:

Key Type Behavior Category
@fields.UserId username application activity

Risks:

Risks Base Score Dimension
ALERT_NORMAL 100 alert

Attributes:

Alias Key
ObjectId @fields.ObjectId
Operation @fields.Operation
UserId @fields.UserId
ISP @fields._ip.isp
City @fields._ip.city
Country @fields._ip.country
Identity @fields.ParametersFields.Identity
User @fields.ParametersFields.User
AccessRights @fields.ParametersFields.AccessRights

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days @fields.UserId
  Risks: ML_NEW_USER
NewTarget 10 days @fields.ObjectId
  Risks: ML_NEW_USER

Aggregation:

Name Window Field AggType Match
MultipleMailboxes 1 day @fields.ObjectId cardinality gt 1
  Risks: ALERT_POLICY    

History:

User Date
ho*d@fluencysecurity.com 2021 Aug 11 16:28:09 EDT
ke*y@fluencysecurity.com 2021 Sep 14 10:29:04 EDT
ke*y@fluencysecurity.com 2021 Sep 14 10:42:13 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)