Elastic Detection Rule Development: Suspicious Exchange Mailbox Right Delegation
Start by looking up the API calls or PowerShell cmdlets that assign permissions to a specific mailbox, since this rule is meant to detect when a mailbox permission is delegated to a specific user in the organization.
SYNTAX:
Add-MailboxPermission [-Identity] <MailboxIdParameter> -AccessRights <MailboxRights[]> -User <SecurityPrincipalIdParameter> [-AutoMapping <Boolean>] [-Confirm] [-Deny] [-DomainController <Fqdn>] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType <ActiveDirectorySecurityInheritance>] [-WhatIf] [<CommonParameters>]
From this syntax you can determine that -AccessRights <MailboxRights[]> is the important parameter to key the detection rule on.
EXAMPLE:
Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All
So I went to the Elastic SIEM to query for "accessright" and see whether a matching event field would appear. It returned o365.audit.Parameters.AccessRights, which is exactly what I was looking for.
And the three access rights I can choose to match on are as follows:
- FullAccess
- SendAs
- SendOnBehalf
RULE:
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
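As an added example (not code from the original post, and not Elastic's query engine), the Python below re-implements the rule's predicate and runs it over constructed o365.audit events laid out with the field names the rule queries, so you can see which events fire and which are filtered by the outcome, cmdlet and AccessRights clauses. The o365_event helper and the sample names are assumptions made for the demonstration.

```python
# Added example: an offline re-implementation of the post's KQL predicate,
# run over constructed o365.audit events (not real data, not Elastic's engine).

DELEGATION_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

def o365_event(action, outcome, **params):
    """Build a constructed event carrying the field names the rule queries."""
    return {"event": {"dataset": "o365.audit", "provider": "Exchange",
                      "action": action, "outcome": outcome},
            "o365": {"audit": {"Parameters": params}}}

SAMPLE_EVENTS = [  # true positive, failed attempt, other cmdlet, other right
    o365_event("Add-MailboxPermission", "success", Identity="Terry Adams",
               User="Kevin Kelly", AccessRights="FullAccess"),
    o365_event("Add-MailboxPermission", "failure", AccessRights="SendAs"),
    o365_event("Set-Mailbox", "success", Identity="Terry Adams"),
    o365_event("Add-MailboxPermission", "success", AccessRights="ReadPermission"),
]

def get_field(event, path):
    """Walk a dotted ECS path such as 'o365.audit.Parameters.AccessRights'."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event):
    """Every AND clause of the KQL rule must hold for the event to alert."""
    rights = get_field(event, "o365.audit.Parameters.AccessRights")
    # AccessRights may be one string or a list when several rights are granted.
    rights_set = set(rights) if isinstance(rights, list) else {rights}
    return (get_field(event, "event.dataset") == "o365.audit"
            and get_field(event, "event.provider") == "Exchange"
            and get_field(event, "event.action") == "Add-MailboxPermission"
            and bool(rights_set & DELEGATION_RIGHTS)
            and get_field(event, "event.outcome") == "success")

def alerts(events):
    """Return (mailbox, grantee, right) for each event the rule fires on."""
    return [(get_field(e, "o365.audit.Parameters.Identity"),
             get_field(e, "o365.audit.Parameters.User"),
             get_field(e, "o365.audit.Parameters.AccessRights"))
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT mailbox=%s user=%s right=%s" % hit)
```

Only the first sample fires; the failed SendAs attempt, the unrelated Set-Mailbox call and the ReadPermission grant are all excluded by the rule's other clauses.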