Elastic Detection Rule Development: Suspicious Exchange Mailbox Right Delegation

You first begin by looking up the API calls or PowerShell cmdlets that assign permissions to a specific mailbox, since this rule is meant to detect when a mailbox permission is delegated to a specific user in the organization.

Add-MailboxPermission [-Identity] -AccessRights <MailboxRights[]> -User [-AutoMapping ] [-Confirm] [-Deny] [-DomainController ] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType ] [-WhatIf] []

From this you can determine that -AccessRights <MailboxRights[]> is an important parameter that will be used in the detection rule.

EXAMPLE Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All

So I decided to go to the Elastic SIEM and query for AccessRights to see whether a matching event field appears. It returns o365.audit.Parameters.AccessRights, which is exactly what I was looking for.

And I know the three Access Rights that I can choose to use are as follows:

  • FullAccess
  • SendAs
  • SendOnBehalf

RULE event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
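To sanity-check the rule logic before deploying it, here is an added example (not from the original post or from Elastic's rule repository) that applies the same five conditions in Python to constructed O365 audit events. The nested event layout and the assumption that AccessRights can arrive as either a string or a list are mine.

```python
import json
# Mirror of the KQL rule above, applied to ECS-shaped O365 audit events:
#   event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission
#   and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
WATCHED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def get_path(doc, dotted, default=None):
    """Walk a dotted ECS field name through nested dicts; return default if any step is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def matched_rights(event):
    """Return the watched rights granted by one event, or [] when the rule does not fire."""
    required = {"event.dataset": "o365.audit", "event.provider": "Exchange",
                "event.action": "Add-MailboxPermission", "event.outcome": "success"}
    if any(get_path(event, field) != value for field, value in required.items()):
        return []
    rights = get_path(event, "o365.audit.Parameters.AccessRights", [])
    # Assumption: AccessRights may be one string or a list; KQL's (a or b or c) matches any value.
    rights = [rights] if isinstance(rights, str) else rights
    return sorted(WATCHED_RIGHTS.intersection(rights))


def run_rule(ndjson_lines):
    """Apply the rule to newline-delimited JSON events; return (mailbox, delegate, rights) alerts."""
    alerts = []
    for line in ndjson_lines:
        event = json.loads(line)
        hit = matched_rights(event)
        if hit:
            params = get_path(event, "o365.audit.Parameters", {})
            alerts.append((params.get("Identity"), params.get("User"), hit))
    return alerts


def _evt(action, rights, outcome="success"):
    """Constructed sample event (not real tenant data) in the field layout the rule queries."""
    return json.dumps({"event": {"dataset": "o365.audit", "provider": "Exchange", "action": action, "outcome": outcome},
                       "o365": {"audit": {"Parameters": {"Identity": "Terry Adams", "User": "Kevin Kelly", "AccessRights": rights}}}})


SAMPLE_LOG = [
    _evt("Add-MailboxPermission", "FullAccess"),                        # fires
    _evt("Add-MailboxPermission", "ReadPermission"),                    # right not watched
    _evt("Add-MailboxPermission", "SendAs", outcome="failure"),         # failed attempt, rule ignores
    _evt("Add-MailboxPermission", ["ReadPermission", "SendOnBehalf"]),  # fires (list form)
    _evt("Set-Mailbox", "FullAccess"),                                  # different cmdlet
]
```

Running run_rule(SAMPLE_LOG) yields two alerts, for the FullAccess and SendOnBehalf grants; the failed SendAs attempt and the unwatched ReadPermission grant are correctly ignored.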

Austin Songer