[Bug] O365 Exchange Suspicious Mailbox Right Delegation - False Positives for "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" #3702
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
O365 Exchange Suspicious Mailbox Right Delegation => https://www.elastic.co/guide/en/security/current/o365-exchange-suspicious-mailbox-right-delegation.html
Describe the bug
False positive alerts are bing generated for
user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"Original Query:
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and not user.id : ( "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"Better Query:
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" and not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"Expected behavior
user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"does not trigger alertsIn our logs only
"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"exists, not"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)", but to be sure lets exclude them both...The text was updated successfully, but these errors were encountered: