Describe the bug
False positive alerts are being generated for user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
Original Query:
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
Better Query:
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" and not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
Expected behavior
user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" does not trigger alerts
In our logs only "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" exists, not "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)", but to be sure let's exclude them both...
O365 Exchange Suspicious Mailbox Right Delegation => https://www.elastic.co/guide/en/security/current/o365-exchange-suspicious-mailbox-right-delegation.html
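The issue above comes down to one property of the rule: user.id is a keyword field, so the KQL exact match in the exclusion is case-sensitive, and an exclusion written as "...Servicehost" does nothing for events whose user.id reads "...ServiceHost". The following is an added example, not code from the Elastic detection-rules repository or from the issue author. It re-implements the rule's filter logic in Python and runs it over a handful of constructed o365.audit events (the event contents and the user name attacker@contoso.example are made up) to show the false positive with the original exclusion, the result with the two-value exclusion proposed in the issue, and, as a third option that goes slightly beyond the issue, a case-folded comparison that covers either spelling.

```python
# Added example: models the O365 Exchange Suspicious Mailbox Right Delegation rule
# logic from the issue over constructed events. Not the project's own code; the
# events below are constructed, not real tenant data.

# Constructed o365.audit events, using the flattened ECS field names from the rule.
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.action": "Add-MailboxPermission", "event.outcome": "success",
     "o365.audit.Parameters.AccessRights": "FullAccess",
     "user.id": "attacker@contoso.example"},          # should alert
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.action": "Add-MailboxPermission", "event.outcome": "success",
     "o365.audit.Parameters.AccessRights": ["FullAccess"],
     "user.id": r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"},  # the FP from the issue
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.action": "Add-MailboxPermission", "event.outcome": "success",
     "o365.audit.Parameters.AccessRights": "SendAs",
     "user.id": r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"},  # already excluded
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.action": "Add-MailboxPermission", "event.outcome": "failure",
     "o365.audit.Parameters.AccessRights": "FullAccess",
     "user.id": "attacker@contoso.example"},          # failed, rule ignores it
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.action": "Add-MailboxPermission", "event.outcome": "success",
     "o365.audit.Parameters.AccessRights": "ReadPermission",
     "user.id": "attacker@contoso.example"},          # not a delegation right of interest
]

# The AccessRights values the rule cares about.
ACCESS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

# Exclusion list as in the rule quoted in the issue (single spelling) ...
ORIGINAL_EXCLUSIONS = (r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)",)
# ... and as proposed in the issue (both spellings).
BETTER_EXCLUSIONS = ORIGINAL_EXCLUSIONS + (
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)",)


def base_match(ev):
    """The positive half of the rule: provider, action, rights and outcome."""
    rights = ev.get("o365.audit.Parameters.AccessRights", [])
    if isinstance(rights, str):          # the field may arrive as a scalar or a list
        rights = [rights]
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("event.provider") == "Exchange"
            and ev.get("event.action") == "Add-MailboxPermission"
            and any(r in ACCESS_RIGHTS for r in rights)
            and ev.get("event.outcome") == "success")


def is_excluded(user_id, exclusions, case_sensitive):
    """Exact match like KQL on a keyword field, or case-folded when asked."""
    if case_sensitive:
        return user_id in exclusions
    return user_id.casefold() in {e.casefold() for e in exclusions}


def alerts(events, exclusions, case_sensitive=True):
    """Return user.id of every event the rule would alert on, in input order."""
    return [ev["user.id"] for ev in events
            if base_match(ev)
            and not is_excluded(ev.get("user.id", ""), exclusions, case_sensitive)]


if __name__ == "__main__":
    # Original exclusion: the ServiceHost spelling still fires (the reported FP).
    print(alerts(SAMPLE_EVENTS, ORIGINAL_EXCLUSIONS))
    # Both spellings excluded, as the issue proposes: only the real delegation remains.
    print(alerts(SAMPLE_EVENTS, BETTER_EXCLUSIONS))
    # Case-folded comparison reaches the same result with the single original value.
    print(alerts(SAMPLE_EVENTS, ORIGINAL_EXCLUSIONS, case_sensitive=False))
```

The case-folded variant is shown only to make the root cause visible; in the rule itself the equivalent is to list both literal values, as the issue's better query does, or to know exactly which spelling your tenant emits and exclude that one.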