Begin by looking up the API or PowerShell cmdlets that assign permissions to a mailbox, since the rule is meant to detect a permission being delegated to a specific user in the organization. For Exchange that cmdlet is Add-MailboxPermission, whose syntax is:
Add-MailboxPermission [-Identity] <MailboxIdParameter> -AccessRights <MailboxRights> -User <SecurityPrincipalIdParameter> [-AutoMapping <Boolean>] [-Confirm] [-Deny] [-DomainController <Fqdn>] [-GroupMailbox] [-IgnoreDefaultScope] [-InheritanceType <ActiveDirectorySecurityInheritance>] [-WhatIf] [<CommonParameters>]
From this syntax you can determine that -AccessRights <MailboxRights> is the key parameter for the detection rule: it carries the right being granted. For example, the following command grants Kevin Kelly full access to Terry Adams' mailbox:
Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All
So I went to the Elastic SIEM and searched for accessright to see whether a matching event field would appear.
It returned o365.audit.Parameters.AccessRights, which is exactly the field I was looking for.
The three access rights I chose to watch are FullAccess, SendAs and SendOnBehalf, which gives the following KQL rule:
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
One caveat worth testing: in Exchange Online, SendAs is granted with Add-RecipientPermission -AccessRights SendAs, and Send on Behalf with Set-Mailbox -GrantSendOnBehalfTo, not with Add-MailboxPermission. Because the rule filters on event.action:Add-MailboxPermission, in practice it fires on FullAccess delegations; the other two delegation paths need their own event.action clauses if you want them covered.
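To see what the KQL actually matches before enabling it, it helps to replay the rule logic over raw audit records. The Python below is an added example, not code from the original post or from Elastic. It builds a handful of constructed Office 365 Unified Audit Log records (the AuditData shape returned by Search-UnifiedAuditLog: Operation, Workload, ResultStatus, UserId and a Parameters name/value array), flattens them into the ECS-style field names the rule references, and applies the rule's five conditions. The field derivation (event.action from Operation, event.provider from Workload, event.outcome from ResultStatus, o365.audit.Parameters.<Name> from the Parameters array) approximates what the Filebeat o365 module does and is an assumption here, as is the brace-wrapped form of a multi-valued AccessRights parameter. The sample also includes a SendAs grant via Add-RecipientPermission and a Send on Behalf grant via Set-Mailbox -GrantSendOnBehalfTo, and a second function lists those, since the posted rule's event.action clause cannot see them.

```python
"""Replay of the Add-MailboxPermission KQL rule over constructed O365 audit records.

Added example; the ECS field mapping and the sample records are assumptions,
not output captured from a real tenant or from the Filebeat o365 module.
"""
import re

# The AccessRights values the KQL watches.
WATCHED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def rec(operation, result_status, user_id, **params):
    """Build one constructed AuditData-style record (Workload fixed to Exchange)."""
    return {"Operation": operation, "Workload": "Exchange", "ResultStatus": result_status,
            "UserId": user_id,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample log, no real tenant data. Names other than Terry Adams /
# Kevin Kelly (taken from the post's example command) are invented here.
SAMPLE_AUDIT_DATA = [
    # The delegation from the post: should match.
    rec("Add-MailboxPermission", "True", "admin@example.com",
        Identity="Terry Adams", User="Kevin Kelly", AccessRights="FullAccess", InheritanceType="All"),
    # A right the rule does not watch: should not match.
    rec("Add-MailboxPermission", "True", "admin@example.com",
        Identity="Terry Adams", User="Helpdesk", AccessRights="ReadPermission"),
    # Right cmdlet and right, but the command failed: should not match.
    rec("Add-MailboxPermission", "False", "admin@example.com",
        Identity="CEO", User="Kevin Kelly", AccessRights="FullAccess"),
    # Multi-valued AccessRights (brace form is an assumption): should match on FullAccess.
    rec("Add-MailboxPermission", "True", "svc-migration@example.com",
        Identity="Finance Shared", User="Kevin Kelly", AccessRights="{FullAccess, ReadPermission}"),
    # SendAs comes from Add-RecipientPermission, so event.action differs: the rule misses it.
    rec("Add-RecipientPermission", "True", "admin@example.com",
        Identity="Terry Adams", Trustee="Kevin Kelly", AccessRights="SendAs"),
    # Send on Behalf is a Set-Mailbox parameter, not an AccessRights value: the rule misses it.
    rec("Set-Mailbox", "True", "admin@example.com",
        Identity="Terry Adams", GrantSendOnBehalfTo="Kevin Kelly"),
]


def to_ecs(record):
    """Flatten a record into the ECS-style fields the KQL refers to (approximation)."""
    ecs = {
        "event.dataset": "o365.audit",
        "event.provider": record.get("Workload"),
        "event.action": record.get("Operation"),
        "event.outcome": "success" if record.get("ResultStatus") in ("True", "Succeeded") else "failure",
        "user.id": record.get("UserId"),
    }
    for p in record.get("Parameters", []):
        ecs["o365.audit.Parameters." + p["Name"]] = p["Value"]
    return ecs


def access_rights_tokens(value):
    """Tokenise an AccessRights value the way a text field match would see it."""
    return {t for t in re.split(r"[{},;\s]+", value or "") if t}


def matches_rule(ecs):
    """The posted KQL, clause by clause."""
    return (ecs.get("event.dataset") == "o365.audit"
            and ecs.get("event.provider") == "Exchange"
            and ecs.get("event.action") == "Add-MailboxPermission"
            and bool(access_rights_tokens(ecs.get("o365.audit.Parameters.AccessRights")) & WATCHED_RIGHTS)
            and ecs.get("event.outcome") == "success")


def run_rule(records):
    """Return one alert dict per record the KQL would match."""
    alerts = []
    for r in records:
        ecs = to_ecs(r)
        if matches_rule(ecs):
            rights = access_rights_tokens(ecs.get("o365.audit.Parameters.AccessRights"))
            alerts.append({"by": ecs["user.id"],
                           "mailbox": ecs.get("o365.audit.Parameters.Identity"),
                           "grantee": ecs.get("o365.audit.Parameters.User"),
                           "rights": sorted(rights & WATCHED_RIGHTS)})
    return alerts


def uncovered_delegations(records):
    """Successful SendAs / Send on Behalf grants the posted rule cannot match,
    because they are logged under other cmdlets. Returns (operation, mailbox, grantee)."""
    out = []
    for r in records:
        ecs = to_ecs(r)
        if ecs.get("event.provider") != "Exchange" or ecs.get("event.outcome") != "success":
            continue
        if (ecs.get("event.action") == "Add-RecipientPermission"
                and "SendAs" in access_rights_tokens(ecs.get("o365.audit.Parameters.AccessRights"))):
            out.append(("Add-RecipientPermission", ecs.get("o365.audit.Parameters.Identity"),
                        ecs.get("o365.audit.Parameters.Trustee")))
        elif ecs.get("event.action") == "Set-Mailbox" and "o365.audit.Parameters.GrantSendOnBehalfTo" in ecs:
            out.append(("Set-Mailbox", ecs.get("o365.audit.Parameters.Identity"),
                        ecs["o365.audit.Parameters.GrantSendOnBehalfTo"]))
    return out


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_AUDIT_DATA):
        print("ALERT ", alert)
    for gap in uncovered_delegations(SAMPLE_AUDIT_DATA):
        print("MISSED", gap)
```

Running it alerts on the two FullAccess grants (the post's example and the multi-valued one) and lists the SendAs and Send on Behalf grants as misses; extending the rule means adding event.action:Add-RecipientPermission and a Set-Mailbox clause keyed on the GrantSendOnBehalfTo parameter, which is what uncovered_delegations spells out.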