Elastic Detection Rule Development: Suspicious Exchange Mailbox Right Delegation

You first begin by looking up the API or PowerShell cmdlets that assign permissions to a specific mailbox, since this rule is meant to detect when a mailbox permission is delegated to a specific user in the organization.

https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps

Add-MailboxPermission
   [-Identity] <MailboxIdParameter>
   -AccessRights <MailboxRights[]>
   -User <SecurityPrincipalIdParameter>
   [-AutoMapping <Boolean>]
   [-Confirm]
   [-Deny]
   [-DomainController <Fqdn>]
   [-GroupMailbox]
   [-IgnoreDefaultScope]
   [-InheritanceType <ActiveDirectorySecurityInheritance>]
   [-WhatIf]
   [<CommonParameters>]


So from this you can determine that -AccessRights <MailboxRights[]> is an important parameter that will be used in the detection rule.

EXAMPLE

Add-MailboxPermission -Identity "Terry Adams" -User "Kevin Kelly" -AccessRights FullAccess -InheritanceType All

So I decided to go to the Elastic SIEM and see whether querying for AccessRights would surface a matching event field.

And it returns o365.audit.Parameters.AccessRights, which is exactly what I was looking for.

And I know the three access rights that I can choose to use are as follows:

  • FullAccess
  • SendAs
  • SendOnBehalf


RULE

event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
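To sanity-check the rule logic before deploying it, here is an added Python example (not part of the original post or of Elastic's rule set) that applies the same field conditions to a few constructed o365.audit events keyed by flattened ECS field names. The sample events and the helper _exchange_event are constructed for illustration; AccessRights is handled both as a single string and as a list, since the audit parameter can carry more than one right.

```python
# Added example: re-implement the KQL rule's conditions in Python and run them
# over constructed o365.audit events to check which ones should alert.
from typing import Any, Dict, List

# The three access rights the rule watches for (same set as the KQL rule).
WATCHED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def matches_rule(event: Dict[str, Any]) -> bool:
    """Mirror of the KQL rule. Events use flattened ECS field names as keys,
    e.g. "o365.audit.Parameters.AccessRights"."""
    rights = event.get("o365.audit.Parameters.AccessRights")
    if rights is None:
        return False
    # The AccessRights parameter can carry one value or a list of values;
    # KQL's (FullAccess or SendAs or SendOnBehalf) matches if any element does.
    if isinstance(rights, str):
        rights = [rights]
    return (
        event.get("event.dataset") == "o365.audit"
        and event.get("event.provider") == "Exchange"
        and event.get("event.action") == "Add-MailboxPermission"
        and event.get("event.outcome") == "success"
        and any(r in WATCHED_RIGHTS for r in rights)
    )


def alerting_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real audit data); keys are flattened ECS fields.
def _exchange_event(outcome: str, rights: Any,
                    action: str = "Add-MailboxPermission") -> Dict[str, Any]:
    return {"event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.action": action, "event.outcome": outcome,
            "o365.audit.Parameters.AccessRights": rights}


SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _exchange_event("success", "FullAccess"),                  # alerts
    _exchange_event("success", ["ReadPermission", "SendAs"]),  # alerts (list)
    _exchange_event("failure", "FullAccess"),                  # no: failed
    _exchange_event("success", "ReadPermission"),              # no: not watched
    _exchange_event("success", "FullAccess",
                    action="Remove-MailboxPermission"),        # no: wrong action
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["o365.audit.Parameters.AccessRights"])
```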