Techniques
Sample rules
O365 Elevated Mailbox Permission Assigned
- source: splunk
- techniques:
  - T1098
  - T1098.002
Description
This detection triggers on the assignment of elevated mailbox permissions within an Office 365 environment, specifically through the Add-MailboxPermission operation as logged under the Exchange workload in o365_management_activity. It is scoped to grants of the critical permissions FullAccess, ChangePermission, or ChangeOwner, each of which is a significant change to a mailbox's access controls and warrants review.
Detection logic
`o365_management_activity` Workload=Exchange Operation=Add-MailboxPermission
| search (AccessRights=FullAccess OR AccessRights=ChangePermission OR AccessRights=ChangeOwner)
| rename Identity AS dest_user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user dest_user Operation AccessRights
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_elevated_mailbox_permission_assigned_filter`
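The same filter-and-aggregate logic as the SPL above, re-implemented in Python over constructed audit events so it can be run offline against exported logs; this is an added example, not code from the rule or from Splunk security content. The record layout (Workload, Operation, UserId, CreationTime and a Parameters list of Name/Value pairs) follows the Exchange admin audit shape and is an assumption, as is the handling of comma-separated multi-right grants.

```python
"""Added example (not from the rule above or Splunk security content): the SPL
re-implemented over constructed O365 events. The record shape (Workload, Operation,
UserId, CreationTime, Parameters name/value pairs) is an assumption."""
from datetime import datetime

ELEVATED_RIGHTS = {"FullAccess", "ChangePermission", "ChangeOwner"}


def _param(event, name):
    """Return the value of the named Parameters entry, or None if absent."""
    for p in event.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def elevated_mailbox_permissions(events):
    """Mirror the SPL: keep Exchange Add-MailboxPermission events granting an
    elevated right; count and track first/last time per user, dest_user,
    Operation and AccessRights."""
    stats = {}
    for ev in events:
        if ev.get("Workload") != "Exchange" or ev.get("Operation") != "Add-MailboxPermission":
            continue
        rights = _param(ev, "AccessRights") or ""
        # One grant may list several comma-separated rights; alert if any is elevated.
        if not {r.strip() for r in rights.split(",")} & ELEVATED_RIGHTS:
            continue
        key = (ev.get("UserId"), _param(ev, "Identity"), ev["Operation"], rights)
        ts = datetime.fromisoformat(ev["CreationTime"])
        row = stats.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        row["count"] += 1
        row["firstTime"], row["lastTime"] = min(row["firstTime"], ts), max(row["lastTime"], ts)
    return [{"user": k[0], "dest_user": k[1], "Operation": k[2], "AccessRights": k[3], **v}
            for k, v in sorted(stats.items(), key=lambda kv: str(kv[0]))]


def _event(time, workload, operation, user, identity, rights):
    """Build one constructed audit record in the assumed shape."""
    return {"CreationTime": time, "Workload": workload, "Operation": operation, "UserId": user,
            "Parameters": [{"Name": "Identity", "Value": identity},
                           {"Name": "AccessRights", "Value": rights}]}


SAMPLE_EVENTS = [  # constructed sample data, not a real tenant's logs
    _event("2024-05-01T09:15:00", "Exchange", "Add-MailboxPermission", "admin@example.com", "ceo@example.com", "FullAccess"),
    _event("2024-05-01T09:20:00", "Exchange", "Add-MailboxPermission", "admin@example.com", "ceo@example.com", "FullAccess"),
    _event("2024-05-01T10:00:00", "Exchange", "Add-MailboxPermission", "helpdesk@example.com", "shared@example.com", "ReadPermission"),
    _event("2024-05-01T10:05:00", "Exchange", "Set-Mailbox", "admin@example.com", "ceo@example.com", "FullAccess"),
    _event("2024-05-01T11:00:00", "Exchange", "Add-MailboxPermission", "helpdesk@example.com", "finance@example.com", "ReadPermission, ChangeOwner"),
]
```

Running `elevated_mailbox_permissions(SAMPLE_EVENTS)` yields two rows: the repeated FullAccess grant on the ceo mailbox (count 2) and the mixed grant that includes ChangeOwner; the ReadPermission-only grant and the Set-Mailbox event are dropped, matching the rule's filter. The SPL's trailing filter macro corresponds to an allowlist step you would apply to these rows before alerting.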