elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation #3775

Open willemri opened 2 months ago

willemri commented 2 months ago

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml https://www.elastic.co/guide/en/security/8.14/prebuilt-rule-0-14-2-o365-exchange-suspicious-mailbox-right-delegation.html

Description

2 issues:

  1. The rule query on the elastic.co site is not the same as the one on GitHub.
  2. I'm not sure if this is by design by Microsoft, or a typo in the rule. The part with the exclusion in the user.id: "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" should actually be: "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)". My suggestion would change the query to:
     event.dataset:o365.audit AND event.provider:Exchange AND event.action:Add-MailboxPermission AND o365.audit.Parameters.AccessRights:(FullAccess OR SendAs OR SendOnBehalf) AND event.outcome:success AND NOT user.id: ("NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" OR "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)")

Example Data

  -- {OrganizationName=gentplus.onmicrosoft.com, Parameters=[{Value=, Name=DomainController}, {Value=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/DiscoverySearchMailbox{Dxxxxxxx-46A6-415f-80AD-xxxxxxxxx}, Name=Identity}, {Value=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/Discovery Management, Name=User}, {Value=FullAccess, Name=AccessRights}], RequestId=xxxxxxxx-93af-470a-d21d-xxxxxxxx, ResultStatus=True, ObjectId=EURPR02A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/gentplus.onmicrosoft.com/DiscoverySearchMailbox{Dxxxxxxx-46A6-415f-80AD-xxxxxxxxx}, UserKey=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost), ExternalAccess=true, Operation=Add-MailboxPermission, OrganizationId=xxxxxxx-1ebf-4335-ad13-xxxxxxxxxxx, AppAccessContext={UniqueTokenId=}, Workload=Exchange, OriginatingServer=VI1PR0402MB3566 (15.20.7633.033), AppId=, RecordType=1, Version=1, UserId=NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost), ClientAppId=, CreationTime=2024-06-07T14:28:01, CorrelationID=, Id=xxxxxxxx-93af-470a-d21d-xxxxxxxx, UserType=3, AppPoolName=MSExchangeServiceHost}  
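The case-sensitivity point raised in the comment above, as an added example that is not code from elastic/detection-rules: it evaluates the rule's clauses over two constructed o365.audit records, one mirroring the issue's benign system event and one an end-user delegation, and shows that an exclusion spelled "Servicehost" does not suppress a "ServiceHost" record. The simplified ECS field mapping and the `tenant.example` values are assumptions.

```python
# KQL on keyword fields is an exact, case-sensitive match: the rule's exclusion says
# "Servicehost" while the audit record quoted in the issue carries "ServiceHost".
ORIGINAL_EXCLUSION: set[str] = {"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)"}
PROPOSED_EXCLUSION: set[str] = ORIGINAL_EXCLUSION | {"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"}
SUSPICIOUS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def to_ecs(raw: dict) -> dict:
    """Map the raw o365 audit fields the rule uses onto ECS names (an assumed,
    simplified version of the integration's mapping, not the integration itself)."""
    params = {p["Name"]: p["Value"] for p in raw.get("Parameters", [])}
    return {
        "event.dataset": "o365.audit",
        "event.provider": raw.get("Workload"),
        "event.action": raw.get("Operation"),
        "event.outcome": "success" if raw.get("ResultStatus") == "True" else "failure",
        "user.id": raw.get("UserId"),
        "o365.audit.Parameters.AccessRights": params.get("AccessRights"),
    }


def rule_matches(event: dict, excluded_users: set[str]) -> bool:
    """True when the event satisfies every clause of the rule query."""
    return (
        event["event.dataset"] == "o365.audit"
        and event["event.provider"] == "Exchange"
        and event["event.action"] == "Add-MailboxPermission"
        and event["o365.audit.Parameters.AccessRights"] in SUSPICIOUS_RIGHTS
        and event["event.outcome"] == "success"
        and event["user.id"] not in excluded_users  # exact match, like a KQL keyword term
    )


# Constructed sample events: the first mirrors the issue's system record (tenant and
# mailbox values are placeholders), the second is a delegation made by an end user.
SAMPLE_EVENTS: list[dict] = [
    {"Workload": "Exchange", "Operation": "Add-MailboxPermission", "ResultStatus": "True",
     "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
     "Parameters": [{"Name": "Identity", "Value": "tenant.example/DiscoverySearchMailbox"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Workload": "Exchange", "Operation": "Add-MailboxPermission", "ResultStatus": "True",
     "UserId": "alice@tenant.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@tenant.example"},
                    {"Name": "AccessRights", "Value": "SendAs"}]},
]


def alerts(excluded_users: set[str]) -> list[str]:
    """user.id of every sample event the rule alerts on under the given exclusion."""
    return [e["user.id"] for e in map(to_ecs, SAMPLE_EVENTS) if rule_matches(e, excluded_users)]
```

With the original exclusion the system account still alerts; with the proposed exclusion only the end-user delegation does.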
willem-dhaese commented 2 months ago

Related to https://github.com/elastic/detection-rules/issues/3702

janniten commented 2 weeks ago

+1