From 17845c2bf982c6cf4694152bcaee725bb64765fe Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Mon, 27 Sep 2021 16:18:33 -0500
Subject: [PATCH] [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211)

(cherry picked from commit 5ac7fb639c99f2168dc680636986c6643ca7d8fa)
---
 ...e_suspicious_mailbox_right_delegation.toml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 rules/microsoft-365/persistence_exchange_suspicious_mailbox_right_delegation.toml

diff --git a/rules/microsoft-365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/microsoft-365/persistence_exchange_suspicious_mailbox_right_delegation.toml
new file mode 100644
index 000000000..512073ba8
--- /dev/null
+++ b/rules/microsoft-365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2021/05/17"
+maturity = "production"
+updated_date = "2021/06/22"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account
+to send messages to other accounts in the network of the target business while creating inbox rules, so messages can
+evade spam/phishing detection mechanisms.
+"""
+false_positives = ["Assignment of rights to a service account."]
+index = ["filebeat-*", "logs-o365*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "O365 Exchange Suspicious Mailbox Right Delegation"
+note = """## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+risk_score = 21
+rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
+severity = "low"
+tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
+o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1098/"
+name = "Account Manipulation"
+id = "T1098"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1098/002/"
+name = "Exchange Email Delegate Permissions"
+id = "T1098.002"
+
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0003/"
+name = "Persistence"
+id = "TA0003"
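Review bot: The `description` does not describe what the `query` detects: the query matches successful `Add-MailboxPermission` events granting `FullAccess`, `SendAs` or `SendOnBehalf`, while the text talks about sending messages and creating inbox rules, which this query never inspects; reword it to say that the rule identifies the delegation of mailbox access rights to another account, which lets a compromised or adversary-controlled account read or send mail as the victim mailbox (T1098.002), and fix the typo `accesss`. The `false_positives` entry could also name legitimate administrator delegation and shared-mailbox setup, since `event.outcome:success` alone does not distinguish them. Separately, part of the `AccessRights` list may be dead: in Exchange Online, SendAs and SendOnBehalf are typically granted through other cmdlets (`Add-RecipientPermission`, `Set-Mailbox -GrantSendOnBehalfTo`) rather than `Add-MailboxPermission`, so it is worth confirming against real audit events whether those values ever appear here and, if not, either widening `event.action` or trimming the list. The three blank lines before `[rule.threat.tactic]` should be one, matching the spacing elsewhere in the file.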