security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589)

Browse Source
This commit is contained in:
Jonhnathan
2025-04-02 09:52:34 -03:00
committed by GitHub
parent 6d8cfda10f
commit e7806fc74f
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/04/01"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -64,7 +64,7 @@ type = "query"
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
'''