O365 Exchange Suspicious Mailbox Right Delegation with wrong user.id?

RedneckHutch · November 5, 2024, 6:56pm

Hey everyone! We have enabled the Elastic Rule O365 Exchange Suspicious Mailbox Right Delegation. We enabled the default query which can seen below.

event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"

We have noticed within our environment that o365 logs contain the user.id

NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)

and not (Which is in the default rule query)

NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)

Would it be possible for someone in the community to validate if their user.id contains a lower case or capital H? We are trying to determine if the default is incorrect or if it is just for our environment.

lesio · November 6, 2024, 11:49am

If you google for that string both variants shows up, example:

High-Severity Alert - NT AUTHORITY\SYSTEM - Collaboration - Spiceworks Community

A low severity alert has been triggered | Microsoft Community Hub

Topic		Replies	Views
Office 365 Filebeat Module - Improve ECS utilization Beats ecs-elastic-common-schema , filebeat	3	666	October 25, 2022
Microsoft 365 Detection Rule/Machine Learning Rule Elastic Security elastic-stack-machine-learning	3	963	November 4, 2022
Rules ( EMail variables Alerts ) Elastic Security elastic-stack-alerting	5	452	June 14, 2022
EQL rules are wrong, God help me Elastic Security	7	386	October 20, 2022
Action [indices:admin/auto_create] is unauthorized for API key id [-#########] of user [elastic/fleet-server] on indices [metricbeat-#######] Elasticsearch fleet	3	846	August 12, 2021

O365 Exchange Suspicious Mailbox Right Delegation with wrong user.id?

Related topics