O365 Suspicious Rights Delegation
This search detects the assignment of rights to accesss content from another mailbox. This is usually only assigned to a service account.
- Type: TTP
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-12-15
- Author: Patrick Bareiss, Splunk
- ID: b25d2973-303e-47c8-bacd-52b61604c6a7
Kill Chain Phase
- Actions on Objectives
- CIS 16
1 2 3 4 5 6 7 8 `o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`
The SPL above uses the following Macros:
o365_suspicious_rights_delegation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
Known False Positives
Associated Analytic Story
|48.0||80||60||User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive|
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Replay any dataset to Splunk Enterprise by using our
replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1