

This search detects the assignment of rights to access content from another mailbox. Such rights are usually only assigned to a service account.

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-15
  • Author: Patrick Bareiss, Splunk
  • ID: b25d2973-303e-47c8-bacd-52b61604c6a7


ID          Technique                  Tactic
T1114.002   Remote Email Collection    Collection
T1114       Email Collection           Collection

`o365_management_activity` Operation=Add-MailboxPermission
| spath input=Parameters
| rename User AS src_user, Identity AS dest_user
| search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights
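
The same detection logic, re-implemented offline in Python as an added example (this is not Splunk's code and does not run inside Splunk): it filters constructed o365:management:activity-style events for Operation=Add-MailboxPermission, expands the Parameters field the way `spath input=Parameters` does, keeps only FullAccess, SendAs and SendOnBehalf grants, and aggregates count, first and last time per actor, grantee, mailbox, operation and right, mirroring the `stats ... by` clause. Assumptions not taken from the page: the event field names UserId and CreationTime and the Name/Value layout of Parameters follow the Exchange audit schema; Parameters is carried as a JSON string; the sample events are constructed; the `allowlist` parameter (to suppress the service-account false positive the page mentions) and the splitting of a multi-valued AccessRights value go beyond what the search itself does.

```python
"""Offline version of the Add-MailboxPermission delegation detection.

Added example, not Splunk's code. Field names (UserId, CreationTime,
Parameters as a JSON list of Name/Value pairs) are assumed from the
Exchange audit schema; the events below are constructed test data.
"""
import json
from datetime import datetime, timezone

# The rights the search alerts on. In Exchange terms, -Identity is the
# mailbox being shared and -User is the principal receiving the right; the
# search renames User -> src_user and Identity -> dest_user, kept here.
SUSPICIOUS_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def _params(identity, user, rights):
    """Build a constructed Parameters value in Name/Value form, as a JSON string."""
    return json.dumps([
        {"Name": "Identity", "Value": identity},
        {"Name": "User", "Value": user},
        {"Name": "AccessRights", "Value": rights},
    ])


# Constructed sample events (not real tenant data); times are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"CreationTime": "2020-12-15T08:01:10", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": _params("ceo@example.com", "contractor@example.com", "FullAccess")},
    {"CreationTime": "2020-12-15T08:05:42", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": _params("ceo@example.com", "contractor@example.com", "FullAccess")},
    # Known false-positive shape: a service account given SendAs on a shared mailbox.
    {"CreationTime": "2020-12-15T09:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": _params("shared@example.com", "svc-mailer@example.com", "SendAs")},
    # A right the search does not alert on.
    {"CreationTime": "2020-12-15T09:10:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com",
     "Parameters": _params("shared@example.com", "alice@example.com", "ReadPermission")},
    # A different operation entirely; filtered out by the Operation test.
    {"CreationTime": "2020-12-15T09:30:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com",
     "Parameters": json.dumps([{"Name": "Identity", "Value": "ceo@example.com"}])},
]


def expand_parameters(event):
    """Equivalent of `spath input=Parameters`: turn the Name/Value list into a dict."""
    raw = event.get("Parameters", "[]")
    params = json.loads(raw) if isinstance(raw, str) else raw
    return {p["Name"]: p.get("Value") for p in params if "Name" in p}


def _epoch(ts):
    """Convert the event's CreationTime (assumed UTC) to a Unix timestamp, like _time."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()


def detect(events, allowlist=frozenset()):
    """Return one aggregated row per (user, src_user, dest_user, Operation, AccessRights).

    `allowlist` holds grantee accounts (src_user) that may legitimately receive
    delegated rights, e.g. known service accounts; it is an addition to the search.
    """
    groups = {}
    for ev in events:
        if ev.get("Operation") != "Add-MailboxPermission":
            continue
        p = expand_parameters(ev)
        # AccessRights can be multi-valued in Exchange; split defensively (assumption).
        rights = {r.strip() for r in str(p.get("AccessRights", "")).replace(";", ",").split(",")}
        hits = rights & SUSPICIOUS_RIGHTS
        src_user = p.get("User")
        if not hits or src_user in allowlist:
            continue
        t = _epoch(ev["CreationTime"])
        for right in sorted(hits):
            key = (ev.get("UserId"), src_user, p.get("Identity"), ev["Operation"], right)
            g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], t)
            g["lastTime"] = max(g["lastTime"], t)
    rows = []
    for key in sorted(groups, key=lambda k: tuple(str(x) for x in k)):
        user, src_user, dest_user, operation, right = key
        rows.append({"user": user, "src_user": src_user, "dest_user": dest_user,
                     "Operation": operation, "AccessRights": right, **groups[key]})
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, allowlist={"svc-mailer@example.com"}):
        print(row)
```

Running the module prints only the contractor's FullAccess grant on the CEO mailbox (count 2); the service-account SendAs row appears as well if `allowlist` is left empty, which is the false positive the page calls out.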

Associated Analytic Story

How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with the o365:management:activity sourcetype.

Required fields

  • _time
  • Operation
  • Parameters

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Service Accounts


Risk Score   Impact   Confidence   Message
48.0         80       60           User $user$ has delegated suspicious rights $AccessRights$ to user $dest_user$ that allow access to sensitive


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1