Query Details

DCA Detect Admin Granting Own Access to Mailbox

Query

//Detect when one of your Exchange admins grants themselves access to another user's mailbox

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
CloudAppEvents
| extend Operation= tostring(RawEventData.Operation)
| where Operation == "Add-MailboxPermission"
//Parameters is an array of Name/Value pairs; positions 2, 3 and 4 are assumed here to hold the mailbox identity, the user being granted access and the access rights
| extend TargetMailbox = tostring(parse_json(tostring(RawEventData.Parameters))[2].Value)
| extend UserAdded = tostring(parse_json(tostring(RawEventData.Parameters))[3].Value)
| extend AccessGranted = tostring(parse_json(tostring(RawEventData.Parameters))[4].Value)
//The account that ran the cmdlet
| extend Actor = tostring(RawEventData.UserId)
//Self-grant: the actor and the grantee are the same account (case-insensitive match)
| where Actor =~ UserAdded
| project TimeGenerated, Actor, TargetMailbox, UserAdded, AccessGranted

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

CloudAppEvents
| extend Operation= tostring(RawEventData.Operation)
| where Operation == "Add-MailboxPermission"
| extend TargetMailbox = tostring(parse_json(tostring(RawEventData.Parameters))[2].Value)
| extend UserAdded = tostring(parse_json(tostring(RawEventData.Parameters))[3].Value)
| extend AccessGranted = tostring(parse_json(tostring(RawEventData.Parameters))[4].Value)
| extend Actor = tostring(RawEventData.UserId)
| where Actor =~ UserAdded 
| project Timestamp, Actor, TargetMailbox, UserAdded, AccessGranted

Explanation

This query detects an Exchange administrator granting themselves access to another user's mailbox. It reads Exchange Online audit records from the CloudAppEvents table, which the Microsoft 365 Defender connector populates in Microsoft Sentinel and which is available directly in Advanced Hunting. It keeps only Add-MailboxPermission operations, pulls the target mailbox, the user being added and the access rights granted out of the RawEventData.Parameters array, and takes the actor from RawEventData.UserId. An event is returned when the actor and the added user are the same account; the =~ comparison is case-insensitive. The two versions are identical apart from the time column: TimeGenerated in Sentinel, Timestamp in Advanced Hunting.

Two caveats when tuning it. The parameter values are read by array position ([2], [3] and [4]), so the extraction is only correct while the audit record lists the mailbox identity, the user and the access rights in that order; if a run returns empty or swapped columns, inspect the raw Parameters array and match on the parameter Name instead. The self-grant test is an exact string comparison, so it will miss cases where the User parameter is logged in a different form from UserId (for example an alias or display name rather than the full UPN).
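The following is an added example, not part of the original page or Matt Zorich's query: the same detection rewritten to resolve cmdlet parameters by name rather than by array position, so it does not break if the parameter order in the audit record changes. It assumes that each element of RawEventData.Parameters is a Name/Value pair and that Add-MailboxPermission is logged with parameters named Identity, User and AccessRights (the cmdlet's own parameter names). AccountDisplayName and IPAddress are standard CloudAppEvents columns and are projected for triage.

```kql
// Added example (not the original page's query): name-based parameter lookup.
// Assumption: RawEventData.Parameters is an array of {Name, Value} objects and
// Add-MailboxPermission is logged with parameters Identity, User and AccessRights.
CloudAppEvents
| where ActionType == "Add-MailboxPermission"
| extend Actor = tostring(RawEventData.UserId)
| extend Parameters = parse_json(tostring(RawEventData.Parameters))
// Fold the Name/Value array into a single property bag keyed by parameter name
| mv-apply P = Parameters on (
    summarize Params = make_bag(bag_pack(tostring(P.Name), tostring(P.Value)))
  )
| extend TargetMailbox = tostring(Params.Identity),
         UserAdded     = tostring(Params.User),
         AccessGranted = tostring(Params.AccessRights)
// Drop records where the expected parameter was not present (schema drift, partial logging)
| where isnotempty(UserAdded) and isnotempty(TargetMailbox)
// Self-grant: the account running the cmdlet is also the grantee (case-insensitive)
| where Actor =~ UserAdded
| project TimeGenerated, Actor, AccountDisplayName, IPAddress, TargetMailbox, UserAdded, AccessGranted
```

For Advanced Hunting, replace TimeGenerated with Timestamp in the final project; the rest of the query is unchanged. The isnotempty filter is deliberate: with positional indexing a schema change silently yields wrong columns, whereas with name-based lookup a missing parameter shows up as an empty value, which you can alert on separately if you want to know when the record shape has changed.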

Details


Matt Zorich

Released: June 17, 2022

Tables

CloudAppEvents

Keywords

CloudAppEvents,Operation,Add-MailboxPermission,TargetMailbox,UserAdded,AccessGranted,Actor,TimeGenerated,Timestamp

Operators

extend,where,tostring,parse_json,project
