DCA Detect Admin Granting Own Accessto Mailbox
Query
//Detect when one of your Exchange admins grants themselves access to another users mailbox
//Data connector required for this query - M365 Defender - CloudAppEvents
//Microsoft Sentinel query
CloudAppEvents
| extend Operation= tostring(RawEventData.Operation)
| where Operation == "Add-MailboxPermission"
| extend TargetMailbox = tostring(parse_json(tostring(RawEventData.Parameters))[2].Value)
| extend UserAdded = tostring(parse_json(tostring(RawEventData.Parameters))[3].Value)
| extend AccessGranted = tostring(parse_json(tostring(RawEventData.Parameters))[4].Value)
| extend Actor = tostring(RawEventData.UserId)
| where Actor =~ UserAdded
| project TimeGenerated, Actor, TargetMailbox, UserAdded, AccessGranted
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
CloudAppEvents
| extend Operation= tostring(RawEventData.Operation)
| where Operation == "Add-MailboxPermission"
| extend TargetMailbox = tostring(parse_json(tostring(RawEventData.Parameters))[2].Value)
| extend UserAdded = tostring(parse_json(tostring(RawEventData.Parameters))[3].Value)
| extend AccessGranted = tostring(parse_json(tostring(RawEventData.Parameters))[4].Value)
| extend Actor = tostring(RawEventData.UserId)
| where Actor =~ UserAdded
| project Timestamp, Actor, TargetMailbox, UserAdded, AccessGrantedExplanation
This query is used to detect when an Exchange admin grants themselves access to another user's mailbox. It utilizes the M365 Defender - CloudAppEvents data connector in Microsoft Sentinel or the Advanced Hunting license data connector. The query filters for events where the operation is "Add-MailboxPermission" and extracts relevant information such as the target mailbox, the user added, the access granted, and the actor (admin). It then compares the actor to the user added to identify when an admin grants themselves access. The query outputs the timestamp, actor, target mailbox, user added, and access granted for further analysis.
Details

Matt Zorich
Released: June 17, 2022
Tables
CloudAppEvents
Keywords
CloudAppEventsOperationAdd-MailboxPermissionTargetMailboxUserAddedAccessGrantedActorTimeGeneratedTimestamp
Operators
extendwheretostringparse_jsonproject