Query Details

Office Activity Detect Full Mailbox Access

Query

//Detect when an Exchange admin grants full mailbox access to another user

//Data connector required for this query - Office 365

OfficeActivity
| where RecordType == "ExchangeAdmin"
| where Operation == "Add-MailboxPermission"
| parse-where Parameters with * 'Identity","Value":"' TargetMailbox '"' *
| parse-where Parameters with * 'User","Value":"' UserGivenAccess '"' *
| parse-where Parameters with * 'AccessRights","Value":"' AccessRights '"' *
| project
    TimeGenerated,
    Actor=UserId,
    ['Target Mailbox']=TargetMailbox,
    ['Target Mailbox DisplayName']=OfficeObjectId,
    ['User Granted Access']=UserGivenAccess,
    ['Access Type']=AccessRights
| where tolower(Actor) != "nt authority\\system (microsoft.exchange.servicehost)"
| sort by TimeGenerated desc 

Explanation

This query surfaces mailbox permission grants made by Exchange administrators in Office 365, which is how an attacker or insider quietly obtains read (or full) access to someone else's mailbox without touching the victim's credentials. It reads the OfficeActivity table (populated by the Office 365 data connector) and keeps only ExchangeAdmin records whose Operation is Add-MailboxPermission. The Parameters field of those records is a JSON array of Name/Value pairs, so three parse-where statements pull out the Identity (the mailbox being shared), the User (the principal receiving access) and the AccessRights value; because parse-where discards any row in which a pattern does not match, records missing one of these parameters are dropped rather than emitted with empty columns. The query then projects the actor (UserId), the target mailbox and its display name (OfficeObjectId), the grantee and the access type, excludes grants performed by the Exchange service host account ("nt authority\system (microsoft.exchange.servicehost)"), which makes routine automated permission changes, and sorts by TimeGenerated descending so the newest grant is first. Note that although the title refers to full mailbox access, the query extracts AccessRights but does not filter on it, so ReadPermission and other rights also appear in the Access Type column; narrow the where clause on that column if only FullAccess grants are wanted, and pair this detection with the corresponding Remove-MailboxPermission operation to see whether the grant was later cleaned up.
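The same detection logic, implemented in Python over a handful of constructed OfficeActivity rows so it can be run offline. This is an added example and is not code from the page or from Matt Zorich; it assumes the Parameters column holds the JSON array of {"Name": ..., "Value": ...} objects that the Exchange audit log writes, and it parses that array as JSON instead of matching substrings the way the KQL parse-where statements do. The full_access_only switch adds the FullAccess filter that the query itself leaves out, and the sample rows exercise the cases the query must ignore: a different RecordType, a Remove-MailboxPermission, a grant by the Exchange service host account, and a record missing one of the three parameters.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Actor the KQL query excludes (compared case-insensitively, as tolower() does).
SYSTEM_ACTOR = "nt authority\\system (microsoft.exchange.servicehost)"


@dataclass
class MailboxGrant:
    """One projected row: mirrors the columns the KQL query emits."""
    time_generated: str
    actor: str
    target_mailbox: str
    target_display_name: str
    user_granted_access: str
    access_rights: str


def parse_parameters(raw: str) -> Dict[str, str]:
    """Turn the Parameters JSON array into a Name -> Value dict; {} if unparsable."""
    try:
        items = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    if not isinstance(items, list):
        return {}
    return {i["Name"]: i["Value"] for i in items
            if isinstance(i, dict) and "Name" in i and "Value" in i}


def detect_mailbox_grants(rows: Iterable[dict], full_access_only: bool = False) -> List[MailboxGrant]:
    """Replicates the query's filters, parsing, projection and ordering."""
    hits: List[MailboxGrant] = []
    for row in rows:
        if row.get("RecordType") != "ExchangeAdmin":
            continue
        if row.get("Operation") != "Add-MailboxPermission":
            continue
        params = parse_parameters(row.get("Parameters", ""))
        # parse-where drops the row entirely if any of the three patterns fails to match.
        if not all(k in params for k in ("Identity", "User", "AccessRights")):
            continue
        actor = row.get("UserId", "")
        if actor.lower() == SYSTEM_ACTOR:
            continue
        rights = params["AccessRights"]
        # Optional narrowing the original query does not do: keep FullAccess grants only.
        if full_access_only and "fullaccess" not in rights.lower():
            continue
        hits.append(MailboxGrant(
            time_generated=row.get("TimeGenerated", ""),
            actor=actor,
            target_mailbox=params["Identity"],
            target_display_name=row.get("OfficeObjectId", ""),
            user_granted_access=params["User"],
            access_rights=rights,
        ))
    # sort by TimeGenerated desc (ISO-8601 strings sort correctly as text).
    hits.sort(key=lambda g: g.time_generated, reverse=True)
    return hits


def _params(identity: str, user: str, rights: str) -> str:
    """Builds a Parameters value in the audit-log shape (constructed, not captured)."""
    return json.dumps([
        {"Name": "Identity", "Value": identity},
        {"Name": "User", "Value": user},
        {"Name": "AccessRights", "Value": rights},
        {"Name": "InheritanceType", "Value": "All"},
    ])


# Constructed sample rows; tenant names, mailboxes and times are made up.
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-05-29T10:01:00Z", "RecordType": "ExchangeAdmin",
     "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
     "OfficeObjectId": "CEO Mailbox",
     "Parameters": _params("ceo@contoso.example", "assistant@contoso.example", "FullAccess")},
    {"TimeGenerated": "2023-05-29T11:30:00Z", "RecordType": "ExchangeAdmin",
     "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
     "OfficeObjectId": "Finance Shared",
     "Parameters": _params("finance@contoso.example", "auditor@contoso.example", "ReadPermission")},
    {"TimeGenerated": "2023-05-29T12:00:00Z", "RecordType": "ExchangeAdmin",
     "Operation": "Remove-MailboxPermission", "UserId": "admin@contoso.example",
     "OfficeObjectId": "CEO Mailbox",
     "Parameters": _params("ceo@contoso.example", "assistant@contoso.example", "FullAccess")},
    {"TimeGenerated": "2023-05-29T12:05:00Z", "RecordType": "ExchangeAdmin",
     "Operation": "Add-MailboxPermission",
     "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)",
     "OfficeObjectId": "Room 1",
     "Parameters": _params("room1@contoso.example", "facilities@contoso.example", "FullAccess")},
    {"TimeGenerated": "2023-05-29T12:10:00Z", "RecordType": "ExchangeItem",
     "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
     "OfficeObjectId": "x", "Parameters": _params("a@contoso.example", "b@contoso.example", "FullAccess")},
    {"TimeGenerated": "2023-05-29T12:15:00Z", "RecordType": "ExchangeAdmin",
     "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
     "OfficeObjectId": "Broken",
     "Parameters": json.dumps([{"Name": "Identity", "Value": "c@contoso.example"}])},
]

if __name__ == "__main__":
    for grant in detect_mailbox_grants(SAMPLE_ROWS):
        print(grant)
```

Running the block prints the two grants by the human administrator, newest first; passing full_access_only=True leaves only the FullAccess grant on the CEO mailbox, which is the row an analyst would triage first.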

Details


Matt Zorich

Released: May 29, 2023

Tables

OfficeActivity

Keywords

OfficeActivity, RecordType, ExchangeAdmin, Operation, Add-MailboxPermission, Parameters, Identity, Value, TargetMailbox, User, UserGivenAccess, AccessRights, TimeGenerated, Actor, UserId, OfficeObjectId, Target Mailbox DisplayName, Access Type, tolower, nt authority\system (microsoft.exchange.servicehost), sort

Operators

where, ==, |, parse-where, with, *, project, =, [' '] (column alias), tolower, !=, sort by, desc
