OfficeActivity - Rare and potentially high-risk Office operations and automation


Hi,


We are receiving a number of "OfficeActivity - Rare and potentially high-risk Office operations" alerts for users who are setting up mailbox GrantSendOnBehalfOf permissions and creating mail-moving rules.


I wondered what modifications to the analytic rule people have made to reduce the noise, or whether anyone has automation to ask the end user if they made the reported change (maybe with some verification to confirm the end user).


Regards


Mike

4 Replies
Hi, I actually have not changed this rule myself yet. But my initial thought is to look at the mailboxes being shared, and to which users. From my experience, the most common false positive for this is people sharing access to their mailbox for a short period because they are going on vacation or sick leave or something else. So I would not say it is malicious to share your inbox internally. However, if shared externally and to another domain it would be more suspicious.
Another point: look for newly created users as well, as that could be a potentially suspicious internal user getting access.

@MikeP751860 Hi, did you get to fine-tune this alert? Can you please share your insights on this?

@Monkey_D_Luffy Not tuned it yet, but when I do I'm adding NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore) to be filtered out, as we are getting events from that account.
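Pulling the three tuning ideas in this thread together (exclude the Exchange service account, treat internal mailbox shares as benign but external ones as suspicious, and flag grants to newly created users), here is an added KQL example of a tuned query for Sentinel. It is not the built-in rule's query and not code from anyone in the thread. It assumes the standard OfficeActivity columns (Operation, UserId, Parameters, OfficeObjectId, OfficeWorkload, ClientIP), that Parameters is a JSON array of {Name, Value} objects, that the AuditLogs table from Entra ID is connected, and that the domains in internalDomains are placeholders you replace with your tenant's accepted domains:

```kql
// Added tuning example, not the built-in "Rare and potentially high-risk Office operations" query.
let lookback = 1d;
let newUserWindow = 14d;
// Service account named in the thread; extend the list as you observe other noisy actors.
let excludedActors = dynamic(["NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)"]);
// Constructed placeholder values: replace with the tenant's accepted domains.
let internalDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
// Users created recently, taken from the Entra ID "Add user" audit event (assumes AuditLogs is connected).
let recentlyCreated = AuditLogs
    | where TimeGenerated > ago(newUserWindow)
    | where OperationName == "Add user"
    | mv-expand TargetResources
    | extend NewUser = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(NewUser)
    | summarize CreatedAt = min(TimeGenerated) by NewUser;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in~ ("Add-MailboxPermission", "Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where not(UserId in~ (excludedActors))
// Flatten the Parameters array into one property bag so parameters can be addressed by name.
| extend P = parse_json(Parameters)
| mv-apply P on (summarize Params = make_bag(bag_pack(tostring(P.Name), tostring(P.Value))))
// Who is being granted access: mailbox permission trustee or send-on-behalf delegate.
| extend Grantee = tolower(coalesce(tostring(Params.User), tostring(Params.GrantSendOnBehalfTo), tostring(Params.Trustee)))
// Mail-moving / forwarding targets set by inbox rules or mailbox forwarding.
| extend ForwardTo = tostring(coalesce(Params.ForwardTo, Params.ForwardingSmtpAddress, Params.RedirectTo))
| extend GranteeDomain = tolower(tostring(split(Grantee, "@")[1]))
| extend Scope = case(
    isempty(Grantee), "n/a",
    GranteeDomain in (internalDomains), "internal",
    "external")
| join kind=leftouter recentlyCreated on $left.Grantee == $right.NewUser
| extend GranteeIsNew = isnotempty(CreatedAt)
| extend Severity = case(
    Scope == "external", "High",
    GranteeIsNew, "High",
    isnotempty(ForwardTo), "Medium",
    "Low")
// Suppress the common benign case: an internal share to an established user with no forwarding.
| where Severity != "Low"
| project TimeGenerated, Operation, Actor = UserId, Mailbox = OfficeObjectId,
          Grantee, Scope, GranteeIsNew, ForwardTo, Severity, ClientIP
```

Two caveats when applying this: the User parameter of Add-MailboxPermission can carry a display name or a canonical name rather than a UPN, in which case the domain split yields an empty suffix and the grant is classed as external, so review those hits before trusting the classification; and the "ask the end user" automation the original question mentions belongs in a Sentinel automation rule or Logic App playbook triggered on the incident, not in the query itself.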