
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation #3446

Open
BCall-BT opened this issue Feb 14, 2024 · 2 comments
Labels: backlog, community, Rule: Tuning (tweaking or tuning an existing rule)

Comments

@BCall-BT

## Link to rule

## Description

Typo in the filter used to exclude "NT AUTHORITY\SYSTEM" from the alerts due to it being case-sensitive.

The current query has `not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"`. However, the log data coming in from Microsoft has a capital "H" in servicehost. The filter should be `not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"`.

## Example Data

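To show why the exclusion silently fails, here is an added Python example (not code from this issue or from the Elastic detection-rules project) that models the rule's exclusion as the exact, case-sensitive comparison KQL performs on a keyword field, runs it over constructed sample events, and adds a small tuning check that flags exclusion values differing from observed log values only by case. The `event.action` condition and the sample events are assumptions; only the `user.id` exclusion strings are taken from the issue.

```python
# Added example, not the rule's real query. Keyword fields compare byte-for-byte,
# so an exclusion that differs from the logged value only by case excludes nothing
# and the rule keeps alerting on benign Exchange service-host activity.

SYSTEM_ACTOR_LOGGED = "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"  # as logged
EXCLUSION_TYPO = "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)"       # current rule
EXCLUSION_FIXED = "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"      # proposed fix

# Constructed sample events (assumed field shape): two benign service-host
# delegations, one delegation by a user account, one unrelated cmdlet.
SAMPLE_EVENTS = [
    {"event.action": "Add-MailboxPermission", "user.id": SYSTEM_ACTOR_LOGGED},
    {"event.action": "Add-MailboxPermission", "user.id": SYSTEM_ACTOR_LOGGED},
    {"event.action": "Add-MailboxPermission", "user.id": "mallory@example.com"},
    {"event.action": "Get-Mailbox", "user.id": "mallory@example.com"},
]


def rule_matches(event: dict, excluded_user_id: str) -> bool:
    """Emulate `event.action:Add-MailboxPermission and not user.id : "<value>"`.

    `!=` (not a case-folded compare) is the faithful model of a keyword match.
    """
    if event.get("event.action") != "Add-MailboxPermission":
        return False
    return event.get("user.id") != excluded_user_id


def alerting_events(events: list, excluded_user_id: str) -> list:
    """Events that would raise an alert under the given exclusion value."""
    return [e for e in events if rule_matches(e, excluded_user_id)]


def case_only_mismatches(exclusions: list, observed_values: set) -> list:
    """Tuning check: exclusion strings that match no observed value exactly but
    do match one when case is ignored, i.e. candidates for this kind of typo."""
    findings = []
    for excl in exclusions:
        if excl in observed_values:
            continue  # exact hit, exclusion is effective
        for seen in observed_values:
            if seen.casefold() == excl.casefold():
                findings.append((excl, seen))
    return findings


if __name__ == "__main__":
    print("alerts with typo:", len(alerting_events(SAMPLE_EVENTS, EXCLUSION_TYPO)))   # 3
    print("alerts with fix: ", len(alerting_events(SAMPLE_EVENTS, EXCLUSION_FIXED)))  # 1
    print(case_only_mismatches([EXCLUSION_TYPO], {e["user.id"] for e in SAMPLE_EVENTS}))
```

Running `case_only_mismatches` over a rule's exclusion list and the distinct `user.id` values seen in the index is a cheap way to catch this class of mismatch before the rule ships.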

@BCall-BT BCall-BT added the Rule: Tuning tweaking or tuning an existing rule label Feb 14, 2024
@w0rk3r w0rk3r self-assigned this Feb 14, 2024

botelastic bot commented Apr 14, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Apr 14, 2024

botelastic bot commented Apr 21, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this as completed Apr 21, 2024
@Mikaayenson Mikaayenson added backlog and removed stale 60 days of inactivity labels Apr 22, 2024
@Mikaayenson Mikaayenson reopened this Apr 22, 2024
@w0rk3r w0rk3r assigned terrancedejesus and unassigned w0rk3r Jul 31, 2024