Forum Discussion
cbron
Aug 01, 2022, Brass Contributor
A low severity alert has been triggered
A low-severity alert has been triggered
⚠ Mailbox permissions granted
Severity: ● Low
Time: 8/1/2022 7:45:00 AM (UTC)
Activity: AddMailboxPermission
User: NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)
Details: AddMailboxPermission. This alert is triggered whenever someone gets access to read your user's email.
This alert is not particularly useful. Who or what service triggered this alert? How do I find out what mailbox it was triggered for, since I see no corresponding entries in the audit logs? I've tried searching on this alert, but every other post I've seen had a High Severity alert for this message. Why is mine low?
- A user value of "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" indicates that this is some background task performed by the system; you can ignore it.
If you want to find all the details, hit the corresponding button at the bottom, or run a query against the audit log. Here's an example value:
[
  {
    "Name": "DomainController",
    "Value": ""
  },
  {
    "Name": "Identity",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"
  },
  {
    "Name": "User",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/Discovery Management"
  },
  {
    "Name": "AccessRights",
    "Value": "FullAccess"
  }
]
- cbron (Brass Contributor): Thank you Vasil!
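To answer "which mailbox was it triggered for" from exported audit data, the Name/Value parameter array quoted in the reply can be flattened into one row per permission grant. This is an added example, not part of the original thread; the envelope fields (CreationTime, Operation, UserId), the helper names, and the second record are constructed assumptions.

```python
import json

P = "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/"
# Constructed sample. Record 1 wraps the parameter array quoted in the reply in
# an assumed envelope; record 2 is a made-up grant performed by a named admin.
SAMPLE_RECORDS = json.dumps([
    {"CreationTime": "2022-08-01T07:45:00", "Operation": "AddMailboxPermission",
     "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",
     "Parameters": [
         {"Name": "DomainController", "Value": ""},
         {"Name": "Identity", "Value": P + "DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"},
         {"Name": "User", "Value": P + "Discovery Management"},
         {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2022-08-01T09:10:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.onmicrosoft.com",
     "Parameters": [
         {"Name": "Identity", "Value": "alice@example.onmicrosoft.com"},
         {"Name": "User", "Value": "bob@example.onmicrosoft.com"},
         {"Name": "AccessRights", "Value": "FullAccess, ReadPermission"}]},
])

SYSTEM_PREFIX = "NT AUTHORITY\\SYSTEM"

def leaf(value):
    """Return the last segment of a canonical name (server/org/tenant/object)."""
    return value.rsplit("/", 1)[-1]

def summarize(records_json):
    """Flatten each mailbox-permission record into actor, mailbox, grantee, rights."""
    rows = []
    for rec in json.loads(records_json):
        # Accept the operation name with or without a hyphen.
        if rec.get("Operation", "").replace("-", "").lower() != "addmailboxpermission":
            continue
        params = {p["Name"]: p.get("Value", "") for p in rec.get("Parameters", [])}
        actor = rec.get("UserId", "")
        rows.append({
            "time": rec.get("CreationTime"),
            "actor": actor,
            "system_actor": actor.upper().startswith(SYSTEM_PREFIX),
            "mailbox": leaf(params.get("Identity", "")),   # mailbox that was opened up
            "grantee": leaf(params.get("User", "")),       # who received the access
            "rights": [r.strip() for r in params.get("AccessRights", "").split(",") if r.strip()],
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS):
        print(row)
```

Rows with `system_actor` set to false are the grants made by a named account, which is where the mailbox and grantee columns matter most for review.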