Forum Discussion

cbron's avatar
cbron
Brass Contributor
Aug 01, 2022

A low severity alert has been triggered

A low-severity alert has been triggered

Mailbox permissions granted

Severity: Low

Time: 8/1/2022 7:45:00 AM (UTC)

Activity: AddMailboxPermission

User: NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)

Details: AddMailboxPermission. This alert is triggered whenever someone gets access to read your user's email.

 

This alert is not particularly useful. Who or what service triggered this alert? How do I find out what mailbox it was triggered for, since I see no corresponding entries in the audit logs? I've tried searching on this alert, but every other post I've seen had High Severity Alert for this message. Why is mine low?

 

  • A user value of "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" indicates that this is some background task performed by the system, you can ignore it.
    If you want to find all the details, hit the corresponding button at the bottom, or run a query against the audit log. Here's an example value:

    [
    {
    "Name": "DomainController",
    "Value": ""
    },
    {
    "Name": "Identity",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"
    },
    {
    "Name": "User",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/Discovery Management"
    },
    {
    "Name": "AccessRights",
    "Value": "FullAccess"
    }
    ]
  • A user value of "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" indicates that this is some background task performed by the system, you can ignore it.
    If you want to find all the details, hit the corresponding button at the bottom, or run a query against the audit log. Here's an example value:

    [
    {
    "Name": "DomainController",
    "Value": ""
    },
    {
    "Name": "Identity",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"
    },
    {
    "Name": "User",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/Discovery Management"
    },
    {
    "Name": "AccessRights",
    "Value": "FullAccess"
    }
    ]

Resources