MikeP751860
Sep 27, 2023 (Brass Contributor)
OfficeActivity - Rare and potentially high-risk Office operations and automation
Hi,
We are receiving a number of "OfficeActivity - Rare and potentially high-risk Office operations" alerts for users who are setting up mailbox GrantSendOnBehaveOf and creating mail moving rules.
Wondered what modifications to the analytic rule people have made to reduce the noise or any automation to ask the end user if they made the reported change (maybe with some verification to confirm the end user).
Regards
Mike
- Tobias_Moe (Copper Contributor)
Hi, I actually have not changed this rule myself yet. But my initial thought is to look at the mailboxes being shared, and to which users. From my experience, the most common false positive for this is people sharing access to their mailbox for a short period because they are going on vacation or sick leave or something else. So I would not say it is malicious to share your inbox internally. However, if shared externally and to another domain, it would be more suspicious.
- Tobias_Moe (Copper Contributor)
Another point: look for newly created users as well, as that could be a potential suspicious internal user getting access.
- Monkey_D_Luffy (Copper Contributor)
MikeP751860 Hi, did you get to fine-tune this alert? Can you please share your insights on this?
- MikeP751860 (Brass Contributor)
Monkey_D_Luffy Not tuned it yet, but when I do I'm adding NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore) to be filtered out, as we are getting events from the account.
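The tuning ideas raised in this thread (filtering out the Exchange system account, and treating internal delegation differently from delegation to another domain), written as a KQL triage query. This is an added example, not part of any post above and not the built-in analytic rule's query. The domain list, the 1-day window and the verdict labels are assumptions; `GrantSendOnBehalfTo` and `MoveToFolder` are the Exchange cmdlet parameter names the query looks for in the `Parameters` column.

```kusto
// Added example: triage of Set-Mailbox delegation and inbox-rule events.
// Assumption: replace with the domains your tenant accepts mail for.
let InternalDomains = dynamic(["contoso.example"]);
// Actor named in the thread as a source of noise.
let IgnoredActors = dynamic(["NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)"]);
OfficeActivity
| where TimeGenerated > ago(1d)                       // assumption: daily run
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where UserId !in~ (IgnoredActors)
// Parameters is a JSON array of {Name, Value} pairs: one row per pair.
| mv-expand Param = parse_json(Parameters)
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| where ParamName in~ ("GrantSendOnBehalfTo", "MoveToFolder")
// Delegate values can be aliases or display names rather than SMTP
// addresses; in that case no domain is extracted and the row is
// flagged for manual resolution instead of being silently dropped.
| extend DelegateDomain = tolower(extract(@"@([A-Za-z0-9.-]+)", 1, ParamValue))
| extend Verdict = case(
    ParamName =~ "MoveToFolder", "mail-moving rule",
    isempty(DelegateDomain), "delegate not an SMTP address, resolve manually",
    DelegateDomain in (InternalDomains), "internal delegation",
    "external delegation")
| project TimeGenerated, UserId, ClientIP, Operation, OfficeObjectId,
          ParamName, ParamValue, DelegateDomain, Verdict
| sort by Verdict asc, TimeGenerated desc
```

Rows with the verdict "internal delegation" match the vacation and sick-leave pattern described above and are candidates for a lower severity rather than outright exclusion.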