Forum Discussion
SpoolsProvisioning Application Account - High-risk Office Operations
- May 20, 2020
ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire.
We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored).
I have a playbook that runs every five minutes to close incidents that only contains this account as the account entity.
SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| extend Name_One = tostring(parse_json(Entities)[0].Name)
| extend Name_Two = tostring(parse_json(Entities)[1].Name)
| where Name_One == "SpoolsProvisioning-ApplicationAccount"
| where isempty(Name_Two)
This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine but I've not tested it.
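As an added example (not ReganDangerCarey's query): the same auto-close filter, written so that it checks every account entity on the alert rather than only positions 0 and 1 of the Entities array. It assumes the standard SecurityAlert schema, where Entities is a JSON array of objects with Type and Name fields and account entities carry Type "account". An alert that has no account entities at all never reaches the final filter, so it is left open rather than closed.

```kusto
// Added example, not the original poster's query.
// Closes the incident only when the service account is the sole account
// entity on the alert, wherever it sits in the Entities array.
SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| mv-expand Entity = parse_json(Entities)          // one row per entity on the alert
| where tostring(Entity.Type) == "account"          // keep account entities only
| summarize Accounts = make_set(tostring(Entity.Name)) by SystemAlertId, TimeGenerated, DisplayName
// exactly one distinct account, and it is the provisioning service account
| where array_length(Accounts) == 1
    and set_has_element(Accounts, "SpoolsProvisioning-ApplicationAccount")
```

Because the check is on the set of account names rather than on array positions, an alert that names the service account together with any other account is never auto-closed, which is the case a reviewer actually wants to see.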
endakelly Thanks for this. I find it odd that there's been zero documentation on this in the past.
- Jun 01, 2020
Thijs Lecomte (Bronze Contributor) It would be better to adapt the KQL query to ignore the SpoolsProvisioning account; that way you don't have any false positives.
I do the same:
let timeframe = 1d;   // lookback window used by ago() below
// accounts whose mailbox-permission activity is expected and should not alert
let ExcludedAccounts = dynamic(["NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)","SpoolsProvisioning-ApplicationAccount@ExxxxCOM"]);
OfficeActivity
| where TimeGenerated >= ago(timeframe)
// Exchange cmdlets the built-in "Rare and potentially high-risk Office operations" rule watches
| where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
| where UserId !in (ExcludedAccounts)
// Sentinel entity mapping columns: AccountCustomEntity and IPCustomEntity
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
- Nov 24, 2021
Odion670 (Copper Contributor) Thijs Lecomte what does the Let timeframe == 1d parameter do? Does it take effect once every day?
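An added example, not Thijs Lecomte's query: the same exclusion, with the allow-listed accounts moved out of the query body into a Sentinel watchlist so the list can be changed without editing the analytics rule. The watchlist alias ExcludedServiceAccounts is an assumed name; SearchKey is the column Sentinel exposes as the watchlist's search key, and here it is assumed to hold the account UPN. The `let timeframe = 1d;` line binds a timespan literal that ago() uses as the lookback; it does not schedule anything, the analytics rule's own run frequency does that.

```kusto
// Added example, not the original poster's query.
// Assumed watchlist alias 'ExcludedServiceAccounts' with the account UPN in SearchKey.
let timeframe = 1d;   // timespan literal: how far back each run of the rule looks
let ExcludedAccounts = _GetWatchlist('ExcludedServiceAccounts')
    | project UserId = tostring(SearchKey);
OfficeActivity
| where TimeGenerated >= ago(timeframe)
| where Operation in~ ("Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
| where UserId !in~ (ExcludedAccounts)            // case-insensitive match against the watchlist column
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
```

An excluded account is invisible to this rule from then on, so it is worth pairing it with a separate low-severity rule that fires when one of the excluded accounts runs the same operations from a ClientIP outside its usual source addresses.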