Forum Discussion
SpoolsProvisioning Application Account - High-risk Office Operatoins
ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire.
We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored).
I have a playbook that runs every five minutes to close incidents that only contains this account as the account entity.
SecurityAlert | where TimeGenerated > ago(5m) | where DisplayName == "Rare and potentially high-risk Office operations" | extend Name_One = tostring(parse_json(Entities)[0].Name) | extend Name_Two = tostring(parse_json(Entities)[1].Name) | where Name_One == "SpoolsProvisioning-ApplicationAccount" | where isempty(Name_Two)This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine but I've not tested it.
ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire.
We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored).
I have a playbook that runs every five minutes to close incidents that only contains this account as the account entity.
SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| extend Name_One = tostring(parse_json(Entities)[0].Name)
| extend Name_Two = tostring(parse_json(Entities)[1].Name)
| where Name_One == "SpoolsProvisioning-ApplicationAccount"
| where isempty(Name_Two)
This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine but I've not tested it.
endakelly Thanks for this. I find it odd that there's been zero documentation on this in the past.