SOLVED

SpoolsProvisioning Application Account - High-risk Office Operations


Is anyone else seeing alerts for this application account come up? Are you filtering? Should it be filtered?

best response confirmed by ReganDangerCarey (New Contributor)
Solution

@ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire.


We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored).


I have a playbook that runs every five minutes to close incidents that only contain this account as the account entity.

SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| extend Name_One = tostring(parse_json(Entities)[0].Name)
| extend Name_Two = tostring(parse_json(Entities)[1].Name)
| where Name_One == "SpoolsProvisioning-ApplicationAccount"
| where isempty(Name_Two)


This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine but I've not tested it.
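The query above keys on entity position (index 0 and index 1 of the Entities array), so it stops matching if the alert ever carries an IP or host entity ahead of the account. The following variant is an added example written for this thread, not code from the original poster or from Microsoft: it expands every entity, keeps only those whose Type is "account", and auto-closes only when the complete set of account entities is exactly the SpoolsProvisioning account. It assumes the SecurityAlert Entities JSON carries a lower-case "Type" field of "account" and that SystemAlertId identifies one alert, both of which are standard for the table but are assumptions here.

```kql
// Added example: type-aware version of the auto-close filter.
// Goal: match alerts whose ONLY account entity is the provisioning account,
// regardless of where that entity sits in the Entities array.
SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
// One row per entity object in the alert's Entities array
| mv-expand Entity = parse_json(Entities)
// Keep only account entities; IP/host/mailbox entities must not mask a real user
| where tostring(Entity.Type) =~ "account"
// Rebuild the distinct set of account names per alert
| summarize AccountNames = make_set(tostring(Entity.Name)) by SystemAlertId, TimeGenerated
// Close only when that set is exactly the provisioning account.
// An alert that also names a human account falls through and stays open.
| where array_length(AccountNames) == 1
    and tostring(AccountNames[0]) == "SpoolsProvisioning-ApplicationAccount"
| project SystemAlertId, TimeGenerated, AccountNames
```

If an alert has no account entity at all it produces no row after the mv-expand/where step and is therefore never closed by this query, which is the conservative behaviour you want from an auto-close playbook.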


@endakelly Thanks for this. I find it odd that there's been zero documentation on this in the past.

It would be better to adapt the KQL query to ignore the SpoolsProvisioning account; that way you don't have any false positives.

I do the same:
let timeframe = 1d;
// Service accounts whose mailbox-permission changes are expected noise
let ExcludedAccounts = dynamic(["NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)","SpoolsProvisioning-ApplicationAccount@ExxxxCOM"]);
OfficeActivity
| where TimeGenerated >= ago(timeframe)
// Operations that grant mailbox access or Exchange roles (cmdlet name fixed: Add-MailboxPermission)
| where Operation in~ ("Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
| where UserId !in (ExcludedAccounts)
// Sentinel entity mapping columns (IPCustomEntity, not IPCustomIdentity)
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP