cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

SpoolsProvisioning Application Account - High-risk Office Operatoins

ReganDangerCarey
Brass Contributor

‎May 14 2020 04:43 PM

‎May 14 2020 04:43 PM

SpoolsProvisioning Application Account - High-risk Office Operatoins

Is anyone else seeing alerts for this application account come up? Are you filtering? Should it be filtered?

10.9K Views
1 Like
4 Replies
Reply
4 Replies
best response confirmed by ReganDangerCarey (Brass Contributor)
endakelly

‎May 20 2020 02:25 AM

‎May 20 2020 02:25 AM

Solution

Re: SpoolsProvisioning Application Account - High-risk Office Operatoins

@ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire.

 

We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored).

 

I have a playbook that runs every five minutes to close incidents that only contains this account as the account entity.

 

 

SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| extend Name_One = tostring(parse_json(Entities)[0].Name) 
| extend Name_Two = tostring(parse_json(Entities)[1].Name) 
| where Name_One == "SpoolsProvisioning-ApplicationAccount"
| where isempty(Name_Two)

 

This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine but I've not tested it.

 

Preview file
78 KB
1 Like
Reply
ReganDangerCarey

‎May 31 2020 03:33 PM

‎May 31 2020 03:33 PM

Re: SpoolsProvisioning Application Account - High-risk Office Operatoins

@endakelly Thanks for this. I find it odd that there's been zero documentation on this in the past.

0 Likes
Reply
Thijs Lecomte

‎Jun 01 2020 01:03 AM

‎Jun 01 2020 01:03 AM

Re: SpoolsProvisioning Application Account - High-risk Office Operatoins

It would be better to adapt the KQL query to ignore the SpoolsProvisioning account, that way you don't have any false positives.

I do the same:
let timeframe = 1d;
let ExcludedAccounts = dynamic(["NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)","SpoolsProvisioning-ApplicationAccount@ExxxxCOM"]);
OfficeActivity
| where TimeGenerated >= ago(timeframe)
| where Operation in~ ( "AddMailbox-Permission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
| where UserId !in (ExcludedAccounts)
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomIdentity = ClientIP
2 Likes
Reply
Odion670

‎Nov 23 2021 11:26 PM

‎Nov 23 2021 11:26 PM

Re: SpoolsProvisioning Application Account - High-risk Office Operatoins

@Thijs Lecomte what does the Let timeframe == 1d parameter do? Does it take effect once everyday?

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by ReganDangerCarey (Brass Contributor)
endakelly

‎May 20 2020 02:25 AM

‎May 20 2020 02:25 AM

Solution

Re: SpoolsProvisioning Application Account - High-risk Office Operatoins

@ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire.

 

We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored).

 

I have a playbook that runs every five minutes to close incidents that only contains this account as the account entity.

 

 

SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| extend Name_One = tostring(parse_json(Entities)[0].Name) 
| extend Name_Two = tostring(parse_json(Entities)[1].Name) 
| where Name_One == "SpoolsProvisioning-ApplicationAccount"
| where isempty(Name_Two)

 

This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine but I've not tested it.

 

View solution in original post

Preview file
78 KB
1 Like
Reply