SOLVED

A low severity alert has been triggered

A low-severity alert has been triggered

Mailbox permissions granted

Severity: Low

Time: 8/1/2022 7:45:00 AM (UTC)

Activity: AddMailboxPermission

User: NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)

Details: AddMailboxPermission. This alert is triggered whenever someone gets access to read your user's email.

 

This alert is not particularly useful. Who or what service triggered this alert? How do I find out what mailbox it was triggered for, since I see no corresponding entries in the audit logs? I've tried searching on this alert, but every other post I've seen had High Severity Alert for this message. Why is mine low?

 

2 Replies
best response confirmed by cbron (Brass Contributor)
Solution
A user value of "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" indicates that this is some background task performed by the system; you can ignore it.
If you want to find all the details, hit the corresponding button at the bottom, or run a query against the audit log. Here's an example value:

[
  {
    "Name": "DomainController",
    "Value": ""
  },
  {
    "Name": "Identity",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}"
  },
  {
    "Name": "User",
    "Value": "EURPR03A001.prod.outlook.com/Microsoft Exchange Hosted Organizations/michev.onmicrosoft.com/Discovery Management"
  },
  {
    "Name": "AccessRights",
    "Value": "FullAccess"
  }
]
Thank you Vasil!
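
The parameter list in the accepted answer already says which mailbox was affected (Identity), who received access (User) and what was granted (AccessRights). The following is an added example, not code from the thread, that flattens such a record into a one-line triage summary; the sample record and its tenant names are constructed, the function name ConvertTo-MailboxPermissionSummary is hypothetical, and the record shape (UserId, CreationTime, Parameters) is assumed to match the AuditData JSON returned by an audit log search.

```powershell
# Constructed sample record, shaped like the example value in the answer.
# In a live tenant the same JSON string is the AuditData property of each
# result returned by Search-UnifiedAuditLog (needs an Exchange Online session).
$auditData = @'
{
  "CreationTime": "2022-08-01T07:45:00",
  "Operation": "Add-MailboxPermission",
  "UserId": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)",
  "Parameters": [
    { "Name": "DomainController", "Value": "" },
    { "Name": "Identity", "Value": "EXAMPLE.prod.outlook.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/DiscoverySearchMailbox{00000000-0000-0000-0000-000000000000}" },
    { "Name": "User", "Value": "EXAMPLE.prod.outlook.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/Discovery Management" },
    { "Name": "AccessRights", "Value": "FullAccess" }
  ]
}
'@

function ConvertTo-MailboxPermissionSummary {
    param([Parameter(Mandatory)][string]$AuditDataJson)

    $record = $AuditDataJson | ConvertFrom-Json

    # Parameters is a list of Name/Value pairs; index it by name for lookup.
    $p = @{}
    foreach ($item in $record.Parameters) { $p[$item.Name] = $item.Value }

    # Identity and User are canonical paths; the last segment is the object name.
    $leaf = { param($path) if ($path) { ($path -split '/')[-1] } }

    [pscustomobject]@{
        Time          = $record.CreationTime
        Actor         = $record.UserId
        # True when the change was made by the service account rather than a person.
        SystemActor   = $record.UserId -like 'NT AUTHORITY\SYSTEM*'
        TargetMailbox = & $leaf $p['Identity']
        Grantee       = & $leaf $p['User']
        AccessRights  = $p['AccessRights']
    }
}

ConvertTo-MailboxPermissionSummary -AuditDataJson $auditData | Format-List
```

Records where SystemActor is false, or where the grantee is an individual user rather than a built-in role group, are the ones worth a closer look.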