Conversation

@imays11 imays11 commented Apr 24, 2025

Issue link(s):
Resolves SDH #569

Summary - What I changed

  1. Excludes known legitimate services as suggested by Microsoft and as is done in practice by Azure Sentinel

The following are recommended for exclusion:

  • NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) - already excluded
  • NT AUTHORITY\SYSTEM (w3wp) - no telemetry in the last year but should be excluded as suggested
  • NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore) - showing ~40% of alerts in telemetry over the last 30 days and should be excluded

'NT AUTHORITY\SYSTEM (w3wp)' and 'NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)' are both system accounts used by Microsoft products.

'NT AUTHORITY\SYSTEM (w3wp)' is a system account used by Internet Information Services (IIS) to run application pools. It is used to provide the necessary permissions to run web applications and services. 'NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)' is a system account used by Microsoft Exchange Server to run the Admin API. It is used to provide the necessary permissions to manage Exchange Server through the API.

Both accounts are used to ensure that the necessary permissions are granted to the applications and services they are associated with, and to ensure that these applications and services can run smoothly and securely.

These accounts are legitimate and are used by Microsoft Exchange and Outlook on the web for business for various operations. Whitelisting these accounts for the mentioned operations ('Add-MailboxPermission', 'Add-MailboxFolderPermission', 'Set-Mailbox', and 'New-ManagementRoleAssignment') should not pose any security concerns.

These changes reduce alerts in telemetry from 11537 to 7160 in the last 30 days.

  2. I've added highlighted fields as suggested in the SDH:

  • o365.audit.ObjectId - access to what
  • user.id - change by whom
  • o365.audit.Parameters.User - access granted to whom
  • event.action - for example, "Add-MailboxPermission"
  • o365.audit.Parameters.AccessRights - for example, "FullAccess"
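The tuning described above, as an added illustration that is not the Elastic rule's own query: the four watched operations, the three excluded service accounts and the five highlighted fields are taken from the PR, while matching the excluded accounts on user.id and the sample events are assumptions made here.

```python
# The four operations the PR's exclusions apply to.
WATCHED_ACTIONS = {"Add-MailboxPermission", "Add-MailboxFolderPermission",
                   "Set-Mailbox", "New-ManagementRoleAssignment"}
# Service accounts excluded in this PR; matching them on user.id is our assumption.
EXCLUDED_ACTORS = {
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)",
    r"NT AUTHORITY\SYSTEM (w3wp)",
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
}
# Fields the PR highlights for the analyst: what, by whom, to whom, how.
HIGHLIGHTED = ["o365.audit.ObjectId", "user.id", "o365.audit.Parameters.User",
               "event.action", "o365.audit.Parameters.AccessRights"]

def get_field(event, dotted):
    """Walk a nested dict by dotted path; None if any segment is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(event):
    """Highlighted fields for an event that should alert; None when the action
    is out of scope or the actor is one of the excluded service accounts."""
    if get_field(event, "event.action") not in WATCHED_ACTIONS:
        return None
    if get_field(event, "user.id") in EXCLUDED_ACTORS:
        return None
    return {f: get_field(event, f) for f in HIGHLIGHTED}

def triage(events):
    """Apply evaluate() to a batch and keep only the alerts."""
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample events (not real telemetry), nested ECS-style.
SAMPLE_EVENTS = [
    {"event": {"action": "Add-MailboxPermission"},            # excluded actor
     "user": {"id": r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)"},
     "o365": {"audit": {"ObjectId": "svc-mailbox@example.test", "Parameters":
              {"User": "svc-app@example.test", "AccessRights": "FullAccess"}}}},
    {"event": {"action": "Add-MailboxPermission"},            # should alert
     "user": {"id": "helpdesk@example.test"},
     "o365": {"audit": {"ObjectId": "cfo@example.test", "Parameters":
              {"User": "contractor@example.test", "AccessRights": "FullAccess"}}}},
    {"event": {"action": "Get-Mailbox"},                       # out of scope
     "user": {"id": "helpdesk@example.test"},
     "o365": {"audit": {"ObjectId": "cfo@example.test"}}},
]
```

Running triage(SAMPLE_EVENTS) keeps only the helpdesk delegation, with the five highlighted fields ready for the alert view.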
imays11 added 2 commits April 23, 2025 19:31
tuning to solve SDH ticket by excluding known legitimate services and Microsoft recommended exclusions
adding highlighted fields as suggested
Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.
@eric-forte-elastic eric-forte-elastic left a comment

Great Investigation! LGTM 👍

The Microsoft moderator does note the following:

However, it is important to note that excluding these alerts may also exclude legitimate activities performed by other users or processes. It is recommended to review the alert logs regularly to ensure that all activities are legitimate and not a result of a security breach.

However, I think the risk of having too many noisy alerts outweighs the moderator's concern.

@imays11 imays11 requested review from Aegrah and Samirbous April 24, 2025 04:01
@shashank-elastic shashank-elastic merged commit b429be2 into main Apr 24, 2025
10 checks passed
@shashank-elastic shashank-elastic deleted the rule_tuning_sdh_O365_Exchange_Suspicious_Mailbox_Right_Delegation branch April 24, 2025 04:49