Overview
This guide provides helpful tips for investigating “Microsoft 365: Potential Mailbox Permissions Change” findings using Investigate, Report Builder to view logs on a host, and recommendations for creating detection filters for any noisy Findings in Blumira.
Using Report Builder to analyze the logs
Reference: See Using the Report Builder for more information about building reports.
Create a report that will show you the surrounding activity in Exchange and Compliance logs for the user making the mailbox permission changes observed in the finding. It is essential to verify if the user is expected to make these changes, and, if not, scoping their activity helps in the investigation and response process.
To review actions taken, create a report by doing the following:
- In the finding, locate the user’s name in the
userfield, which you will filter your report with in later steps. - Keeping your finding tab open, open another browser window and navigate to Reporting > Report Builder.
- Set Time Range to include the time of the activity that you need to investigate.
- In Data Sources, select all Microsoft 365 Exchange and Microsoft 365 Compliance data sources.
- Click Add Filter and then add a filter with the
userfrom the finding's evidence.
Example:user-Equal-username - Select Include Suggested Columns, and then add these additional column values to the report:
typeparameter-
acl
- Click Submit.
NOTE: You can build another report focusing on the object of the finding, which is the user on whom the action was taken (i.e., the object is the mailbox being granted permission to another entity). The parameter field may help to highlight who or what entity is being granted the new permissions. You would follow the same procedure as above, using a different report filter, as follows:
object - Contains - object_from_finding
Detection filters
We do not typically recommend filters for this activity. These detections are not typically noisy.