Microsoft 365 Exchange Management Group Role Assignment

Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/20"
integration = ["o365"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in
order to maintain persistence in an environment.
"""
false_positives = [
    """
    A new role may be assigned to a management group by a system or network administrator. Verify that the configuration
    change was expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Exchange Management Group Role Assignment"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft 365 Exchange Management Group Role Assignment

Exchange Online management roles bundle the cmdlets and parameters an assignee is allowed to run, and a management role assignment links a role to a user, role group, or role assignment policy. An adversary with administrative access can create such an assignment for an account they control, gaining Exchange permissions that no longer depend on the originally compromised credentials. The detection rule monitors successful New-ManagementRoleAssignment operations in the Exchange audit log, flagging changes that align with persistence tactics.

### Possible investigation steps

- Review the raw audit record. The query already requires event.action "New-ManagementRoleAssignment" and event.outcome "success"; note the cmdlet parameters recorded in o365.audit.Parameters, in particular Role and the assignee parameter (User, SecurityGroup, or Policy).
- Identify the account that ran the cmdlet (user.name or o365.audit.UserId) and the assignee named in the parameters, and verify that the actor is authorized to make such changes. event.dataset and event.provider only identify the data source, not the user.
- Check the history of role assignments for the identified actor to determine if there are any patterns of unauthorized or suspicious activity.
- Investigate the specific management role that was assigned to understand its permissions and potential impact on the environment.
- Correlate this event with other recent activities from the same user or IP address to identify any additional suspicious behavior or anomalies.
- Consult with the relevant IT or security teams to verify if the role assignment was part of a legitimate administrative task or change request.

### False positive analysis

- Routine administrative role assignments can trigger alerts. Regularly review and document legitimate role changes to differentiate them from unauthorized activities.
- Automated scripts or tools used for role management may cause false positives. Identify the service accounts they run as and add rule exceptions for those accounts rather than suppressing the rule.
- Changes made during scheduled maintenance windows might be flagged. Establish a process to temporarily suppress alerts during these periods while ensuring post-maintenance reviews.
- Role assignments related to onboarding or offboarding processes can appear suspicious. Implement a verification step to confirm these changes align with HR records and expected activities.
- Frequent role changes by specific users with administrative privileges may not indicate malicious intent. Monitor these users' activities and establish a baseline to identify deviations from normal behavior.

### Response and remediation

- Immediately remove the unauthorized role assignment (Remove-ManagementRoleAssignment) so the assignee loses the granted permissions, and confirm with Get-ManagementRoleAssignment that no other unexpected assignments exist for that assignee.
- Conduct a thorough review of recent activity logs for the affected account to identify any suspicious actions taken since the role assignment.
- Reset the credentials of the compromised account and enforce multi-factor authentication to enhance security.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring on the affected account and similar high-privilege accounts to detect any further unauthorized attempts.
- Review and update access control policies to ensure that only authorized personnel can assign management roles in Microsoft 365.
- Consider conducting a security awareness session for administrators to reinforce the importance of monitoring and managing role assignments securely.

## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
    "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
]
risk_score = 47
rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
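To make the query's five conditions and the triage fields concrete, the following is an added Python example; it is not part of the Elastic rule or of the o365 integration. It applies the same conjunction the KQL query expresses to a handful of constructed o365.audit events (flattened to dotted ECS keys, as a query consumer sees them) and extracts who assigned which role to whom. Assumptions: the high-impact role list and the automation service account are illustrative; the actor and client IP field names (user.name, client.ip) are ECS names assumed for the integration's mapping; and o365.audit.Parameters is accepted in both the raw list-of-{Name, Value} shape and a flattened dict shape, since the pipeline is assumed to flatten it.

```python
"""Added example (not from the Elastic rule or the o365 integration): apply the
rule's KQL conditions to constructed o365.audit events and pull out the triage
facts an analyst needs (actor, assigned role, assignee, client IP)."""

# The five field/value conditions from the rule's query.
RULE_FILTER = {
    "event.dataset": "o365.audit",
    "event.provider": "Exchange",
    "event.category": "web",
    "event.action": "New-ManagementRoleAssignment",
    "event.outcome": "success",
}

# Assumed, illustrative: roles whose assignment should be escalated rather than
# merely reviewed. The names themselves are real Exchange management roles.
HIGH_IMPACT_ROLES = {"ApplicationImpersonation", "Mailbox Import Export", "Role Management"}

# Assumed, illustrative: service account used by sanctioned role-management automation.
KNOWN_AUTOMATION = {"svc-iam-automation@contoso.example"}

# New-ManagementRoleAssignment names the assignee with exactly one of these parameters.
ASSIGNEE_PARAMS = ("User", "SecurityGroup", "Policy", "Computer")

# Constructed sample events, flattened to dotted ECS keys as the KQL query sees them.
_BASE = {"event.dataset": "o365.audit", "event.provider": "Exchange",
         "event.category": ["web"], "event.action": "New-ManagementRoleAssignment",
         "event.outcome": "success", "user.name": "jdoe@contoso.example",
         "client.ip": "203.0.113.7"}

SAMPLE_EVENTS = [
    # fires: admin grants a high-impact role to another account (raw list-of-pairs shape)
    {**_BASE, "@timestamp": "2025-01-15T10:01:00Z",
     "o365.audit.Parameters": [{"Name": "Role", "Value": "ApplicationImpersonation"},
                               {"Name": "User", "Value": "attacker-svc@contoso.example"}]},
    # does not fire: same cmdlet, but the operation failed
    {**_BASE, "@timestamp": "2025-01-15T10:02:00Z", "event.outcome": "failure",
     "o365.audit.Parameters": [{"Name": "Role", "Value": "Role Management"}]},
    # does not fire: a different Exchange cmdlet
    {**_BASE, "@timestamp": "2025-01-15T10:03:00Z", "event.action": "Set-Mailbox",
     "o365.audit.Parameters": [{"Name": "Identity", "Value": "someone@contoso.example"}]},
    # fires from the sanctioned automation account (assumed flattened dict shape)
    {**_BASE, "@timestamp": "2025-01-15T10:04:00Z",
     "user.name": "svc-iam-automation@contoso.example", "client.ip": "198.51.100.20",
     "o365.audit.Parameters": {"Role": "Mail Recipients", "SecurityGroup": "Helpdesk Tier 1"}},
]


def matches_rule(event):
    """Evaluate the rule's conjunction. ECS allows event.category to be a list,
    so a list value matches when it contains the wanted term."""
    for field, wanted in RULE_FILTER.items():
        value = event.get(field)
        if isinstance(value, list):
            if wanted not in value:
                return False
        elif value != wanted:
            return False
    return True


def cmdlet_parameters(event):
    """Normalize o365.audit.Parameters to a {name: value} dict, accepting both the
    raw list-of-pairs shape and the flattened dict shape."""
    params = event.get("o365.audit.Parameters") or {}
    if isinstance(params, dict):
        return dict(params)
    return {p["Name"]: p["Value"] for p in params if "Name" in p}


def triage(event):
    """Extract the facts the investigation steps ask for from one matching event."""
    params = cmdlet_parameters(event)
    actor = event.get("user.name")
    role = params.get("Role")
    assignee = next((params[k] for k in ASSIGNEE_PARAMS if k in params), None)
    return {
        "timestamp": event.get("@timestamp"),
        "actor": actor,
        "client_ip": event.get("client.ip"),
        "role": role,
        "assignee": assignee,
        "high_impact": role in HIGH_IMPACT_ROLES,
        "known_automation": actor in KNOWN_AUTOMATION,
    }


def run_rule(events):
    """Return a triage record for every event the rule would alert on, in order."""
    return [triage(e) for e in events if matches_rule(e)]


def disposition(hit):
    """Suggested analyst action: sanctioned automation becomes an exception
    candidate, high-impact grants by anyone else are escalated, the rest reviewed."""
    if hit["known_automation"]:
        return "exception-candidate"
    if hit["high_impact"]:
        return "escalate"
    return "review"


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(disposition(hit), hit)
```

Of the four constructed events only the first and last match the rule: the failed attempt and the Set-Mailbox call are filtered out just as the KQL would drop them. The exception handling keys on the acting account, not on the role, which is the safer way to carve out automation: a compromised admin assigning a high-impact role still lands on "escalate".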

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Microsoft 365 Exchange Management Group Role Assignment

Exchange Online management roles bundle the cmdlets and parameters an assignee is allowed to run, and a management role assignment links a role to a user, role group, or role assignment policy. An adversary with administrative access can create such an assignment for an account they control, gaining Exchange permissions that no longer depend on the originally compromised credentials. The detection rule monitors successful New-ManagementRoleAssignment operations in the Exchange audit log, flagging changes that align with persistence tactics.

Possible investigation steps

  • Review the raw audit record. The query already requires event.action "New-ManagementRoleAssignment" and event.outcome "success"; note the cmdlet parameters recorded in o365.audit.Parameters, in particular Role and the assignee parameter (User, SecurityGroup, or Policy).
  • Identify the account that ran the cmdlet (user.name or o365.audit.UserId) and the assignee named in the parameters, and verify that the actor is authorized to make such changes. event.dataset and event.provider only identify the data source, not the user.
  • Check the history of role assignments for the identified user to determine if there are any patterns of unauthorized or suspicious activity.
  • Investigate the specific management role that was assigned to understand its permissions and potential impact on the environment.
  • Correlate this event with other recent activities from the same user or IP address to identify any additional suspicious behavior or anomalies.
  • Consult with the relevant IT or security teams to verify if the role assignment was part of a legitimate administrative task or change request.

False positive analysis

  • Routine administrative role assignments can trigger alerts. Regularly review and document legitimate role changes to differentiate them from unauthorized activities.
  • Automated scripts or tools used for role management may cause false positives. Identify the service accounts they run as and add rule exceptions for those accounts rather than suppressing the rule.
  • Changes made during scheduled maintenance windows might be flagged. Establish a process to temporarily suppress alerts during these periods while ensuring post-maintenance reviews.
  • Role assignments related to onboarding or offboarding processes can appear suspicious. Implement a verification step to confirm these changes align with HR records and expected activities.
  • Frequent role changes by specific users with administrative privileges may not indicate malicious intent. Monitor these users' activities and establish a baseline to identify deviations from normal behavior.

Response and remediation

  • Immediately remove the unauthorized role assignment (Remove-ManagementRoleAssignment) so the assignee loses the granted permissions, and confirm with Get-ManagementRoleAssignment that no other unexpected assignments exist for that assignee.
  • Conduct a thorough review of recent activity logs for the affected account to identify any suspicious actions taken since the role assignment.
  • Reset the credentials of the compromised account and enforce multi-factor authentication to enhance security.
  • Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
  • Implement additional monitoring on the affected account and similar high-privilege accounts to detect any further unauthorized attempts.
  • Review and update access control policies to ensure that only authorized personnel can assign management roles in Microsoft 365.
  • Consider conducting a security awareness session for administrators to reinforce the importance of monitoring and managing role assignments securely.

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps
  • https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide