Sensitive roles such as Global Administrator and eDiscovery Manager/Administrator are high-value targets.

In a common attack, an attacker may use lateral movement techniques to move between different accounts and elevate permissions.

Monitor sensitive roles so that you are notified if a potential attacker has elevated their permissions.

Creating the following Protection Alerts adds to the base Exchange Admin elevation policy by covering more roles.

# Connect to Security & Compliance Center PowerShell
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# Alert on changes to eDiscovery case administrators
New-ProtectionAlert -Category AccessGovernance -Name "Privilege Escalation – eDiscovery" `
    -NotifyUser sadmin@company.com -ThreatType Activity -Operation "CaseAdminUpdated" `
    -AggregationType None

# Connect to Security & Compliance Center PowerShell
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# Alert when a member is added to a directory role
New-ProtectionAlert -Category AccessGovernance -Name "Privilege Escalation – Office 365" `
    -NotifyUser sadmin@company.com -ThreatType Activity -Operation "Add role member to role" `
    -AggregationType None
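
Both alerts can also be created in a single session. The following is an added example, not part of the original page: it connects with Connect-IPPSSession from the ExchangeOnlineManagement module (assumed to be installed) instead of the Basic-authentication remote session used above, skips alerts that already exist so it can be re-run, and lists the resulting policies for review.

```powershell
# Added example, not from the original page.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account is allowed to manage alert policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in, works with MFA-enabled admin accounts

# Recipient address is the placeholder used on the page.
$notify = 'sadmin@company.com'

# Alert names and audit operations exactly as given on the page.
$alerts = @(
    @{ Name = 'Privilege Escalation – eDiscovery'; Operation = 'CaseAdminUpdated' },
    @{ Name = 'Privilege Escalation – Office 365'; Operation = 'Add role member to role' }
)

# Names of the alert policies that already exist in the tenant.
$existingNames = @(Get-ProtectionAlert | ForEach-Object { $_.Name })

foreach ($a in $alerts) {
    if ($existingNames -contains $a.Name) {
        # Do not create a duplicate when the script is run again.
        Write-Host "Already present: $($a.Name)"
        continue
    }
    New-ProtectionAlert -Category AccessGovernance -Name $a.Name `
        -NotifyUser $notify -ThreatType Activity -Operation $a.Operation `
        -AggregationType None | Out-Null
    Write-Host "Created: $($a.Name)"
}

# List the privilege escalation policies so recipients and state can be reviewed.
Get-ProtectionAlert |
    Where-Object { $_.Name -like 'Privilege Escalation*' } |
    Format-List Name, Category, ThreatType, Operation, NotifyUser, Disabled

Disconnect-ExchangeOnline -Confirm:$false
```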