[New Rule] Email Reported by User as Malware or Phish (#1699)

* Email Reported by User as Malware or Phish Initial Rule

* Update initial_access_o365_user_reported_phish_malware.toml

* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 189c2b152c)
Jonhnathan
2022-01-27 16:30:46 -03:00
committed by github-actions[bot]
parent 239f7f9324
commit 012e88601e
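--- /dev/null
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2022/01/12"
+integration = "o365"
+maturity = "production"
+updated_date = "2022/01/12"
+[rule]
+author = ["Elastic"]
+description = """
+Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to
+stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a
+malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent
+malware infections and Business Email Compromise attacks.
+"""
+false_positives = ["Legitimate files reported by the users"]
+from = "now-30m"
+index = ["filebeat-*", "logs-o365*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "O365 Email Reported by User as Malware or Phish"
+note = """## Config
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+"https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us",
+]
+risk_score = 47
+rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Initial Access"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"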
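Review bot: The `query` is a pass-through of a single upstream alert keyed on the exact policy name `rule.name:"Email reported by user as malware or phish"`, so the rule silently produces nothing in any tenant where that built-in Security &amp; Compliance alert policy is disabled or renamed, or where no user reporting path (such as the Report Message add-in the reference links to) has been deployed, and the `note` section does not say so. Suggest extending the Config note with: `Requires the built-in Security & Compliance alert policy "Email reported by user as malware or phish" to be enabled and a user reporting path (e.g. the Report Message add-in) deployed; if the policy is renamed, the rule.name filter must be updated to match.` Because the detection carries no context of its own, a short Triage section would also help: identify the reported message's sender, subject and any URLs or attachments from the alert's audit record, search the tenant for other recipients of the same message, and check whether the reporting user opened or clicked it before reporting. The `false_positives` entry could likewise mention that users commonly report benign bulk or marketing mail, which is presumably the dominant noise source for this alert.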