[New Rule] New Microsoft 365 Impossible Travel Rules and Deprecation (#4054)

* new impossible travel rules for o365; deprecated development rule

* deleted development rule as it has no lock version

* reverted rule deletion, added note about reliability and related rules
Terrance DeJesus
2024-09-05 17:36:56 -04:00
committed by GitHub
parent e30dc312e4
commit 0a08f5e677
3 changed files with 145 additions and 3 deletions
@@ -2,7 +2,7 @@
creation_date = "2021/07/15"
integration = ["o365"]
maturity = "development"
updated_date = "2023/06/22"
updated_date = "2024/09/05"
[rule]
author = ["Austin Songer"]
@@ -16,7 +16,18 @@ index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Impossible travel activity"
note = """## Setup
note = """
## Important
This rule is no longer applicable based on changes to Microsoft Defender for Office 365. Please refer to the following rules for similar detections:
- Microsoft 365 Portal Logins from Impossible Travel Locations (3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc)
- Microsoft 365 Portal Login from Rare Location (32d3ad0e-6add-11ef-8c7b-f661ea17fbcc)
Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy
"""
setup = """
## Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
@@ -48,4 +59,3 @@ reference = "https://attack.mitre.org/techniques/T1078/"
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
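Review bot: The new note attributes the rule's retirement to "changes to Microsoft Defender for Office 365", but the only reference it cites is the Defender for Cloud Apps anomaly-detection policy page, so a reader cannot tell which product change is actually meant; name the product the link documents, e.g. `This rule is no longer applicable based on changes to Microsoft Defender for Cloud Apps anomaly detection policies.` Nothing machine-readable marks the rule as retired either: `maturity` stays `"development"`, which only keeps it out of releases, so if the repository's `maturity = "deprecated"` path is not usable for a never-released rule (as the commit message suggests), say so in the note so the next maintainer does not try to revive it. The rule's query is outside the hunk, so whether it still matches anything could not be checked here.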
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/04"
[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined
as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a
Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from
a different location.
"""
false_positives = [
"""
False positives may occur when users are using a VPN or when users are traveling to different locations for
legitimate purposes.
""",
]
from = "now-15m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Portal Logins from Impossible Travel Locations"
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset: "o365.audit"
and event.provider: "AzureActiveDirectory"
and event.action: "UserLoggedIn"
and event.outcome: "success"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.threshold]
field = ["o365.audit.UserId"]
value = 1
[[rule.threshold.cardinality]]
field = "source.geo.country_name"
value = 2
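Review bot: The rule silently depends on GeoIP enrichment: the cardinality field `source.geo.country_name` only exists when the integration enriches `source.ip`, so on un-enriched data the per-user count never reaches 2 and the rule never fires without any error, yet the file carries neither the `setup` text the retired rule has nor a `note`. Add `setup = """The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required, and source.ip must be GeoIP-enriched so that source.geo.country_name is populated."""`. The name and description promise "portal logins", but the query matches every successful `UserLoggedIn` event from `AzureActiveDirectory`, which as far as the query shows is not limited to browser/portal sign-ins; either narrow the query or describe it as Microsoft 365 sign-ins. Two distinct countries in 15 minutes also treats a border commuter the same as an intercontinental hop, so an investigation `note` telling the analyst to compare the source IPs/ASNs behind the two countries would make the medium-severity alert actionable.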
@@ -0,0 +1,65 @@
[metadata]
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/04"
[rule]
author = ["Elastic"]
description = """
Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
365 account from an unusual location or behind a VPN.
"""
false_positives = [
"""
False positives may occur when users are using a VPN or when users are traveling to different locations.
""",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Portal Login from Rare Location"
references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
risk_score = 47
rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset: "o365.audit"
and event.provider: "AzureActiveDirectory"
and event.action: "UserLoggedIn"
and event.outcome: "success"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.new_terms]
field = "new_terms_fields"
value = ["o365.audit.UserId", "source.geo.country_name"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
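Review bot: The description defines a rare location as one "not commonly associated with the user's account", but a new_terms rule on `o365.audit.UserId` plus `source.geo.country_name` with `history_window_start = "now-14d"` fires on any user/country pair absent from the last 14 days, so a country the user signs in from monthly alerts every time; either widen the window or state the real semantics, e.g. `Rare locations are defined as a user and country pair not observed in the previous 14 days.` Like the sibling threshold rule, this file has no `setup` text, and the country term comes from GeoIP enrichment of `source.ip`, so without enrichment the rule can never produce a term and gives no indication why. The phrase "or behind a VPN" in the description reads as a false-positive cause rather than an adversary indicator and belongs in `false_positives`.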