From 0a08f5e677413517c7e1905fed42e098cafb73e0 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 5 Sep 2024 17:36:56 -0400
Subject: [PATCH] [New Rule] New Microsoft 365 Impossible Travel Rules and Deprecation (#4054)

* new impossible travel rules for o365; deprecated development rule
* deleted development rule as it has not lock version
* reverted rule deletion, added note about reliability and related rules
---
 ...rosoft_365_impossible_travel_activity.toml | 16 ++++-
 ...t_365_impossible_travel_portal_logins.toml | 67 +++++++++++++++++++
 ...t_365_portal_login_from_rare_location.toml | 65 ++++++++++++++++++
 3 files changed, 145 insertions(+), 3 deletions(-)
 create mode 100644 rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
 create mode 100644 rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml

diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 960fc712c..50b93ea0d 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "development"
-updated_date = "2023/06/22"
+updated_date = "2024/09/05"
 
 [rule]
 author = ["Austin Songer"]
@@ -16,7 +16,18 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Impossible travel activity"
-note = """## Setup
+note = """
+## Important
+
+This rule is no longer applicable based on changes to Microsoft Defender for Office 365. Please refer to the following rules for similar detections:
+
+- Microsoft 365 Portal Logins from Impossible Travel Locations (3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc)
+- Microsoft 365 Portal Login from Rare Location (32d3ad0e-6add-11ef-8c7b-f661ea17fbcc)
+
+Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy
+"""
+setup = """
+## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
@@ -48,4 +59,3 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
new file mode 100644
index 000000000..90a2a6af2
--- /dev/null
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
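Review bot: The new `## Important` text says the rule broke "based on changes to Microsoft Defender for Office 365" but never says what changed, and the only reference it offers is the Defender for Cloud Apps anomaly-detection policy page, so a reader cannot tell which product's alert the query depended on or why it stopped matching (the query itself is outside this hunk). If, as the reference suggests, the impossible-travel detection is now raised by Defender for Cloud Apps anomaly-detection policies rather than in an event this rule could match, say so explicitly, e.g. `+This rule is no longer applicable: the impossible-travel alert it relied on is now raised by Microsoft Defender for Cloud Apps anomaly-detection policies and is not surfaced in the events this rule queries. Please refer to the following rules for similar detections:` — please confirm the product name against the actual event source before adopting that wording. Since the file still carries `maturity = "development"` rather than a deprecated status, this note is the only signal that the rule is dead, so stating the reason precisely matters more than usual.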
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2024/09/04"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2024/09/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined
+as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a
+Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from
+a different location.
+"""
+false_positives = [
+ """
+ False positives may occur when users are using a VPN or when users are traveling to different locations for
+ legitimate purposes.
+ """,
+]
+from = "now-15m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Portal Logins from Impossible Travel Locations"
+references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
+risk_score = 47
+rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset: "o365.audit"
+ and event.provider: "AzureActiveDirectory"
+ and event.action: "UserLoggedIn"
+ and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.threshold]
+field = ["o365.audit.UserId"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "source.geo.country_name"
+value = 2
+
+
diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
new file mode 100644
index 000000000..7f2471122
--- /dev/null
+++ b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2024/09/04"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2024/09/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
+commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
+365 account from an unusual location or behind a VPN.
+"""
+false_positives = [
+ """
+ False positives may occur when users are using a VPN or when users are traveling to different locations.
+ """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Portal Login from Rare Location"
+references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
+risk_score = 47
+rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "o365.audit"
+ and event.provider: "AzureActiveDirectory"
+ and event.action: "UserLoggedIn"
+ and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["o365.audit.UserId", "source.geo.country_name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+
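Review bot: The description defines a rare location as one "not commonly associated with the user's account", but a new_terms rule over `history_window_start = "now-14d"` fires on any `o365.audit.UserId`/`source.geo.country_name` pair not seen in the previous 14 days, regardless of how common it is otherwise. Two consequences should be documented: every newly created or long-dormant account (new hires, people returning from leave, rarely used break-glass or shared accounts) will alert on its first login, and an adversary who has already been signing in from their country for 14 or more days is part of the baseline and will not be flagged. Suggest rewording the description to `Rare locations are defined as a user and country combination not observed in the previous 14 days (history_window_start).` and adding a `false_positives` entry such as `Newly created or long-dormant accounts will match on their first login, since no prior user and country combination exists in the history window.`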