From 189c2b152c6f15322e6a37995463ccac5ff0fc28 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 27 Jan 2022 16:30:46 -0300
Subject: [PATCH] [New Rule] Email Reported by User as Malware or Phish (#1699)
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra
Co-authored-by: Justin Ibarra
---
 ...cess_o365_user_reported_phish_malware.toml | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
new file mode 100644
index 000000000..fba836f0f
--- /dev/null
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2022/01/12"
+integration = "o365"
+maturity = "production"
+updated_date = "2022/01/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to
+stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a
+malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent
+malware infections and Business Email Compromise attacks.
+"""
+false_positives = ["Legitimate files reported by the users"]
+from = "now-30m"
+index = ["filebeat-*", "logs-o365*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "O365 Email Reported by User as Malware or Phish"
+note = """## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us",
+]
+risk_score = 47
+rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Initial Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1566.001"
+ name = "Spearphishing Attachment"
+ reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1566.002"
+ name = "Spearphishing Link"
+ reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
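Review bot: The query's `rule.name:"Email reported by user as malware or phish"` is an exact match on the display name of a built-in Microsoft 365 alert policy, so the rule silently matches nothing in a tenant where that policy has been renamed or disabled, and the `note` field only says the integration is required. I would extend the `## Config` note with a sentence such as `This rule depends on the "Email reported by user as malware or phish" alert policy being enabled in the Security & Compliance Center under its default name; if the policy has been renamed, adjust the rule.name filter to match.` It may also be worth stating in the description or note that each match is an alert raised by that policy rather than an individual user report, since the policy may aggregate or throttle reports — confirm this against the Microsoft alert-policy documentation before adding it.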