[Rule Tuning] M365 - Remove event.outcome condition from Auth Events (#2004)

* Remove event.outcome condition

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml"

This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/01/07"
+updated_date = "2022/05/30"
 integration = "o365"
 
 [rule]
@@ -35,7 +35,7 @@ query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
   event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
   not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
-                             UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:success
+                             UserStrongAuthClientAuthNRequired or InvalidReplyTo)
 '''
 
 

rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2022/01/07"
+updated_date = "2022/05/30"
 integration = "o365"
 
 [rule]
@@ -33,7 +33,7 @@ type = "threshold"
 
 query = '''
 event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and 
-event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:success
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
 '''
 
 [[rule.threat]]