diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index fdaa1f511..51b3be80c 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/01/07"
+updated_date = "2022/05/30"
 integration = "o365"
 [rule]
@@ -35,7 +35,7 @@ query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
- UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:success
+ UserStrongAuthClientAuthNRequired or InvalidReplyTo) '''
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 2c86e6cb1..fcc5b183a 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2022/01/07"
+updated_date = "2022/05/30"
 integration = "o365"
 [rule]
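Review bot: Removing `and event.outcome:success` from the `-`/`+` pair in the query hunk drops the outcome constraint entirely instead of replacing it, so a `PasswordLogonInitialAuthUsingPassword` event recorded with `event.outcome:success` (a genuine successful password logon) now satisfies the query alongside the failed ones. If the o365 integration now maps failed attempts to `event.outcome:failure`, the tighter form `UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure` would keep the rule anchored to failures; if the outcome mapping for that action is not reliable, that is the reason a reader will look for, and the rule's description or note should say why the match is now driven by `event.action` alone. The `not o365.audit.LogonError:(...)` exclusion is unchanged and now also applies to whatever outcome values are admitted, which is presumably harmless but worth confirming against a sample of the new events. The query's closing `'''` and the remainder of the rule body lie outside the hunk.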
@@ -33,7 +33,7 @@ type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
-event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:success
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") '''
 [[rule.threat]]
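Review bot: This is a `type = "threshold"` rule per the hunk header, and the `+` line now admits events of any `event.outcome`, so successful `PasswordLogonInitialAuthUsingPassword` logons contribute to the threshold count in the same way failed ones do; a burst of legitimate logons from a shared source could therefore push the count over the limit, and a spray that lands a correct password no longer looks any different from one that does not. If the integration emits `event.outcome:failure` for the failed path, `event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure` preserves the original intent with the corrected value; otherwise the threshold field(s) and count configured for this rule (outside the hunk) should be re-validated against the broader event set. The rest of the `[rule]` table, including the threshold settings, is not visible in this hunk.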