From 3aa53fc6c5034822780cfeefdf8931db37e3493a Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 3 Jun 2022 14:24:14 -0300
Subject: [PATCH] [Rule Tuning] M365 - Remove event.outcome condition from Auth Events (#2004)

* Remove event.outcome condition

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml"

This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...access_microsoft_365_brute_force_user_account_attempt.toml | 4 ++--
 ...cess_microsoft_365_potential_password_spraying_attack.toml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index fdaa1f511..51b3be80c 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/01/07"
+updated_date = "2022/05/30"
 integration = "o365"
 
 [rule]
@@ -35,7 +35,7 @@ query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
-UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:success
+UserStrongAuthClientAuthNRequired or InvalidReplyTo)
 '''
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 2c86e6cb1..fcc5b183a 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2022/01/07"
+updated_date = "2022/05/30"
 integration = "o365"
 
 [rule]
@@ -33,7 +33,7 @@ type = "threshold"
 query = '''
 event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
-event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:success
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
 '''
 
 [[rule.threat]]
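Review bot: Dropping `event.outcome:success` from the `query` widens this threshold rule to every `UserLoginFailed` / `PasswordLogonInitialAuthUsingPassword` event regardless of outcome, and nothing in the hunk or the commit message records why the outcome filter was wrong; the brute-force rule in the first file makes the same change and has the same gap. If `PasswordLogonInitialAuthUsingPassword` events can carry either outcome in this dataset, successful Exchange password logons now count toward the threshold alongside the failed Azure AD logins, which could raise the false-positive rate — confirm against the o365.audit data before merging. A one-line rationale in the rule's `note` or `description` (outside this hunk), such as `event.outcome is not a reliable failure signal for these o365 actions; the action names already select failed logons`, would keep the next tuner from re-adding the condition.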