security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3685)

Browse Source 
* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit cd716e5248)
This commit is contained in:
Samirbous
2024-07-05 05:46:40 +01:00
committed by github-actions[bot]
parent 328bf38e8b
commit 461e72cf9c
1 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
+8 -7
View File
@@ -2,7 +2,7 @@
creation_date = "2023/07/18"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/07/04"
[rule]
author = ["Elastic"]
@@ -54,9 +54,9 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e366-9d6d-4c70-b22a-34c7ea72d73d" or
"a3883eba-fbe9-48bd-9ed3-dca3e0e84250" or "d3590ed6-52b3-4102-aeff-aad2292ab01c" or "27922004-5251-4030-b22d-91ecd9a37ea4" or
"1fec8e78-bce4-4aaf-ab1b-5451cc387264" or "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or "00000002-0000-0000-c000-000000000000" or
"00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000" or "ffcb16e8-f789-467c-8ce9-f826a080d987" or
"00000003-0000-0ff1-ce00-000000000000" or "00000004-0000-0ff1-ce00-000000000000" or "00000005-0000-0ff1-ce00-000000000000" or
"00000006-0000-0ff1-ce00-000000000000" or "00000007-0000-0000-c000-000000000000" or "00000007-0000-0ff1-ce00-000000000000" or
"00000002-0000-0ff1-ce00-000000000000" or "ffcb16e8-f789-467c-8ce9-f826a080d987" or "00000003-0000-0ff1-ce00-000000000000" or
"00000004-0000-0ff1-ce00-000000000000" or "00000005-0000-0ff1-ce00-000000000000" or "00000006-0000-0ff1-ce00-000000000000" or
"00000007-0000-0000-c000-000000000000" or "00000007-0000-0ff1-ce00-000000000000" or
"00000009-0000-0000-c000-000000000000" or "0000000c-0000-0000-c000-000000000000" or "00000015-0000-0000-c000-000000000000" or
"0000001a-0000-0000-c000-000000000000" or "00b41c95-dab0-4487-9791-b9d2c32c80f2" or "022907d3-0f1b-48f7-badc-1ba6abab6d66" or
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" or "08e18876-6177-487e-b8b5-cf950c1e598c" or "0cb7b9ec-5336-483b-bc31-b15b5788de71" or
@@ -70,8 +70,8 @@ not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e36
"2d4d3d8e-2be3-4bef-9f87-7875a61c29de" or "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or "3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7" or
"35d54a08-36c9-4847-9018-93934c62740c" or "37182072-3c9c-4f6a-a4b3-b3f91cacffce" or "38049638-cc2c-4cde-abe4-4479d721ed44" or
"3c896ded-22c5-450f-91f6-3d1ef0848f6e" or "4345a7b9-9a63-4910-a426-35363201d503" or "45a330b1-b1ec-4cc1-9161-9f03992aa49f" or
"47629505-c2b6-4a80-adb1-9b3a3d233b7b" or "4765445b-32c6-49b0-83e6-1d93765276ca" or "497effe9-df71-4043-a8bb-14cf78c4b63b" or
"4b233688-031c-404b-9a80-a4f3f2351f90" or "4d5c2d63-cf83-4365-853c-925fd1a64357" or "51be292c-a17e-4f17-9a7e-4b661fb16dd2" or
"4765445b-32c6-49b0-83e6-1d93765276ca" or "497effe9-df71-4043-a8bb-14cf78c4b63b" or "4b233688-031c-404b-9a80-a4f3f2351f90" or
"4d5c2d63-cf83-4365-853c-925fd1a64357" or "51be292c-a17e-4f17-9a7e-4b661fb16dd2" or
"5572c4c0-d078-44ce-b81c-6cbf8d3ed39e" or "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" or "60c8bde5-3167-4f92-8fdb-059f6176dc0f" or
"61109738-7d2b-4a0b-9fe3-660b1ff83505" or "62256cef-54c0-4cb4-bcac-4c67989bdc40" or "6253bca8-faf2-4587-8f2f-b056d80998a7" or
"65d91a3d-ab74-42e6-8a2f-0add61688c74" or "66a88757-258c-4c72-893c-3e8bed4d6899" or "67e3df25-268a-4324-a550-0de1c7f97287" or
@@ -93,7 +93,8 @@ not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e36
"d73f4b35-55c9-48c7-8b10-651f6f2acb2e" or "d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0" or "de8bc8b5-d9f9-48b1-a8ad-b748da725064" or
"dfe74da8-9279-44ec-8fb2-2aed9e1c73d0" or "e1ef36fd-b883-4dbf-97f0-9ece4b576fc6" or "e64aa8bc-8eb4-40e2-898b-cf261a25954f" or
"e9f49c6b-5ce5-44c8-925d-015017e9f7ad" or "ee272b19-4411-433f-8f28-5c13cb6fd407" or "f5eaa862-7f08-448c-9c4e-f4047d4d4521" or
"fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302")
"fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302"
)
'''