security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create collection_microsoft_365_new_inbox_rule.toml (#1068)

Browse Source 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2021-04-14 17:06:39 -04:00
committed by GitHub
parent 7408133f79
commit 4a46b2f03b
1 changed files with 60 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml
+60
View File
@@ -0,0 +1,60 @@
[metadata]
creation_date = "2021/03/29"
maturity = "production"
updated_date = "2021/03/29"
[rule]
author = ["Elastic", "Gary Blackwell", "Austin Songer"]
description = """
Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on
conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions
are required on the mailbox to create an Inbox rule.
"""
false_positives = [
"""
An inbox rule may be created by a system or network administrator. Verify that the configuration change was
expected. Exceptions can be added to this rule to filter expected behavior.
""",
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 New Inbox Rule Created"
note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
]
risk_score = 21
rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
severity = "low"
tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-InboxRule" and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"
id = "T1114"
[[rule.threat.technique.subtechnique]]
name = "Email Forwarding Rule"
reference = "https://attack.mitre.org/techniques/T1114/003/"
id = "T1114.003"
[rule.threat.tactic]
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
id = "TA0009"