From 4a46b2f03b70beb77e93e6cc4b9a7b37191f4f36 Mon Sep 17 00:00:00 2001 From: Brent Murphy <56412096+bm11100@users.noreply.github.com> Date: Wed, 14 Apr 2021 17:06:39 -0400 Subject: [PATCH] Create collection_microsoft_365_new_inbox_rule.toml (#1068) Co-authored-by: Justin Ibarra Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...llection_microsoft_365_new_inbox_rule.toml | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml diff --git a/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml b/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml new file mode 100644 index 000000000..0563f8864 --- /dev/null +++ b/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2021/03/29" +maturity = "production" +updated_date = "2021/03/29" + +[rule] +author = ["Elastic", "Gary Blackwell", "Austin Songer"] +description = """ +Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on +conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions +are required on the mailbox to create an Inbox rule. +""" +false_positives = [ + """ + An inbox rule may be created by a system or network administrator. Verify that the configuration change was + expected. Exceptions can be added to this rule to filter expected behavior. + """, +] +from = "now-30m" +index = ["filebeat-*", "logs-o365*"] +language = "kuery" +license = "Elastic License v2" +name = "Microsoft 365 New Inbox Rule Created" +note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +references = [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", +] +risk_score = 21 +rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78" +severity = "low" +tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-InboxRule" and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" +id = "T1114" + +[[rule.threat.technique.subtechnique]] +name = "Email Forwarding Rule" +reference = "https://attack.mitre.org/techniques/T1114/003/" +id = "T1114.003" + + + +[rule.threat.tactic] +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" +id = "TA0009" +