[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683)

* Inbox Rule Tuning

* Add RedirectTo

* Update non-ecs-schema.json

(cherry picked from commit 50c7d5f262)
Jonhnathan
2022-01-27 09:20:49 -03:00
committed by github-actions[bot]
parent 9fd1c14450
commit 51dbef8321
2 changed files with 30 additions and 19 deletions
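--- a/non-ecs-schema.json
+++ b/non-ecs-schema.json
@@ -30,7 +30,10 @@
 "powershell.file.script_block_text": "text"
 },
 "filebeat-*": {
-"o365.audit.NewValue": "keyword"
+"o365.audit.NewValue": "keyword",
+"o365audit.Parameters.ForwardTo": "keyword",
+"o365audit.Parameters.ForwardAsAttachmentTo": "keyword",
+"o365audit.Parameters.RedirectTo": "keyword"
 },
 "logs-endpoint.events.*": {
 "process.Ext.token.integrity_level_name": "keyword",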
@@ -1,27 +1,28 @@
[metadata]
creation_date = "2021/03/29"
maturity = "production"
updated_date = "2021/07/20"
updated_date = "2022/01/05"
integration = "o365"
[rule]
author = ["Elastic", "Gary Blackwell", "Austin Songer"]
description = """
Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on
conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions
are required on the mailbox to create an Inbox rule.
Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based
on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can
abuse Inbox Rules to intercept and exfiltrate email data while not requiring organization-wide configuration changes nor
privileges to set those.
"""
false_positives = [
"""
An inbox rule may be created by a system or network administrator. Verify that the configuration change was
expected. Exceptions can be added to this rule to filter expected behavior.
Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company
policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior.
""",
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 New Inbox Rule Created"
name = "Microsoft 365 Inbox Forwarding Rule Created"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
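Review bot: The rewritten false_positives text on the `Users and Administrators can create inbox rules for legitimate purposes.` lines is missing a verb in its second sentence: `Verify if it complies with the company policy and done with the user's consent.` Suggest `Verify that the rule complies with company policy and was created with the user's consent.` so the analyst guidance reads cleanly. The new description wording (`while not requiring organization-wide configuration changes nor privileges to set those`) would also read better as `and requires neither organization-wide configuration changes nor elevated privileges`. These strings are shown to analysts in the rule UI, so they are worth getting right before the rule ships at the raised severity.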
@@ -29,35 +30,42 @@ references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide",
"https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf",
]
risk_score = 21
risk_score = 47
rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
severity = "low"
severity = "medium"
tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-InboxRule" and event.outcome:success
event.dataset:o365.audit and event.provider:Exchange and
event.category:web and event.action:"New-InboxRule" and
(
o365audit.Parameters.ForwardTo:* or
o365audit.Parameters.ForwardAsAttachmentTo:* or
o365audit.Parameters.RedirectTo:*
)
and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"
id = "T1114"
[[rule.threat.technique.subtechnique]]
name = "Email Forwarding Rule"
reference = "https://attack.mitre.org/techniques/T1114/003/"
id = "T1114.003"
[[rule.threat.technique.subtechnique]]
id = "T1114.003"
name = "Email Forwarding Rule"
reference = "https://attack.mitre.org/techniques/T1114/003/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
id = "TA0009"
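Review bot: The new parenthesised clause narrows the match to `o365audit.Parameters.ForwardTo:*`, `o365audit.Parameters.ForwardAsAttachmentTo:*` and `o365audit.Parameters.RedirectTo:*`, which is the Filebeat-module field naming, while `index` (set in the first hunk) still includes `logs-o365*` and the note promises Fleet-integration compatibility. The schema hunk registers these keys next to an existing `o365.audit.NewValue` entry, which suggests Fleet-ingested events carry the parameters under an `o365.audit.`-prefixed name instead; if that is the case, those events never satisfy the new clause and silently drop out of a rule they matched before, so the mapping should be confirmed and, if needed, the `o365.audit.Parameters.ForwardTo:*` / `ForwardAsAttachmentTo:*` / `RedirectTo:*` alternatives added inside the same `or` group. A smaller coverage point: `event.action:"New-InboxRule"` is unchanged, so a forward added to an existing rule via a modify action is still outside this rule's scope, which is worth stating in the note so analysts do not read the new name as covering it. The duplicated `id = "T1114"` / `id = "TA0009"` lines look like a key reordering in the rendering rather than a content change.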