diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json index 370284e04..b6ed2a51d 100644 --- a/etc/non-ecs-schema.json +++ b/etc/non-ecs-schema.json @@ -30,7 +30,10 @@ "powershell.file.script_block_text": "text" }, "filebeat-*": { - "o365.audit.NewValue": "keyword" + "o365.audit.NewValue": "keyword", + "o365audit.Parameters.ForwardTo": "keyword", + "o365audit.Parameters.ForwardAsAttachmentTo": "keyword", + "o365audit.Parameters.RedirectTo": "keyword" }, "logs-endpoint.events.*": { "process.Ext.token.integrity_level_name": "keyword", diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index fbb16a01b..14b975994 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -1,27 +1,28 @@ [metadata] creation_date = "2021/03/29" maturity = "production" -updated_date = "2021/07/20" +updated_date = "2022/01/05" integration = "o365" [rule] author = ["Elastic", "Gary Blackwell", "Austin Songer"] description = """ -Identifies when a new Inbox rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on -conditions and take actions, such as moving a message to a specified folder or deleting a message. Adequate permissions -are required on the mailbox to create an Inbox rule. +Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based +on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can +abuse Inbox Rules to intercept and exfiltrate email data while not requiring organization-wide configuration changes nor +privileges to set those. """ false_positives = [ """ - An inbox rule may be created by a system or network administrator. Verify that the configuration change was - expected. Exceptions can be added to this rule to filter expected behavior. + Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company + policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior. """, ] from = "now-30m" index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 New Inbox Rule Created" +name = "Microsoft 365 Inbox Forwarding Rule Created" note = """## Config The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" @@ -29,35 +30,42 @@ references = [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf", ] -risk_score = 21 +risk_score = 47 rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78" -severity = "low" +severity = "medium" tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"] timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-InboxRule" and event.outcome:success +event.dataset:o365.audit and event.provider:Exchange and +event.category:web and event.action:"New-InboxRule" and + ( + o365audit.Parameters.ForwardTo:* or + o365audit.Parameters.ForwardAsAttachmentTo:* or + o365audit.Parameters.RedirectTo:* + ) + and event.outcome:success ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] +id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" -id = "T1114" - -[[rule.threat.technique.subtechnique]] -name = "Email Forwarding Rule" -reference = "https://attack.mitre.org/techniques/T1114/003/" -id = "T1114.003" - + [[rule.threat.technique.subtechnique]] + id = "T1114.003" + name = "Email Forwarding Rule" + reference = "https://attack.mitre.org/techniques/T1114/003/" [rule.threat.tactic] +id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" -id = "TA0009"