From 6a7c1e96749fd5c2fc8801da747f4e29d18150a1 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Fri, 20 Feb 2026 14:00:34 -0500
Subject: [PATCH] [Rule Deprecation] Deprecate Individual MSFT Compliance Rules (#5679)

* [Rule Tuning] Deprecate Individual MSFT Defender Rules / Create BBR MSFT Defender Rule
Fixes #5678
* adjusted naming; fixed mitre match
* adding M365 Exchange DLP Policy Deleted to deprecation
* adjusted BBR naming to represent Purview and not Defender
* added tactic tags
* adding filebeat
* removed new rule
---
 .../defense_evasion_exchange_dlp_policy_removed.toml | 10 +++-------
 ...urity_compliance_potential_ransomware_activity.toml | 6 +++---
 ...ity_compliance_unusual_volume_of_file_deletion.toml | 6 +++---
 ...ecurity_compliance_user_reported_phish_malware.toml | 6 +++---
 ..._compliance_user_restricted_from_sending_email.toml | 6 +++---
 5 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
index 8e95132cd..8574d32b9 100644
--- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/10"
 
 [rule]
 author = ["Elastic"]
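Review bot: `maturity = "production"` is left untouched in this `[metadata]` hunk while the rule's `name` further down is prefixed with "Deprecated - ", so the rule still ships and fires as a production rule under a confusing title; in this repository a retired rule normally sets `maturity = "deprecated"` and adds a `deprecation_date` under `[metadata]` (and moves under `rules/_deprecated/`), which is what actually drives retirement. The same applies to the metadata hunks of the other four files in this patch (impact_security_compliance_potential_ransomware_activity, impact_security_compliance_unusual_volume_of_file_deletion, initial_access_security_compliance_user_reported_phish_malware, initial_access_security_compliance_user_restricted_from_sending_email). I would change this hunk to `maturity = "deprecated"` and add `deprecation_date = "<DEPRECATION_DATE>"` beside `updated_date`. `updated_date` here becomes "2026/02/10" whereas the other four files use "2026/02/04"; if all five were edited in the same pass they should presumably agree. Since the commit message says the replacement BBR rule was removed from this change, coverage of these Security & Compliance Center events presumably lapses until that rule lands separately, which is worth stating in the description.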
@@ -20,13 +20,10 @@
 from = "now-9m"
 index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "M365 Exchange DLP Policy Deleted"
+name = "Deprecated - M365 Exchange DLP Policy Deleted"
 note = """## Triage and analysis
 
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating M365 Exchange DLP Policy Deleted
+### Investigating Deprecated - M365 Exchange DLP Policy Deleted
 
 Data Loss Prevention (DLP) in Microsoft 365 Exchange is crucial for safeguarding sensitive information by monitoring and controlling data transfers. Adversaries may exploit this by removing DLP policies to bypass data monitoring, facilitating unauthorized data exfiltration. The detection rule identifies such actions by analyzing audit logs for specific events indicating successful DLP policy removal, thus alerting security teams to potential defense evasion tactics.
@@ -93,4 +90,3 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
index 18118b60a..2a6f4711e 100644
--- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/01/29"
+updated_date = "2026/02/04"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
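Review bot: The `note` hunk for the DLP rule removes the `> **Disclaimer**:` paragraph and its trailing blank line, whereas the same deprecation edit in the other four files keeps that disclaimer intact, so the five rules end up inconsistent with no reason given in the commit message. Either restore the two disclaimer lines here or remove them from the other files as well. The new heading `### Investigating Deprecated - M365 Exchange DLP Policy Deleted` reads as if "Deprecated" were part of the product name; `### Investigating M365 Exchange DLP Policy Deleted (deprecated)` would be clearer, though this is cosmetic. The `note` multi-line string continues past the end of this hunk.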
@@ -22,10 +22,10 @@
 from = "now-9m"
 index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "M365 Security Compliance Potential Ransomware Activity"
+name = "Deprecated - M365 Security Compliance Potential Ransomware Activity"
 note = """## Triage and analysis
 
-### Investigating M365 Security Compliance Potential Ransomware Activity
+### Investigating Deprecated - M365 Security Compliance Potential Ransomware Activity
 
 Microsoft 365's cloud services can be exploited by adversaries to distribute ransomware by uploading infected files. This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity. By monitoring specific event datasets and actions, it helps security analysts pinpoint and mitigate ransomware threats, aligning with MITRE ATT&CK's impact tactics.
diff --git a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
index 86970ef65..fea069ec8 100644
--- a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/04"
 
 [rule]
 author = ["Austin Songer"]
@@ -12,13 +12,13 @@
 from = "now-9m"
 index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "M365 Security Compliance Unusual Volume of File Deletion"
+name = "Deprecated - M365 Security Compliance Unusual Volume of File Deletion"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating M365 Security Compliance Unusual Volume of File Deletion
+### Investigating Deprecated - M365 Security Compliance Unusual Volume of File Deletion
 
 Microsoft 365's cloud environment facilitates file storage and collaboration, but its vast data handling capabilities can be exploited by adversaries for data destruction. Attackers may delete large volumes of files to disrupt operations or cover their tracks. The detection rule leverages audit logs to identify anomalies in file deletion activities, flagging successful, unusual deletion volumes as potential security incidents, thus enabling timely investigation and response.
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
index 8e2db0e4f..f460f945f 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/12"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -17,13 +17,13 @@
 from = "now-9m"
 index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "M365 Security Compliance Email Reported by User as Malware or Phish"
+name = "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating M365 Security Compliance Email Reported by User as Malware or Phish
+### Investigating Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish
 
 Microsoft 365's email services are integral to business communication, but they can be exploited by adversaries through phishing or malware-laden emails. Attackers may bypass security measures, reaching users who might unwittingly engage with malicious content. The detection rule leverages user reports of suspicious emails, correlating them with security events to identify potential threats, thus enhancing the organization's ability to respond to phishing attempts and malware distribution.
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
index ce6e00177..15f545815 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/02/04"
 
 [rule]
 author = ["Austin Songer"]
@@ -15,13 +15,13 @@
 from = "now-9m"
 index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "M365 Security Compliance User Restricted from Sending Email"
+name = "Deprecated - M365 Security Compliance User Restricted from Sending Email"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating M365 Security Compliance User Restricted from Sending Email
+### Investigating Deprecated - M365 Security Compliance User Restricted from Sending Email
 
 Microsoft 365 enforces email sending limits to prevent abuse and ensure service integrity. Adversaries may exploit compromised accounts to send spam or phishing emails, triggering these limits. The detection rule monitors audit logs for successful restrictions by the Security Compliance Center, indicating potential misuse of valid accounts, aligning with MITRE ATT&CK's Initial Access tactic.