From 97d429e31471ea6157c40ec19d2ff95c03453bc0 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 19 Jul 2023 16:05:13 +0100
Subject: [PATCH] [New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933)

* [New] Suspicious Microsoft 365 Mail Access by ClientAppId Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---
 ...ss_microsoft_365_abnormal_clientappid.toml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml

diff --git a/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
new file mode 100644
index 000000000..df836da58
--- /dev/null
+++ b/rules/integrations/o365/initial_access_microsoft_365_abnormal_clientappid.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/07/18"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_version = "8.6.0"
+integration = ["o365"]
+updated_date = "2023/07/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last
+10 days.
+"""
+false_positives = ["User using a new mail client."]
+from = "now-30m"
+index = ["filebeat-*", "logs-o365*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious Microsoft 365 Mail Access by ClientAppId"
+note = """## Setup
+
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+"""
+references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"]
+risk_score = 47
+rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["o365.audit.ClientAppId", "user.id"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
\ No newline at end of file
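Review bot: The `description` on the new side does not match what `[rule.new_terms]` keys on: with `value = ["o365.audit.ClientAppId", "user.id"]` the alert fires when the ClientAppId/user pair is new, so an application already common in the tenant still alerts the first time each user accesses mail through it, and the "fist" typo should be fixed in the same edit; suggested wording: `Identifies when a Microsoft 365 mailbox is accessed by a ClientAppId that was observed for the first time for that user during the last 10 days.` The `note` Setup section should also state that `MailItemsAccessed` events are only recorded for mailboxes covered by Purview Audit (Premium) licensing at the time of the referenced CISA advisory, so the absence of alerts for other users does not mean their mailboxes were not accessed. The tag `"Use Case: Configuration Audit"` looks out of place for a mailbox-access detection; the repository's `Use Case: Threat Detection` tag, if that is the current taxonomy, seems the better fit. Since `history_window_start` is `now-10d`, the `false_positives` entry (`User using a new mail client.`) would be easier to act on if the note also suggested comparing the alerting `o365.audit.ClientAppId` against values seen tenant-wide, because a first-seen application for one user is not itself evidence of misuse.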