security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] O365 Exchange Safe Link Policy Disabled (#577)

Browse Source 
* Create initial_access_o365_exchange_safelinks_disabled.toml

* Update initial_access_o365_exchange_safelinks_disabled.toml

* linting

* update description

* update tags

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-11-30 10:52:33 -05:00
committed by GitHub
parent 33e731416d
commit b21d32acf4
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/o365/initial_access_o365_exchange_safelinks_disabled.toml
+52
View File
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2020/11/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/18"
[rule]
author = ["Elastic"]
description = """
Identifies when a Safe Link policy is disabled in Office 365. Safe Link policies for Office applications extend phishing
protection to documents that contain hyperlinks, even after they have been delivered to a user.
"""
false_positives = [
"""
Disabling safe links may be done by a system or network administrator. Verify that the configuration change was
expected. Exceptions can be added to this rule to filter expected behavior.
""",
]
from = "now-30m"
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "O365 Exchange Safe Link Policy Disabled"
note = "The O365 Fleet integration or Filebeat module must be enabled to use this rule."
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide",
]
risk_score = 47
rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
severity = "medium"
tags = ["Elastic", "Cloud", "Office 365", "Continuous Monioring", "SecOps", "Identity and Access"]
type = "query"
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"