diff --git a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml b/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
index 7e0863c25..c73e50359 100644
--- a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 [rule]
 author = ["Elastic"]
@@ -145,4 +145,20 @@ reference = "https://attack.mitre.org/techniques/T1528/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 4ffdf7111..7868c9b8f 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
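Review bot: The new `[[rule.threat]]` block at the end of credential_access_azure_entra_suspicious_signin.toml adds Initial Access (TA0001) as a tactic, but the hunk leaves the rule's `tags` array untouched, so unless it already lists `"Tactic: Initial Access"` the tags and the `rule.threat` tactics are out of step — the renamed rules in this diff (runbook, first-time device code, application credential modification) do update `tags` when a tactic changes. The same tactic-without-tag check applies to the tactic blocks added in credential_access_storage_account_key_regenerated.toml (Persistence), discovery_blob_container_access_mod.toml (Defense Evasion and Exfiltration, replacing Initial Access), initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml, initial_access_entra_oauth_phishing_via_vscode_client.toml, initial_access_entra_rare_app_id_for_principal_auth.toml, initial_access_graph_first_occurrence_of_client_request.toml and persistence_entra_id_rt_to_prt_transition_from_user_device.toml (Credential Access), initial_access_entra_rare_authentication_requirement_for_principal_user.toml (Defense Evasion) and persistence_azure_automation_webhook_created.toml (Persistence and Resource Development). Where the tag is missing, add the matching `"Tactic: …",` entry to `tags` so the two stay in agreement.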
@@ -85,13 +85,33 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 9c3ca099c..c8cc16fb7 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,10 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
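Review bot: `T1552.005` (Cloud Instance Metadata API) describes credentials read from an instance metadata endpoint, while the hunk header shows this rule matching `azure.activitylogs.operation_name` for a storage-account key regeneration, so the new `[[rule.threat.technique.subtechnique]]` block in credential_access_storage_account_key_regenerated.toml does not describe the detected activity. Keeping the parent `T1552` (Unsecured Credentials) alone — dropping the four `T1552.005` lines — keeps the Credential Access mapping accurate; the `T1098.001` (Additional Cloud Credentials) block added below it does fit the event. The rule's query and description are outside this hunk, so if they reference metadata-service access the subtechnique can stay.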
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 4f926b954..dfe015d92 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -85,9 +85,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index f5c04c6e2..65b04a55d 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -87,9 +87,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index 53c7c70c6..98b13b7e5 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Austin Songer"]
@@ -90,9 +90,9 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
 [[rule.threat.technique.subtechnique]]
-id = "T1562.001"
-name = "Disable or Modify Tools"
-reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.007"
+name = "Disable or Modify Cloud Firewall"
+reference = "https://attack.mitre.org/techniques/T1562/007/"
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index 52b040036..9bcee0ccb 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -76,9 +76,9 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1526"
-name = "Cloud Service Discovery"
-reference = "https://attack.mitre.org/techniques/T1526/"
+id = "T1619"
+name = "Cloud Storage Object Discovery"
+reference = "https://attack.mitre.org/techniques/T1619/"
 [rule.threat.tactic]
@@ -88,13 +88,25 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1190"
-name = "Exploit Public-Facing Application"
-reference = "https://attack.mitre.org/techniques/T1190/"
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml
similarity index 93%
rename from rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
rename to rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml
index 3fd646128..51323a2db 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ references = [
 risk_score = 21
 rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Execution", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
@@ -78,3 +78,15 @@ event.dataset:azure.activitylogs and event.outcome:(Success or success)
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index b6baefbe8..b6262d873 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -84,9 +84,9 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1059"
-name = "Command and Scripting Interpreter"
-reference = "https://attack.mitre.org/techniques/T1059/"
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index b81637fa6..74ded59c5 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Austin Songer"]
@@ -78,6 +78,16 @@ event.outcome:(Success or success)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+[[rule.threat.technique]]
+id = "T1529"
+name = "System Shutdown/Reboot"
+reference = "https://attack.mitre.org/techniques/T1529/"
+
 [rule.threat.tactic]
 id = "TA0040"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 1657100c3..008456880 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/09/26"
 [rule]
 author = ["Austin Songer"]
@@ -89,6 +89,10 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index 84c1ea44c..554637295 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
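Review bot: In impact_kubernetes_pod_deleted.toml the second added technique, `T1529` (System Shutdown/Reboot), describes shutting down or rebooting a system, while a pod delete in AKS stops a workload — which the `T1489` (Service Stop) block added just above it already covers. Unless the query (outside this hunk) also matches node- or cluster-level operations, the `T1529` `[[rule.threat.technique]]` block over-states the mapping and can be removed, leaving the Impact block with `T1489` alone.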
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -105,4 +105,21 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
similarity index 85%
rename from rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
rename to rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
index 4ede482fd..7dbd4b00b 100644
--- a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
+++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ tags = [
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
+ "Tactic: Initial Access",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -84,13 +84,41 @@ Entra ID Device Code Authentication allows users to authenticate devices using a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
index 86053f89e..0509c5e3a 100644
--- a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
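Review bot: The second `[[rule.threat]]` block added here in initial_access_entra_id_device_code_auth_with_broker_client.toml introduces Defense Evasion (TA0005) as a tactic, but the `tags` hunk earlier in the same file (`@@ -30,7 +30,7 @@`) only swaps `"Tactic: Credential Access"` for `"Tactic: Initial Access"`, so the rule now carries a tactic with no matching tag. Either add `"Tactic: Defense Evasion",` next to the Initial Access tag, or drop the TA0005 block if a single tactic was intended; the rest of this diff keeps `tags` and `rule.threat` tactics aligned.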
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -87,6 +87,10 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
similarity index 93%
rename from rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
rename to rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
index 72c76e805..d0b2c8b02 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_user_impersonation_scope.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/03"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/03"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,6 @@ tags = [
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Sign-In Logs",
- "Tactic: Defense Evasion",
  "Tactic: Initial Access",
  "Resources: Investigation Guide",
 ]
@@ -87,6 +86,23 @@ event.dataset: azure.signinlogs and
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -98,6 +114,11 @@ id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
+[[rule.threat.technique]]
+id = "T1656"
+name = "Impersonation"
+reference = "https://attack.mitre.org/techniques/T1656/"
+
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
index b9c403c63..4bade699e 100644
--- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 [rule]
 author = ["Elastic"]
@@ -193,6 +193,15 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
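Review bot: In initial_access_entra_id_oauth_user_impersonation_scope.toml the `tags` hunk removes `"Tactic: Defense Evasion"`, yet the pre-existing `[[rule.threat]]` block that the `@@ -98,6 +114,11 @@` hunk extends with `T1656` still ends in a `[rule.threat.tactic]` whose id lies outside the hunk; both `T1550` and `T1656` are Defense Evasion techniques in ATT&CK, so if that tactic is still TA0005 the tags and `rule.threat` tactics now disagree. Either keep the `"Tactic: Defense Evasion",` tag or move that block under the tactic the rename intends; adding the technique alone does not resolve the mismatch.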
@@ -208,4 +217,16 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
index c6b01b5a3..4492b05a4 100644
--- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
+++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/21"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -84,6 +84,10 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml
index b07416330..f6686971a 100644
--- a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml
+++ b/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -118,4 +118,16 @@ reference = "https://attack.mitre.org/techniques/T1566/002/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
index 4c2bcd0fa..690977b93 100644
--- a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/03/10"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,18 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
index be3ebf75d..923d2bd0f 100644
--- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
+++ b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/03/25"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -127,6 +127,18 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_first_time_seen_device_code_auth.toml
similarity index 91%
rename from rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
rename to rules/integrations/azure/initial_access_first_time_seen_device_code_auth.toml
index e5e17e7b3..a2d131dbb 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/initial_access_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -89,7 +89,7 @@ tags = [
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Use Case: Identity and Access Audit",
- "Tactic: Credential Access",
+ "Tactic: Initial Access",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -109,15 +109,28 @@ event.dataset:(azure.activitylogs or azure.signinlogs)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
-id = "TA0006"
-name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
index 4ae629e46..965b90561 100644
--- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -117,6 +117,18 @@ reference = "https://attack.mitre.org/techniques/T1078/004/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/persistence_azure_application_credential_modification.toml
similarity index 94%
rename from rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
rename to rules/integrations/azure/persistence_azure_application_credential_modification.toml
index 072ba952f..615d8f3bd 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/persistence_azure_application_credential_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ tags = [
  "Domain: Cloud",
  "Data Source: Azure",
  "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
+ "Tactic: Persistence",
  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -88,18 +88,17 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index cb9f10e3b..c9fe10a5b 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -77,3 +77,26 @@ event.dataset:azure.activitylogs and event.outcome:(Success or success)
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1608"
+name = "Stage Capabilities"
+reference = "https://attack.mitre.org/techniques/T1608/"
+
+[rule.threat.tactic]
+id = "TA0042"
+name = "Resource Development"
+reference = "https://attack.mitre.org/tactics/TA0042/"
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index e81be6818..ba064465e 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 [rule]
 author = ["Elastic"]
@@ -88,6 +88,10 @@ framework = "MITRE ATT&CK"
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index fa292e7a4..4900b86c8 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
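Review bot: Mapping the webhook creation in persistence_azure_automation_webhook_created.toml to `T1608` (Stage Capabilities) under Resource Development (TA0042) is doubtful: that tactic covers an adversary preparing infrastructure they control, whereas the hunk header shows this rule matching `event.dataset:azure.activitylogs` for a webhook created inside the monitored tenant. The Persistence block with `T1546` (Event Triggered Execution) already captures the behaviour, so the second `[[rule.threat]]` block should be dropped unless the rule's description (outside this hunk) argues for the staging angle. If it stays, the `tags` array needs a matching `"Tactic: Resource Development",` entry.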
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -86,9 +86,13 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
index cda641920..1899b1dd2 100644
--- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
+++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/06/24"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,18 @@ name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [rule.threat.tactic]
 id = "TA0001"
diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml
index 5c6a7de32..75718ef6e 100644
--- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml
+++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -91,6 +91,15 @@ id = "T1098.005"
 name = "Device Registration"
 reference = "https://attack.mitre.org/techniques/T1098/005/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml
similarity index 90%
rename from rules/integrations/azure/collection_update_event_hub_auth_rule.toml
rename to rules/integrations/azure/persistence_update_event_hub_auth_rule.toml
index 2d505ecfb..345756c0c 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Persistence", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -79,25 +79,29 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1530"
-name = "Data from Cloud Storage"
-reference = "https://attack.mitre.org/techniques/T1530/"
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
-id = "TA0009"
-name = "Collection"
-reference = "https://attack.mitre.org/tactics/TA0009/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1537"
-name = "Transfer Data to Cloud Account"
-reference = "https://attack.mitre.org/techniques/T1537/"
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.005"
+name = "Cloud Instance Metadata API"
+reference = "https://attack.mitre.org/techniques/T1552/005/"
 [rule.threat.tactic]
-id = "TA0010"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0010/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 1ef684d77..e11f98050 100644
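Review bot: The new T1552.005 Cloud Instance Metadata API sub-technique does not describe what this rule detects: an Event Hub authorization-rule update changes a shared-access policy on the namespace, whereas T1552.005 covers reading credentials from the instance metadata service of a compute resource. The parent T1552 Unsecured Credentials is already a loose fit for a key-management write; keeping the sub-technique would point analysts at IMDS activity that the `azure.activitylogs` event in the hunk header cannot contain. Suggest removing the four lines from `+[[rule.threat.technique.subtechnique]]` through `+reference = "https://attack.mitre.org/techniques/T1552/005/"`, or replacing them with a sub-technique that actually matches SAS-key access; if the same sub-technique was applied to other Azure key-management rules in this change, those deserve the same check.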
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -78,4 +78,16 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 51171c51d..26c05f7bc 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -78,6 +78,15 @@ id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index c637cb21e..e249506ec 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -82,9 +82,30 @@ event.outcome:(Success or success)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml
index e2272b693..d8ea71f9c 100644
--- a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml
+++ b/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
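Review bot: The new Persistence entry stops at the parent technique T1098 Account Manipulation, while the other role-grant rules in this diff (the PIM global-admin, PIM role-modified and Exchange management-role hunks) add the T1098.003 Additional Cloud Roles sub-technique for the same kind of event; an AKS RoleBinding is a role grant and would take the same sub-technique, so add a `[[rule.threat.technique.subtechnique]]` block with `id = "T1098.003"` and `name = "Additional Cloud Roles"` under the T1098 technique to keep the three consistent. The T1078.004 Cloud Accounts mapping under Privilege Escalation is harder to ground from this event alone: a successful RoleBinding creation says nothing about whether the caller's account was legitimately held or stolen, so if that mapping is deliberate the rule's investigation guidance should say why.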
@@ -102,4 +102,21 @@ reference = "https://attack.mitre.org/techniques/T1098/005/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
index 448eb30ea..63b7a7743 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -130,6 +130,21 @@ framework = "MITRE ATT&CK"
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
 [rule.threat.tactic]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml
similarity index 93%
rename from rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 103daf241..bde99c06e 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: Microsoft 365",
     "Use Case: Configuration Audit",
-    "Tactic: Initial Access",
+    "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -86,13 +86,17 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml
similarity index 93%
rename from rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml
index c49431ca1..390b6acf4 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: Microsoft 365",
     "Use Case: Configuration Audit",
-    "Tactic: Initial Access",
+    "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -86,13 +86,17 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml
similarity index 93%
rename from rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml
index 94caa0432..1ccb9aaf0 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ references = [
 risk_score = 47
 rule_id = "514121ce-c7b6-474a-8237-68ff71672379"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -79,13 +79,17 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1556"
-name = "Modify Authentication Process"
-reference = "https://attack.mitre.org/techniques/T1556/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml
similarity index 93%
rename from rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml
index 31acdfec8..69f8c6c40 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: Microsoft 365",
     "Use Case: Identity and Access Audit",
-    "Tactic: Initial Access",
+    "Tactic: Defense Evasion",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -84,13 +84,17 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1566"
-name = "Phishing"
-reference = "https://attack.mitre.org/techniques/T1566/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index 0499a78aa..dce13781d 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/13"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -84,6 +84,10 @@ id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
index 9c2476082..29c7c6a97 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -134,4 +134,32 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml
similarity index 94%
rename from rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml
index bd6226b48..52d47e153 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts
 risk_score = 47
 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -80,9 +80,14 @@ o365.audit.NewValue:True and event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml
similarity index 94%
rename from rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml
index df7c20b91..3a141c6f9 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-a
 risk_score = 47
 rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -79,13 +79,13 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 60a023e99..486a76585 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -66,7 +66,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: Microsoft 365",
     "Use Case: Configuration Audit",
-    "Tactic: Initial Access",
+    "Tactic: Impact",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -79,14 +79,9 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 560e67b7a..9db0c6470 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -85,4 +85,20 @@ reference = "https://attack.mitre.org/techniques/T1080/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1608"
+name = "Stage Capabilities"
+reference = "https://attack.mitre.org/techniques/T1608/"
+[[rule.threat.technique.subtechnique]]
+id = "T1608.001"
+name = "Upload Malware"
+reference = "https://attack.mitre.org/techniques/T1608/001/"
+
+
+[rule.threat.tactic]
+id = "TA0042"
+name = "Resource Development"
+reference = "https://attack.mitre.org/tactics/TA0042/"
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 1ddff7054..93ba7eb12 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
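Review bot: With the T1078 Valid Accounts block removed, the `[[rule.threat]]` entry now carries the Impact tactic and no technique at all; tactic-only entries already exist in this rule set (the Kubernetes RoleBinding rule had one before this change), so the schema accepts it, but it leaves analysts with nothing to pivot on, and Impact is a loose fit for the event in the first place. Judging by the file name and the `SecurityComplianceCenter` provider in the hunk header, the event is Microsoft restricting a mailbox that exceeded outbound sending limits, i.e. evidence that an account is being used for bulk or phishing mail rather than an adversary action against data or availability. If that is the intended reading, a separate `[[rule.threat]]` entry for T1534 Internal Spearphishing under Lateral Movement, or restoring T1078 Valid Accounts under one of the tactics ATT&CK lists for it, would make the mapping actionable; otherwise a sentence in the rule description explaining the Impact choice would help the next maintainer.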
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -84,4 +84,20 @@ reference = "https://attack.mitre.org/techniques/T1080/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1608"
+name = "Stage Capabilities"
+reference = "https://attack.mitre.org/techniques/T1608/"
+[[rule.threat.technique.subtechnique]]
+id = "T1608.001"
+name = "Upload Malware"
+reference = "https://attack.mitre.org/techniques/T1608/001/"
+
+
+[rule.threat.tactic]
+id = "TA0042"
+name = "Resource Development"
+reference = "https://attack.mitre.org/tactics/TA0042/"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index ddd4196f6..7263b6f9d 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -88,6 +88,10 @@ framework = "MITRE ATT&CK"
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 
 
 [rule.threat.tactic]