[New Rule] O365 Exchange Transport Rule Modification (#592)

* [New Rule] O365 Exchange Transport Rule Modification

* Update exfiltration_o365_exchange_transport_rule_mod.toml

* update description
Brent Murphy
2020-11-30 11:57:48 -05:00
committed by GitHub
parent 3751095897
commit ba52c3d426
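--- /dev/null
+++ b/exfiltration_o365_exchange_transport_rule_mod.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2020/11/19"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/11/19"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a transport rule has been disabled or deleted in Office 365. Mail flow rules (also known as transport
+rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
+threat may modify a transport rule to exfiltrate data or evade defenses.
+"""
+false_positives = [
+"""
+A transport rule may be modified by a system or network administrator. Verify that the configuration change was
+expected. Exceptions can be added to this rule to filter expected behavior.
+""",
+]
+from = "now-30m"
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "O365 Exchange Transport Rule Modification"
+note = "The O365 Fleet integration or Filebeat module must be enabled to use this rule."
+references = [
+"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
+"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
+"https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
+]
+risk_score = 47
+rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Office 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+type = "query"
+query = '''
+event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"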
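Review bot: The query matches only `Remove-TransportRule` and `Disable-TransportRule`, so the rule never fires on an edited transport rule even though `name` says "Modification" and the description says an adversary "may modify a transport rule to exfiltrate data" — the exfiltration case this rule is mapped to (T1537) is typically a change to an existing rule's action rather than its deletion. Either extend the `event.action` list, e.g. `event.action:("Remove-TransportRule" or "Disable-TransportRule" or "Set-TransportRule")`, accepting that the false-positive note then also has to cover routine edits, or narrow `name` and the first sentence of `description` to "disabled or deleted" so the contract matches what the KQL detects. Separately, disabling or deleting a mail flow rule fits the "evade defenses" wording better than Exfiltration; consider a second `[[rule.threat]]` entry under Defense Evasion (TA0005 / T1562.001 Disable or Modify Tools) so analysts triage it under both tactics. The `event.category:web` clause is presumably what the o365.audit module emits for Exchange admin audit events — worth confirming against a sample document, since a mismatch silently blanks the rule.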