[Documentation] Fix O365 Integration name on Rules and Unit Test (#1684)

* Adjust Integration Name

* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

* Update integration name

* .

* Case

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 5a16a222ad)
Jonhnathan
2022-02-09 19:03:30 -03:00
committed by github-actions[bot]
parent d0134efec6
commit d888f7d382
31 changed files with 31 additions and 31 deletions
@@ -25,7 +25,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Inbox Forwarding Rule Created"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
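Review bot: The corrected sentence in `note` still identifies the required data source only by its display name, which is the string that had to be fixed here and in the other 29 rule files of this commit. An operator who enables the rule without the matching data presumably gets a rule that runs cleanly and never alerts, so the requirement is worth stating with an identifier that survives a rename. The test mapping in this commit keys the integration as `o365`, so the sentence could read `The Office 365 Logs Fleet integration (o365 package), Filebeat module, or similarly structured data is required to be compatible with this rule.` The expected string in the unit test would need the same wording; its template is outside the visible hunk, and the `references` array continues past this one.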
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Attempts to Brute Force a Microsoft 365 User Account"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"]
risk_score = 73
rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Potential Password Spraying of Microsoft 365 User Accounts"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
severity = "high"
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "O365 Excessive Single Sign-On Logon Errors"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
severity = "high"
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange DLP Policy Removed"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide",
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps",
]
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Malware Filter Rule Modification"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps",
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps",
]
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "O365 Mailbox Audit Logging Bypass"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://twitter.com/misconfig/status/1476144066807140355",
]
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Transport Rule Creation"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Transport Rule Modification"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
@@ -17,7 +17,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Mass download by a single user"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Potential ransomware activity"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -17,7 +17,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Unusual Volume of File Deletion"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps",
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Safe Link Policy Disabled"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide",
@@ -18,7 +18,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Impossible travel activity"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -17,7 +17,7 @@ license = "Elastic License v2"
name = "Microsoft 365 User Restricted from Sending Email"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -20,7 +20,7 @@ license = "Elastic License v2"
name = "O365 Email Reported by User as Malware or Phish"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us",
]
@@ -20,7 +20,7 @@ license = "Elastic License v2"
name = "OneDrive Malware File Upload"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
]
@@ -20,7 +20,7 @@ license = "Elastic License v2"
name = "SharePoint Malware File Upload"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
]
@@ -25,7 +25,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps",
]
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Teams Custom Application Interaction Allowed"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
risk_score = 47
rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
@@ -18,7 +18,7 @@ license = "Elastic License v2"
name = "O365 Exchange Suspicious Mailbox Right Delegation"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 21
rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
severity = "low"
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Exchange Management Group Role Assignment"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
"https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
@@ -20,7 +20,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Global Administrator Role Assigned"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
]
@@ -24,7 +24,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Teams External Access Enabled"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
risk_score = 47
rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
@@ -23,7 +23,7 @@ license = "Elastic License v2"
name = "Microsoft 365 Teams Guest Access Enabled"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps",
]
@@ -16,7 +16,7 @@ license = "Elastic License v2"
name = "New or Modified Federation Domain"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
+1 -1
@@ -602,7 +602,7 @@ class TestIntegrationRules(BaseRuleTest):
'cyberarkpas': render('CyberArk Privileged Access Security (PAS)'),
'gcp': render('GCP'),
'google_workspace': render('Google Workspace'),
'o365': render('Microsoft 365'),
'o365': render('Office 365 Logs'),
'okta': render('Okta'),
}
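Review bot: The `'o365'` entry pins the expected display name as a bare literal, and nothing in the visible lines records where that name is taken from, so a later rename has to be rediscovered the same way this one was. A comment above the mapping would state the source of truth, for example `# values must match the integration title shown in Fleet (o365 -> "Office 365 Logs")`. The dictionary and the enclosing test method start outside the hunk, so whether `render` or the method docstring already says this cannot be confirmed from here.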