From d888f7d382476a24f586c30bf07c0f6de10da1cf Mon Sep 17 00:00:00 2001 
From: Jonhnathan
Date: Wed, 9 Feb 2022 19:03:30 -0300
Subject: [PATCH] [Documentation] Fix O365 Integration name on Rules and Unit Test (#1684)
* Adjust Integration Name
* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
* Update integration name
* .
* Case
Co-authored-by: Justin Ibarra
(cherry picked from commit 5a16a222adec1a9d75b00761327f3ba1a7439aaa)
---
 .../o365/collection_microsoft_365_new_inbox_rule.toml | 2 +-
 ...l_access_microsoft_365_brute_force_user_account_attempt.toml | 2 +-
 ...access_microsoft_365_potential_password_spraying_attack.toml | 2 +-
 .../o365/credential_access_user_excessive_sso_logon_errors.toml | 2 +-
 ...fense_evasion_microsoft_365_exchange_dlp_policy_removed.toml | 2 +-
 ...n_microsoft_365_exchange_malware_filter_policy_deletion.toml | 2 +-
 ..._evasion_microsoft_365_exchange_malware_filter_rule_mod.toml | 2 +-
 ...vasion_microsoft_365_exchange_safe_attach_rule_disabled.toml | 2 +-
 ...nse_evasion_microsoft_365_mailboxauditbypassassociation.toml | 2 +-
 ...ltration_microsoft_365_exchange_transport_rule_creation.toml | 2 +-
 .../exfiltration_microsoft_365_exchange_transport_rule_mod.toml | 2 +-
 .../impact_microsoft_365_mass_download_by_a_single_user.toml | 2 +-
 .../impact_microsoft_365_potential_ransomware_activity.toml | 2 +-
 .../impact_microsoft_365_unusual_volume_of_file_deletion.toml | 2 +-
 ...ccess_microsoft_365_exchange_anti_phish_policy_deletion.toml | 2 +-
 ...itial_access_microsoft_365_exchange_anti_phish_rule_mod.toml | 2 +-
 ...nitial_access_microsoft_365_exchange_safelinks_disabled.toml | 2 +-
 ...initial_access_microsoft_365_impossible_travel_activity.toml | 2 +-
 ...access_microsoft_365_user_restricted_from_sending_email.toml | 2 +-
 .../o365/initial_access_o365_user_reported_phish_malware.toml | 2 +-
 .../o365/lateral_movement_malware_uploaded_onedrive.toml | 2 +-
 .../o365/lateral_movement_malware_uploaded_sharepoint.toml | 2 +-
 .../microsoft_365_exchange_dkim_signing_config_disabled.toml | 2 +-
 .../microsoft_365_teams_custom_app_interaction_allowed.toml | 2 +-
 ...ersistence_exchange_suspicious_mailbox_right_delegation.toml | 2 +-
 ...tence_microsoft_365_exchange_management_role_assignment.toml | 2 +-
 ...sistence_microsoft_365_global_administrator_role_assign.toml | 2 +-
 ...persistence_microsoft_365_teams_external_access_enabled.toml | 2 +-
 .../persistence_microsoft_365_teams_guest_access_enabled.toml | 2 +-
 .../privilege_escalation_new_or_modified_federation_domain.toml | 2 +-
 tests/test_all_rules.py | 2 +-
 31 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 14b975994..314858425 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -25,7 +25,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Inbox Forwarding Rule Created"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 55545c019..fdaa1f511 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Attempts to Brute Force a Microsoft 365 User Account"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"]
 risk_score = 73
 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index ff4d5d376..2c86e6cb1 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Potential Password Spraying of Microsoft 365 User Accounts"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 73
 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
 severity = "high"
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 34a157ec8..59d9f49cc 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "O365 Excessive Single Sign-On Logon Errors"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 73
 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "high"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 2758714af..244705746 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange DLP Policy Removed"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
 "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide",
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 2406d2fef..dfaa30b82 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps",
 ]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index ef31bd061..2a9a65c2f 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Rule Modification"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps",
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 15e68c94a..eae6a21df 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps",
 ]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index 4d091a7dd..4d2897919 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "O365 Mailbox Audit Logging Bypass"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://twitter.com/misconfig/status/1476144066807140355",
 ]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 395e79f4d..fe93a320c 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Creation"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index bc41c6e13..dd5328a2c 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Modification"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index 9f81dca00..627d4eb2b 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Mass download by a single user"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 4fd3ff33f..291d86c6c 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Potential ransomware activity"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index ba6ac980c..d5d187b11 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Unusual Volume of File Deletion"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index aeeb483c7..bc158cc46 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index b201685ef..486976225 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 677758050..95a4a827a 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Link Policy Disabled"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 2ea2c26e6..a4439500c 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -18,7 +18,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Impossible travel activity"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index a07bbe289..77578bbb2 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -17,7 +17,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 User Restricted from Sending Email"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index fba836f0f..32eb0b2df 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "O365 Email Reported by User as Malware or Phish"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us",
 ]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index cec974c2f..b39b51e49 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "OneDrive Malware File Upload"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
 ]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 449e10a85..36ec9de52 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "SharePoint Malware File Upload"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
 ]
diff --git a/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
index 49dea5f36..0108a46eb 100644
--- a/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -25,7 +25,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps",
 ]
diff --git a/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
index ad6a0c062..8fe1cd55a 100644
--- a/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Teams Custom Application Interaction Allowed"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
 risk_score = 47
 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 0f2ec5bbb..1676327bf 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -18,7 +18,7 @@ license = "Elastic License v2"
 name = "O365 Exchange Suspicious Mailbox Right Delegation"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 21
 rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
 severity = "low"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 3969604cf..f5168d0f7 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Exchange Management Group Role Assignment"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
 "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 5036d1d4a..959a0b38a 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -20,7 +20,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Global Administrator Role Assigned"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
 ]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 3ef701257..75ea7049d 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Teams External Access Enabled"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
 risk_score = 47
 rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index bba076a46..cfabf3d78 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -23,7 +23,7 @@ license = "Elastic License v2"
 name = "Microsoft 365 Teams Guest Access Enabled"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps",
 ]
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index afe49d8fc..7ecd5481c 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "New or Modified Federation Domain"
 note = """## Config
-The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps",
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 0b0626783..da5f10df9 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -602,7 +602,7 @@ class TestIntegrationRules(BaseRuleTest):
 'cyberarkpas': render('CyberArk Privileged Access Security (PAS)'),
 'gcp': render('GCP'),
 'google_workspace': render('Google Workspace'),
- 'o365': render('Microsoft 365'),
+ 'o365': render('Office 365 Logs'),
 'okta': render('Okta'),
 }
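Review bot: The new value `render('Office 365 Logs')` hard-codes the integration's display title as a bare string with nothing recording where that title comes from, so the next time the Fleet package is renamed this mapping and the thirty rule notes changed in the same commit will drift apart again with no pointer to the source of truth. A comment on the added line would help, e.g. `# 'o365' is the rules/integrations/ directory name; the value must match the Fleet integration's display title used in each rule's Config note`. It also appears, from the `render(...)` wrapper and the matching note text in the TOML hunks, that this string is what the rule notes are checked against, so a mismatch fails the test rather than silently passing — worth confirming and stating in that comment. The dictionary and the test method that contain this line start outside the hunk.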