[Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105)

* tuning M365 impossible travel activity rules

* added further filters for user-type logins

* adjusted updated date
Terrance DeJesus
2024-09-28 18:13:03 -04:00
committed by GitHub
parent 1d1b2eb90f
commit ef4e433d97
3 changed files with 11 additions and 3 deletions
@@ -4,7 +4,7 @@ integration = ["o365"]
maturity = "production"
min_stack_comments = "ES|QL not available until 8.13.0 in technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/09/05"
updated_date = "2024/09/25"
[rule]
author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -65,6 +65,10 @@ from logs-o365.audit-*
"UserStrongAuthExpired",
"CmsiInterrupt"
)
// ignore unavailable
and o365.audit.UserId != "Not Available"
// filters out non user or application logins based on target
and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")
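Review bot: The new `and o365.audit.UserId != "Not Available"` predicate also discards every row whose `o365.audit.UserId` is null, because in ES|QL a comparison against null evaluates to null and `WHERE` keeps only rows whose condition is true; if dropping unresolved-and-missing actors is intended, say so, otherwise keep nulls explicitly with an `IS NULL` disjunct. The `// ignore unavailable` comment should state what the sentinel is and what the rule gives up by excluding it, e.g. `// "Not Available" is Microsoft's placeholder for an unresolved actor; such logins are excluded here (null UserId is dropped too)`. The `Target.Type in ("0", "2", "3", "5", "6", "10")` list is a set of opaque numeric codes with no explanation; a comment mapping each code to its Microsoft target type would help the next tuner, but the mapping cannot be confirmed from this hunk, so please source it from the Microsoft 365 audit schema. The enclosing ES|QL query starts before this hunk.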
@@ -2,7 +2,7 @@
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/04"
updated_date = "2024/09/25"
[rule]
author = ["Elastic"]
@@ -36,6 +36,8 @@ event.dataset: "o365.audit"
and event.provider: "AzureActiveDirectory"
and event.action: "UserLoggedIn"
and event.outcome: "success"
and not o365.audit.UserId: "Not Available"
and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
'''
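Review bot: The `o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")` clause is a list of bare numeric codes, and KQL inside the `'''` string has no comment syntax, so nothing in this rule explains which target types are kept or why "Not Available" actors are dropped; that rationale belongs in the rule's `note` or `description` field (outside this hunk), e.g. `Logins whose UserId is "Not Available" (actor unresolved by Microsoft 365) and whose Target.Type is not a user or application type are excluded from this rule.` Excluding unresolved actors is a deliberate visibility gap, so the tuning guidance should mention it as well. Note that `not field: value` in KQL also keeps documents where the field is absent, which is presumably what you want here — confirm. The query starts before this hunk.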
@@ -2,7 +2,7 @@
creation_date = "2024/09/04"
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/04"
updated_date = "2024/09/25"
[rule]
author = ["Elastic"]
@@ -34,6 +34,8 @@ event.dataset: "o365.audit"
and event.provider: "AzureActiveDirectory"
and event.action: "UserLoggedIn"
and event.outcome: "success"
and not o365.audit.UserId: "Not Available"
and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
'''
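Review bot: The `not o365.audit.UserId: "Not Available"` exclusion is an exact, case-sensitive match if `o365.audit.UserId` is mapped as a keyword, so a differently cased or localized sentinel from Microsoft would not be filtered; confirm the sentinel's exact form against the o365 integration mapping and sample events before relying on it. The identical `Target.Type` code list now appears verbatim in three rule queries per the diffstat, and because the KQL string cannot carry a comment, the code-to-type mapping should be recorded in each rule's `note` field so the lists do not drift, e.g. `Target.Type codes kept: 0, 2, 3, 5, 6, 10 (user/application targets per the Microsoft 365 audit schema).` The query starts before this hunk.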