From ef4e433d97e1abfca683b42737c1b748e51cca4f Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Sat, 28 Sep 2024 18:13:03 -0400
Subject: [PATCH] [Rule Tuning] Ignore "Not Available" in `o365.audit.UserId` for Microsoft 365 Rules (#4105)

* tuning M365 impossible travel activity rules
* added additional filters for user type logins
* adjusted updated date
---
 ...cess_microsoft_365_brute_force_user_account_attempt.toml | 6 +++++-
 ...ccess_microsoft_365_impossible_travel_portal_logins.toml | 4 +++-
 ...ccess_microsoft_365_portal_login_from_rare_location.toml | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index a74a09a64..ab55cbd1e 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "ES|QL not available until 8.13.0 in technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/09/05"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -65,6 +65,10 @@ from logs-o365.audit-*
 "UserStrongAuthExpired",
 "CmsiInterrupt"
 )
+
+ // ignore unavailable
+ and o365.audit.UserId != "Not Available"
+
 // filters out non user or application logins based on target
 and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")
 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
index 90a2a6af2..2f593839b 100644
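Review bot: In ES|QL a comparison against a missing field yields null, so `and o365.audit.UserId != "Not Available"` in the second hunk now also drops every event that has no `UserId` at all, which the previous WHERE kept; if that is intended (for example because the later STATS groups by UserId, which is outside this hunk) the comment should say so, and if not, write it as `and (o365.audit.UserId is null or o365.audit.UserId != "Not Available")`. The `// ignore unavailable` comment would help the next maintainer more if it named what is being ignored, e.g. `// drop events where the audit log reports the actor as the literal placeholder "Not Available" instead of a principal`. The match is exact, so it is worth confirming against ingested data that the placeholder is emitted with this exact casing. The enclosing query starts and ends outside the hunk.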
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,8 @@ event.dataset: "o365.audit"
 and event.provider: "AzureActiveDirectory"
 and event.action: "UserLoggedIn"
 and event.outcome: "success"
+ and not o365.audit.UserId: "Not Available"
+ and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
 
 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
index 7f2471122..7edab168d 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -34,6 +34,8 @@ event.dataset: "o365.audit"
 and event.provider: "AzureActiveDirectory"
 and event.action: "UserLoggedIn"
 and event.outcome: "success"
+ and not o365.audit.UserId: "Not Available"
+ and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
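Review bot: In KQL `not o365.audit.UserId: "Not Available"` is true when the field is absent, so the impossible-travel rule keeps events with no `UserId`, while the ES|QL brute-force rule patched in the same commit drops them (a `!=` against a missing field is null there); the rules now diverge on that edge case, which should either be aligned or stated in the rule's `note` field if one exists. The new `o365.audit.Target.Type: (...)` clause requires the field to be present, so a successful `UserLoggedIn` event that lacks `Target.Type` will no longer alert — confirm from ingested data that the field is populated for the login events these rules target, or express the filter as an exclusion of the non-user types instead. KQL has no comment syntax, so the meaning of the six `Target.Type` values (the ES|QL rule documents them as filtering out non-user/application logins) belongs in the rule's description or note outside the query string. The same two lines are added to initial_access_microsoft_365_portal_login_from_rare_location.toml in the last hunk, which may continue past the end of what is shown here.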