Update initial_access_azure_o365_with_network_alert.toml (#4723)

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Samirbous
2025-05-19 08:24:19 -07:00
committed by GitHub
parent 47059e22f2
commit f2f9cdac66
@@ -2,7 +2,7 @@
creation_date = "2025/04/29"
integration = ["azure", "o365"]
maturity = "production"
updated_date = "2025/04/29"
updated_date = "2025/05/15"
min_stack_version = "8.17.0"
min_stack_comments = "Elastic ES|QL query functions limitation."
@@ -94,7 +94,7 @@ FROM logs-*, .alerts-security.*
// aggregated alerts count by bucket and by source.ip
| stats total_alerts = count(*), is_mail_access = COUNT_DISTINCT(mail_access_src_ip), is_azure = COUNT_DISTINCT(azure_src_ip), unique_dataset = COUNT_DISTINCT(event.dataset),is_network_alert = COUNT_DISTINCT(network_alert_src_ip), datasets = VALUES(event.dataset), rules = VALUES(kibana.alert.rule.name), cat = VALUES(event.category) by source_ip = TO_IP(source.ip)
// filter for cases where there is a successful sign-in to azure or m365 mail and the source.ip is reported by a network external alert.
| where is_network_alert > 0 and (is_mail_access > 0 or is_azure > 0 and unique_dataset >= 2)
| where is_network_alert > 0 and unique_dataset >= 2 and (is_mail_access > 0 or is_azure > 0) and total_alerts <= 100
'''