sigma-rules/rules_building_block/initial_access_microsoft_defender_alerts_signal.toml
Jonhnathan 8d25a7ddce [Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927)
* [Rule Tuning] Fix MS Defender XDR tag

* bump updated_date
2026-04-20 18:38:09 -03:00


# Rule metadata used by the detection-rules tooling; none of it affects the query.
[metadata]
# NOTE(review): the name suggests this exempts the rule from the scheduling
# window normally enforced for building block rules — confirm against the
# rule schema before relying on it.
bypass_bbr_timing = true
creation_date = "2026/02/20"
# The o365 integration is the expected producer of the logs-o365.audit-* data
# that the query in [rule] reads.
integration = ["o365"]
maturity = "production"
# Expected to be bumped whenever the rule content (query, tags, description) changes.
updated_date = "2026/04/07"
[rule]
author = ["Elastic"]
# Building block rule: its matches are signals meant for correlation and
# hunting (see description) rather than analyst-facing alerts, which is why
# risk_score and severity below are deliberately low.
building_block_type = "default"
description = """
Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft
Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender
Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and
identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry
collection to support comprehensive threat detection.
"""
# Look-back window per execution. No interval is set here (platform default
# applies); the window is presumably wider than that interval so records the
# O365 Management Activity API delivers late are still picked up — works
# together with timestamp_override below.
from = "now-9m"
# filebeat-* presumably covers the legacy Filebeat o365 module path; the
# event.dataset filter in the query keeps either pattern from matching
# unrelated data.
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Defender Alerts Signal"
# The last reference is the AuditLogRecordType enum that defines the
# event.code values matched in the query.
references = [
"https://learn.microsoft.com/en-us/defender-endpoint/",
"https://learn.microsoft.com/en-us/defender-cloud-apps/",
"https://learn.microsoft.com/en-us/defender-for-identity/",
"https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
]
# Static score: the query does not filter on the upstream Defender alert's
# own severity, so that must be read from the record during correlation.
risk_score = 21
rule_id = "054853f3-2ce0-41f3-a6eb-4a4867f39cdc"
# Kept because the rule matches every record of the listed types, so it can
# reach the per-execution alert cap in busy tenants.
setup = """### Additional notes
For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
# The "Tactic:" tags must stay in sync with the [[rule.threat]] entries that follow this table.
tags = [
"Domain: Cloud",
"Domain: SaaS",
"Domain: Endpoint",
"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Data Source: Microsoft Defender XDR",
"Data Source: Microsoft Defender for Cloud Apps",
"Data Source: Microsoft Defender for Identity",
"Use Case: Threat Detection",
"Tactic: Initial Access",
"Tactic: Execution",
"Tactic: Defense Evasion",
"Rule Type: BBR",
]
# Query on ingest time rather than the record's original timestamp so that
# delayed delivery is not skipped by the look-back window.
timestamp_override = "event.ingested"
type = "query"
# event.code carries the AuditLogRecordType name. NOTE(review):
# MicrosoftDefenderForIdentityAudit and DefenderExpertsforXDRAdmin read like
# audit/administrative record types rather than alert records — confirm
# against the referenced enum; if so, the description's "alerts" wording
# overstates them. A tenant whose audit subscription does not emit these
# record types yields no matches at all, so an absence of signals is a
# coverage gap, not evidence of a clean tenant.
query = '''
event.dataset:o365.audit and
event.code:(WDATPAlerts or MCASAlerts or MicrosoftDefenderForIdentityAudit or MS365DCustomDetection or DefenderExpertsforXDRAdmin)
'''
# MITRE mapping at tactic level only (no technique entries) — presumably
# because the matched records span arbitrary Defender detections, so no
# single technique can be asserted. Mirrors the "Tactic: Initial Access" tag.
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# Tactic-level MITRE mapping (no technique); mirrors the "Tactic: Execution" tag.
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Tactic-level MITRE mapping (no technique); mirrors the "Tactic: Defense Evasion" tag.
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"