security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
caf38fd1b1f2911e89f2be30eccac7809ee0091d
sigma-rules/rules/integrations/o365
T
History
Samirbous 97d429e314 [New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933) 
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId

Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml
2023-07-19 16:05:13 +01:00
..
collection_microsoft_365_new_inbox_rule.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_microsoft_365_brute_force_user_account_attempt.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_microsoft_365_potential_password_spraying_attack.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
credential_access_user_excessive_sso_logon_errors.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
exfiltration_microsoft_365_exchange_transport_rule_creation.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
exfiltration_microsoft_365_exchange_transport_rule_mod.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
exfiltration_microsoft_365_mass_download_by_a_single_user.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
impact_microsoft_365_potential_ransomware_activity.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
impact_microsoft_365_unusual_volume_of_file_deletion.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_microsoft_365_abnormal_clientappid.toml
[New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933)
2023-07-19 16:05:13 +01:00
initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_microsoft_365_exchange_safelinks_disabled.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_microsoft_365_impossible_travel_activity.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_microsoft_365_user_restricted_from_sending_email.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
initial_access_o365_user_reported_phish_malware.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
lateral_movement_malware_uploaded_onedrive.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
lateral_movement_malware_uploaded_sharepoint.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_exchange_suspicious_mailbox_right_delegation.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_microsoft_365_exchange_management_role_assignment.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_microsoft_365_global_administrator_role_assign.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_microsoft_365_teams_external_access_enabled.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
persistence_microsoft_365_teams_guest_access_enabled.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
privilege_escalation_new_or_modified_federation_domain.toml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00