From 35553e8074db3033a270e69e9c663c2db22d3ef8 Mon Sep 17 00:00:00 2001 
From: terrancedejesus Date: Thu, 28 Aug 2025 11:54:01 -0400 Subject: [PATCH 1/9] initial adjustments to Azure ruleset --- ...sharepoint_access_for_user_principal.toml} | 7 +++-- ...lection_event_hub_created_or_updated.toml} | 15 +++++++--- ...ss_by_unusual_public_client_via_graph.toml | 6 ++-- ..._access_entra_id_brute_force_activity.toml | 6 ++-- ...d_device_code_auth_with_broker_client.toml | 6 ++-- ...s_entra_id_excessive_account_lockouts.toml | 4 +-- ..._id_first_time_seen_device_code_auth.toml} | 8 +++-- ..._id_signin_brute_force_microsoft_365.toml} | 4 +-- ...al_access_entra_id_suspicious_signin.toml} | 6 ++-- ...s_entra_id_totp_brute_force_attempts.toml} | 6 ++-- ...access_key_vault_excessive_retrieval.toml} | 9 +++--- ...y_vault_retrieval_from_rare_identity.toml} | 7 ++--- ...full_network_packet_capture_detected.toml} | 16 ++++++---- ...ccess_storage_account_key_regenerated.toml | 9 +++--- ...e_evasion_automation_runbook_deleted.toml} | 17 +++++++---- ..._application_credential_modification.toml} | 11 ++++--- ...tra_id_oauth_user_impersonation_scope.toml | 10 +++---- .../defense_evasion_event_hub_deletion.toml | 15 +++++++--- ...nsights_diagnostic_settings_deletion.toml} | 14 ++++++--- ...nse_evasion_kubernetes_events_deleted.toml | 17 +++++++---- ...ion_network_firewall_policy_deletion.toml} | 9 +++--- ...k_frontdoor_firewall_policy_deletion.toml} | 9 +++--- ...ense_evasion_network_watcher_deletion.toml | 9 +++--- ...urity_alert_suppression_rule_created.toml} | 17 +++++++---- ...on_storage_blob_permissions_modified.toml} | 9 +++--- ...overy_bloodhound_user_agents_detected.toml | 2 +- ..._teamfiltration_user_agents_detected.toml} | 2 +- ...e_blob_container_access_modification.toml} | 10 +++---- ...xecution_compute_vm_command_executed.toml} | 10 +++---- ...t_key_vault_modified_by_unusual_user.toml} | 6 ++-- .../azure/impact_kubernetes_pod_deleted.toml | 10 +++---- ...ct_resources_resource_group_deletion.toml} | 8 ++--- 
..._entra_id_external_guest_user_invite.toml} | 10 +++---- ...ngle_session_from_multiple_addresses.toml} | 6 ++-- ...tial_access_entra_id_high_risk_signin.toml | 8 ++--- ...ent_grant_via_registered_application.toml} | 8 ++--- ..._id_oauth_phishing_via_vscode_client.toml} | 8 ++--- ...al_access_entra_id_powershell_signin.toml} | 10 +++---- ...lti_azure_identity_protection_alerts.toml} | 6 ++-- ...a_id_protection_sign_in_risk_detected.toml | 2 +- ...ntra_id_protection_user_risk_detected.toml | 2 +- ...ra_id_rare_app_id_for_principal_auth.toml} | 10 +++---- ...ation_requirement_for_principal_user.toml} | 6 ++-- ...id_risky_user_or_compromised_sign_in.toml} | 10 +++---- ...ous_oauth_flow_via_auth_broker_to_drs.toml | 8 ++--- ...s_entra_id_unusual_ropc_login_attempt.toml | 6 ++-- ...al_access_entra_id_user_reported_risk.toml | 6 ++-- ...ph_first_occurrence_of_client_request.toml | 2 +- ...rsistence_automation_account_created.toml} | 8 ++--- ...tomation_runbook_created_or_modified.toml} | 8 ++--- ...rsistence_automation_webhook_created.toml} | 8 ++--- ...d_conditional_access_policy_modified.toml} | 30 +++++++++---------- ...d_global_administrator_role_assigned.toml} | 12 ++++---- ...entra_id_mfa_disabled_for_azure_user.toml} | 10 +++---- ...ce_entra_id_oidc_discovery_url_change.toml | 6 ++-- ...entra_id_pim_user_added_global_admin.toml} | 11 +++---- ...ed_identity_management_role_modified.toml} | 12 ++++---- ...rt_to_prt_transition_from_user_device.toml | 2 +- ...e_entra_id_service_principal_created.toml} | 8 ++--- ..._service_principal_credentials_added.toml} | 6 ++-- ...ntra_id_suspicious_adrs_token_request.toml | 6 ++-- ..._suspicious_cloud_device_registration.toml | 6 ++-- ...added_as_owner_for_azure_application.toml} | 10 +++---- ...as_owner_for_azure_service_principal.toml} | 10 +++---- ...id_user_signed_in_from_unusual_device.toml | 2 +- ...ce_graph_eam_addition_or_modification.toml | 6 ++-- ..._elevate_to_user_administrator_access.toml | 6 ++-- 
...n_kubernetes_aks_rolebinding_created.toml} | 8 ++--- ...oft_365_excessive_mail_items_accessed.toml | 3 +- ...ilbox_access_by_unusual_client_app_id.toml | 3 +- ...llection_microsoft_365_new_inbox_rule.toml | 6 ++-- ...a_id_device_reg_via_oauth_redirection.toml | 5 ++-- ...rosoft_365_excessive_account_lockouts.toml | 3 +- ...65_potential_user_account_brute_force.toml | 3 +- ...ccess_user_excessive_sso_logon_errors.toml | 6 ++-- ...osoft_365_exchange_dlp_policy_removed.toml | 8 +++-- ...change_malware_filter_policy_deletion.toml | 4 +-- ..._365_exchange_malware_filter_rule_mod.toml | 4 +-- ...65_exchange_safe_attach_rule_disabled.toml | 4 +-- ...oft_365_mailboxauditbypassassociation.toml | 8 ++--- ...oft_365_new_inbox_rule_delete_or_move.toml | 4 +-- ...crosoft_365_susp_oauth2_authorization.toml | 2 +- ..._365_exchange_transport_rule_creation.toml | 4 +-- ...osoft_365_exchange_transport_rule_mod.toml | 4 +-- ...ft_365_mass_download_by_a_single_user.toml | 4 +-- ...oft_365_potential_ransomware_activity.toml | 4 +-- ...t_365_unusual_volume_of_file_deletion.toml | 4 +-- ...ntra_oauth_phishing_via_vscode_client.toml | 2 +- ...5_exchange_anti_phish_policy_deletion.toml | 4 +-- ...soft_365_exchange_anti_phish_rule_mod.toml | 4 +-- ...osoft_365_exchange_safelinks_disabled.toml | 4 +-- ...sent_grant_via_registered_application.toml | 4 +-- ...rosoft_365_impossible_travel_activity.toml | 4 +-- ...t_365_impossible_travel_portal_logins.toml | 2 +- ...t_365_portal_login_from_rare_location.toml | 2 +- ...65_user_restricted_from_sending_email.toml | 4 +-- ...cess_o365_user_reported_phish_malware.toml | 4 +-- ...al_movement_malware_uploaded_onedrive.toml | 2 +- ..._movement_malware_uploaded_sharepoint.toml | 2 +- ...picious_mailbox_permission_delegation.toml | 2 +- ...exchange_dkim_signing_config_disabled.toml | 4 +-- ...5_exchange_management_role_assignment.toml | 4 +-- ..._365_global_administrator_role_assign.toml | 2 +- ..._teams_custom_app_interaction_allowed.toml | 4 +-- 
...oft_365_teams_external_access_enabled.toml | 4 +-- ...rosoft_365_teams_guest_access_enabled.toml | 4 +-- ...ion_new_or_modified_federation_domain.toml | 6 ++-- 107 files changed, 399 insertions(+), 329 deletions(-) rename rules/integrations/azure/{collection_entra_auth_broker_sharepoint_access_for_user_principal.toml => collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml} (97%) rename rules/integrations/azure/{collection_update_event_hub_auth_rule.toml => collection_event_hub_created_or_updated.toml} (94%) rename rules/integrations/azure/{credential_access_first_time_seen_device_code_auth.toml => credential_access_entra_id_first_time_seen_device_code_auth.toml} (97%) rename rules/integrations/azure/{credential_access_entra_signin_brute_force_microsoft_365.toml => credential_access_entra_id_signin_brute_force_microsoft_365.toml} (99%) rename rules/integrations/azure/{credential_access_azure_entra_suspicious_signin.toml => credential_access_entra_id_suspicious_signin.toml} (97%) rename rules/integrations/azure/{credential_access_azure_entra_totp_brute_force_attempts.toml => credential_access_entra_id_totp_brute_force_attempts.toml} (98%) rename rules/integrations/azure/{credential_access_azure_key_vault_excessive_retrieval.toml => credential_access_key_vault_excessive_retrieval.toml} (97%) rename rules/integrations/azure/{credential_access_azure_key_vault_retrieval_from_rare_identity.toml => credential_access_key_vault_retrieval_from_rare_identity.toml} (97%) rename rules/integrations/azure/{credential_access_azure_full_network_packet_capture_detected.toml => credential_access_network_full_network_packet_capture_detected.toml} (94%) rename rules/integrations/azure/{defense_evasion_azure_automation_runbook_deleted.toml => defense_evasion_automation_runbook_deleted.toml} (93%) rename rules/integrations/azure/{defense_evasion_azure_application_credential_modification.toml => defense_evasion_entra_id_application_credential_modification.toml} 
(95%) rename rules/integrations/azure/{defense_evasion_azure_diagnostic_settings_deletion.toml => defense_evasion_insights_diagnostic_settings_deletion.toml} (95%) rename rules/integrations/azure/{defense_evasion_firewall_policy_deletion.toml => defense_evasion_network_firewall_policy_deletion.toml} (96%) rename rules/integrations/azure/{defense_evasion_frontdoor_firewall_policy_deletion.toml => defense_evasion_network_frontdoor_firewall_policy_deletion.toml} (96%) rename rules/integrations/azure/{defense_evasion_suppression_rule_created.toml => defense_evasion_security_alert_suppression_rule_created.toml} (93%) rename rules/integrations/azure/{defense_evasion_azure_blob_permissions_modified.toml => defense_evasion_storage_blob_permissions_modified.toml} (96%) rename rules/integrations/azure/{discovery_teamfiltration_user_agents_detected.toml => discovery_entra_id_teamfiltration_user_agents_detected.toml} (99%) rename rules/integrations/azure/{discovery_blob_container_access_mod.toml => discovery_storage_blob_container_access_modification.toml} (96%) rename rules/integrations/azure/{execution_command_virtual_machine.toml => execution_compute_vm_command_executed.toml} (96%) rename rules/integrations/azure/{impact_azure_key_vault_modified.toml => impact_key_vault_modified_by_unusual_user.toml} (98%) rename rules/integrations/azure/{impact_resource_group_deletion.toml => impact_resources_resource_group_deletion.toml} (97%) rename rules/integrations/azure/{initial_access_external_guest_user_invite.toml => initial_access_entra_id_external_guest_user_invite.toml} (96%) rename rules/integrations/azure/{initial_access_entra_graph_single_session_from_multiple_addresses.toml => initial_access_entra_id_graph_single_session_from_multiple_addresses.toml} (98%) rename rules/integrations/azure/{initial_access_entra_illicit_consent_grant_via_registered_application.toml => initial_access_entra_id_illicit_consent_grant_via_registered_application.toml} (96%) rename 
rules/integrations/azure/{initial_access_entra_oauth_phishing_via_vscode_client.toml => initial_access_entra_id_oauth_phishing_via_vscode_client.toml} (97%) rename rules/integrations/azure/{initial_access_azure_active_directory_powershell_signin.toml => initial_access_entra_id_powershell_signin.toml} (96%) rename rules/integrations/azure/{initial_access_entra_protection_multi_azure_identity_protection_alerts.toml => initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml} (96%) rename rules/integrations/azure/{initial_access_entra_rare_app_id_for_principal_auth.toml => initial_access_entra_id_rare_app_id_for_principal_auth.toml} (91%) rename rules/integrations/azure/{initial_access_entra_rare_authentication_requirement_for_principal_user.toml => initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml} (97%) rename rules/integrations/azure/{initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml => initial_access_entra_id_risky_user_or_compromised_sign_in.toml} (95%) rename rules/integrations/azure/{persistence_azure_automation_account_created.toml => persistence_automation_account_created.toml} (97%) rename rules/integrations/azure/{persistence_azure_automation_runbook_created_or_modified.toml => persistence_automation_runbook_created_or_modified.toml} (97%) rename rules/integrations/azure/{persistence_azure_automation_webhook_created.toml => persistence_automation_webhook_created.toml} (97%) rename rules/integrations/azure/{persistence_entra_conditional_access_policy_modified.toml => persistence_entra_id_conditional_access_policy_modified.toml} (82%) rename rules/integrations/azure/{persistence_azure_global_administrator_role_assigned.toml => persistence_entra_id_global_administrator_role_assigned.toml} (94%) rename rules/integrations/azure/{persistence_mfa_disabled_for_azure_user.toml => persistence_entra_id_mfa_disabled_for_azure_user.toml} (95%) rename 
rules/integrations/azure/{persistence_azure_pim_user_added_global_admin.toml => persistence_entra_id_pim_user_added_global_admin.toml} (95%) rename rules/integrations/azure/{persistence_azure_privileged_identity_management_role_modified.toml => persistence_entra_id_privileged_identity_management_role_modified.toml} (90%) rename rules/integrations/azure/{persistence_entra_service_principal_created.toml => persistence_entra_id_service_principal_created.toml} (95%) rename rules/integrations/azure/{persistence_azure_service_principal_credentials_added.toml => persistence_entra_id_service_principal_credentials_added.toml} (96%) rename rules/integrations/azure/{persistence_user_added_as_owner_for_azure_application.toml => persistence_entra_id_user_added_as_owner_for_azure_application.toml} (96%) rename rules/integrations/azure/{persistence_user_added_as_owner_for_azure_service_principal.toml => persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml} (96%) rename rules/integrations/azure/{privilege_escalation_azure_kubernetes_rolebinding_created.toml => privilege_escalation_kubernetes_aks_rolebinding_created.toml} (97%)
diff --git a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
similarity index 97%
rename from rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
rename to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
index 30b7a44a46f..a6ad5a1bc7e 100644
--- a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
+++ b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Access for User Principal via Auth Broker"
 note = """## Triage and analysis
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Access for User Principal via Auth Broker
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
@@ -82,6 +82,7 @@ To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collecte
 severity = "high"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Use Case: Identity and Access Audit",
 "Tactic: Collection",
 "Data Source: Azure",
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
similarity index 94%
rename from rules/integrations/azure/collection_update_event_hub_auth_rule.toml
rename to rules/integrations/azure/collection_event_hub_created_or_updated.toml
index 2d505ecfb45..7e37b9d2cc5 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 """,
 ]
 from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Event Hub Authorization Rule Created or Updated"
+name = "Event Hub Authorization Rule Created or Updated"
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -67,7 +67,14 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Collection",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
index c90bc367c06..86d1fb5246a 100644
--- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/06"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Graph Suspicious Email Access by First-Party Application via Microsoft Graph"
 note = """## Triage and analysis
 ### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
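Review bot: In the `@@ -21,10 +21,10 @@` hunk the file is renamed to `collection_event_hub_created_or_updated.toml` while the new `name` still reads `Event Hub Authorization Rule Created or Updated`; the filename now suggests the rule fires on Event Hub creation, which is broader than an authorization-rule change, so the two should agree (for example `collection_event_hub_auth_rule_created_or_updated.toml`, or a name that matches the new filename). The index narrowing from `logs-azure*` to `logs-azure.activitylogs-*` changes what the rule reads and is consistent with the added `Data Source: Azure Activity Logs` tag, but the KQL query that must select activity-log fields is outside the hunk, and deployments using custom index names will silently stop matching, so the narrowing deserves a line in the PR description. The same narrowing appears in `credential_access_network_full_network_packet_capture_detected.toml` and `credential_access_storage_account_key_regenerated.toml`.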
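Review bot: In the `@@ -18,7 +18,7 @@` hunk the new `name` reads `Graph Suspicious Email Access by First-Party Application via Microsoft Graph`, which says "Graph" twice, and the `### Investigating` heading on the line below still carries the old title, so the name and the investigation guide no longer match. Dropping the trailing `via Microsoft Graph` from the name and updating the heading to the new name would fix both. The same name/heading drift appears in `credential_access_entra_id_excessive_account_lockouts.toml` (where the heading still says `Microsoft Entra ID Exccessive`, keeping the typo the name fix removes), `credential_access_entra_id_first_time_seen_device_code_auth.toml` and `credential_access_entra_id_signin_brute_force_microsoft_365.toml`; a heading such as `### Investigating Entra ID Excessive Account Lockouts Detected` is what readers of the alert will look for.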
@@ -67,6 +67,8 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Email",
 "Data Source: Azure",
 "Data Source: Microsoft Graph",
 "Data Source: Microsoft Graph Activity Logs",
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
index 5f664ef65ed..f73ddb74b5d 100644
--- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
+++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
 min_stack_version = "8.17.0"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -25,10 +25,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID Sign-In Brute Force Activity"
 note = """## Triage and analysis
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID Sign-In Brute Force Activity
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
index 4ede482fd06..77bd2f20cba 100644
--- a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
+++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,10 @@ This rule optionally requires Azure Sign-In logs from the Azure integration. Ens
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Microsoft Entra ID",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index 8981a92e250..bf50bebf762 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Exccessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 ### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
rename to rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
index e5e17e7b391..91c1f10e39d 100644
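Review bot: In the `@@ -27,8 +27,10 @@` hunk the tag `Data Source: Microsoft Entra ID` is replaced by `Data Source: Entra ID`; tags are exact-match strings, so any saved search, dashboard filter or rule-management query keyed on the old value stops matching once this ships, and the same replacement is made in `credential_access_entra_id_first_time_seen_device_code_auth.toml`. Either keep the old tag alongside the new one for a release, or call the rename out in the PR description so downstream filters can be updated. The new `Data Source: Entra ID Sign-in Logs` also spells "Sign-in" differently from the `Sign-In` used in the rule names in this patch; since the value is matched literally, one spelling should be chosen across the ruleset.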
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -16,7 +16,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
+name = "Entra ID First Occurrence of Auth via DeviceCode Protocol"
 note = """## Triage and analysis
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
@@ -86,8 +86,10 @@ setup = "This rule optionally requires Azure Sign-In logs from the Azure integra
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Microsoft Entra ID",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
similarity index 99%
rename from rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
rename to rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
index 1185de758c1..7a0d51a67fd 100644
--- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "M365 Brute Force via Entra ID Sign-Ins"
 note = """## Triage and analysis
 ### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
diff --git a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
rename to rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index 09326ac93d4..6ef9bb2a389 100644
--- a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
+name = "Entra ID Concurrent Sign-Ins with Suspicious Properties"
 note = """## Triage and analysis
-### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
+### Investigating Entra ID Concurrent Sign-Ins with Suspicious Properties
 ### Possible investigation steps
diff --git a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
similarity index 98%
rename from rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml
rename to rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
index 71102c93f69..3223c985eeb 100644
--- a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/31"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+name = "Entra ID MFA TOTP Brute Force Attempts"
 note = """## Triage and analysis
-### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+### Investigating Entra ID MFA TOTP Brute Force Attempts
 This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.
diff --git a/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
rename to rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
index f80f96bc003..696d77ba888 100644
--- a/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
+++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/24"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 interval = "8m"
 language = "esql"
 license = "Elastic License v2"
-name = "Excessive Secret or Key Retrieval from Azure Key Vault"
+name = "Key Vault Excessive Secret or Key Retrieval"
 note = """## Triage and analysis
-### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
+### Investigating Key Vault Excessive Secret or Key Retrieval
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
@@ -72,11 +72,10 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Storage",
 "Domain: Identity",
 "Data Source: Azure",
 "Data Source: Azure Platform Logs",
- "Data Source: Azure Key Vault",
+ "Data Source: Azure Key Vault Diagnostic Logs",
 "Use Case: Threat Detection",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
diff --git a/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
rename to rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
index d93f55ce5da..3759e6254df 100644
--- a/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
+++ b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/22"
+updated_date = "2025/08/28"
 [rule]
 author = ["Elastic"]
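Review bot: In the `@@ -72,11 +72,10 @@` hunk the tag `Data Source: Azure Key Vault` becomes `Data Source: Azure Key Vault Diagnostic Logs`, but the sibling rule `credential_access_key_vault_retrieval_from_rare_identity.toml` only drops `Domain: Storage` in its tags hunk and its Key Vault data-source line falls outside that hunk, so it is not clear from the patch whether both rules now carry the same data-source tag. Since both rules read the same platform-log index, they should be tagged identically or tag-based filtering will show only one of them; please confirm the second file is updated or apply the same replacement there.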
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.platformlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Key Vault Secret Key Usage by Unusual Identity"
+name = "Key Vault Secret Key Usage by Unusual Identity"
 note = """## Triage and analysis
-### Investigating Azure Key Vault Secret Key Usage by Unusual Identity
+### Investigating Key Vault Secret Key Usage by Unusual Identity
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
@@ -72,7 +72,6 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Storage",
 "Domain: Identity",
 "Data Source: Azure",
 "Data Source: Azure Platform Logs",
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
similarity index 94%
rename from rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
rename to rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
index 615a5b47f01..ffc4a19b79b 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 [rule]
 author = ["Austin Songer"]
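Review bot: In the `@@ -30,10 +30,10 @@` hunk the investigation-guide paragraph under the renamed heading still ends with `This rule detects excessive secret or key retrieval operations from Azure Key Vault`, which is the description of the sibling excessive-retrieval rule, while this rule's name is `Key Vault Secret Key Usage by Unusual Identity`; an analyst reading the alert gets the wrong triage premise. The query is outside the hunk, so the exact logic cannot be confirmed here, but based on the name and filename the sentence should read something like `This rule detects secret or key retrieval from Azure Key Vault by an identity not previously seen performing that operation, which may indicate a compromised or misused principal.`, adjusted to what the query actually does. The unchanged "Unauthorized modifications to Key Vaults" sentence in the same paragraph also describes modification rather than retrieval and could be tightened at the same time.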
@@ -20,16 +20,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Full Network Packet Capture Detected"
+name = "VNet Full Network Packet Capture Detected"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Full Network Packet Capture Detected
+### Investigating VNet Full Network Packet Capture Detected
Azure's Packet Capture is a feature of Network Watcher that allows for the inspection of network traffic, useful for diagnosing network issues. However, if misused, it can capture sensitive data from unencrypted traffic, posing a security risk. Adversaries might exploit this to access credentials or other sensitive information. The detection rule identifies suspicious packet capture activities by monitoring specific Azure activity logs for successful operations, helping to flag potential misuse.
@@ -66,7 +66,13 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
risk_score = 47
rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 4ffdf7111ab..4c62f6ea039 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/19"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -19,16 +19,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Storage Account Key Regenerated"
+name = "Storage Account Key Regenerated"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Storage Account Key Regenerated
+### Investigating Storage Account Key Regenerated
Azure Storage Account keys are critical credentials that grant access to storage resources. They are often used by applications and services to authenticate and interact with Azure Storage. Adversaries may regenerate these keys to gain unauthorized access, potentially disrupting services or exfiltrating data. The detection rule monitors for key regeneration events, flagging successful operations as potential indicators of credential misuse, thus enabling timely investigation and response.
@@ -70,6 +70,7 @@ severity = "low"
tags = [
"Domain: Cloud",
"Data Source: Azure",
+ "Data Source: Azure Activity Logs",
"Use Case: Identity and Access Audit",
"Tactic: Credential Access",
"Resources: Investigation Guide",
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
similarity index 93%
rename from rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
rename to rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
index 64091a7a4b4..a7d22e9bc2e 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
@@ -2,7 +2,7 @@
creation_date = "2020/09/01"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -11,16 +11,16 @@ Identifies when an Azure Automation runbook is deleted. An adversary may delete
disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
"""
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Automation Runbook Deleted"
+name = "Automation Runbook Deleted"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Automation Runbook Deleted
+### Investigating Automation Runbook Deleted
Azure Automation Runbooks automate repetitive tasks in cloud environments, enhancing operational efficiency. Adversaries may exploit this by deleting runbooks to disrupt operations or conceal malicious activities. The detection rule monitors Azure activity logs for successful runbook deletions, signaling potential defense evasion tactics, and alerts analysts to investigate further.
@@ -62,7 +62,14 @@ references = [
risk_score = 21
rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
similarity index 95%
rename from rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
rename to rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
index 072ba952ffd..9adf5eb2c41 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/14"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -21,16 +21,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Application Credential Modification"
+name = "Entra ID Application Credential Modification"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Application Credential Modification
+### Investigating Entra ID Application Credential Modification
Azure applications use credentials like certificates or secret strings for identity verification during token requests. Adversaries may exploit this by adding unauthorized credentials, enabling persistent access or evading defenses. The detection rule monitors audit logs for successful updates to application credentials, flagging potential misuse by identifying unauthorized credential modifications.
@@ -72,7 +72,10 @@ rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
severity = "medium"
tags = [
"Domain: Cloud",
+ "Domain: Identity",
"Data Source: Azure",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Audit Logs",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
diff --git a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
index 72c76e80596..6b74b89e928 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
@@ -2,7 +2,7 @@
creation_date = "2025/07/03"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/07/03"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -18,10 +18,10 @@ from = "now-9m"
index = ["filebeat-*", "logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Suspicious Entra ID OAuth User Impersonation Scope Detected"
+name = "Entra ID Suspicious OAuth User Impersonation Scope Detected"
note = """## Triage and Analysis
-### Investigating Suspicious Entra ID OAuth User Impersonation Scope Detected
+### Investigating Entra ID Suspicious OAuth User Impersonation Scope Detected
Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing `user_impersonation`, and a token issuer type of `AzureAD`. This rule is designed to detect suspicious OAuth user impersonation attempts in Microsoft Entra ID, particularly those involving the `user_impersonation` scope, which is often used by adversaries to gain unauthorized access to user accounts. The rule focuses on sign-in events where
@@ -67,8 +67,8 @@ tags = [
"Domain: Identity",
"Use Case: Threat Detection",
"Data Source: Azure",
- "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Sign-in Logs",
"Tactic: Defense Evasion",
"Tactic: Initial Access",
"Resources: Investigation Guide",
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 4f926b954b8..d137ca68a2e 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -18,10 +18,10 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Event Hub Deletion"
+name = "Event Hub Deletion"
note = """## Triage and analysis
> **Disclaimer**:
@@ -69,7 +69,14 @@ references = [
risk_score = 47
rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
similarity index 95%
rename from rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
rename to rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
index 9c3ca099cc0..8e47fe39455 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/17"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -19,10 +19,10 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Diagnostic Settings Deletion"
+name = "Diagnostic Settings Deletion"
note = """## Triage and analysis
> **Disclaimer**:
@@ -66,7 +66,13 @@ references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/dia
risk_score = 47
rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 41d53464d9d..feacc960cd4 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,7 @@
creation_date = "2021/06/24"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Austin Songer"]
@@ -19,16 +19,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Kubernetes Events Deleted"
+name = "AKS Kubernetes Events Deleted"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Kubernetes Events Deleted
+### Investigating AKS Kubernetes Events Deleted
Azure Kubernetes Service (AKS) manages containerized applications using Kubernetes, which logs events like state changes. These logs are crucial for monitoring and troubleshooting. Adversaries may delete these logs to hide their tracks, impairing defenses. The detection rule identifies such deletions by monitoring specific Azure activity logs, flagging successful deletion operations to alert security teams of potential evasion tactics.
@@ -68,7 +68,14 @@ references = [
risk_score = 47
rule_id = "8b64d36a-1307-4b2e-a77b-a0027e4d27c8"
severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
similarity index 96%
rename from rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
rename to rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
index f5c04c6e240..82d0481d529 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -18,16 +18,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Firewall Policy Deletion"
+name = "VNet Firewall Policy Deletion"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Firewall Policy Deletion
+### Investigating VNet Firewall Policy Deletion
Azure Firewall policies are crucial for managing and enforcing network security rules across Azure environments. Adversaries may target these policies to disable security measures, facilitating unauthorized access or data exfiltration. The detection rule monitors Azure activity logs for successful deletion operations of firewall policies, signaling potential defense evasion attempts by identifying specific operation names and outcomes.
@@ -68,6 +68,7 @@ severity = "low"
tags = [
"Domain: Cloud",
"Data Source: Azure",
+ "Data Source: Azure Activity Logs",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
similarity index 96%
rename from rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
rename to rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
index 53c7c70c607..09c5552dfee 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
creation_date = "2021/08/01"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Austin Songer"]
@@ -20,16 +20,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted"
+name = "VNet Firewall Frontdoor WAF Policy Deleted"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
+### Investigating VNet Firewall Frontdoor WAF Policy Deleted
Azure Frontdoor WAF policies are crucial for protecting web applications by filtering and monitoring HTTP requests to block malicious traffic. Adversaries may delete these policies to bypass security measures, facilitating unauthorized access or data exfiltration. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, signaling potential defense evasion attempts.
@@ -71,6 +71,7 @@ severity = "low"
tags = [
"Domain: Cloud",
"Data Source: Azure",
+ "Data Source: Azure Activity Logs",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index df552106b54..af17eda4047 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
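Review bot: `name = "VNet Firewall Frontdoor WAF Policy Deleted"` and the matching `###` heading in the `@@ -20,16` hunk file Azure Front Door under a VNet firewall prefix, while the paragraph right below still describes "Azure Frontdoor WAF policies" and the file is renamed to `defense_evasion_network_frontdoor_firewall_policy_deletion.toml`. Front Door is a global edge service with its own WAF policy resource rather than a VNet or Azure Firewall resource, so the prefix is likely to mislead triage; `Front Door WAF Policy Deleted` (or `Network Front Door WAF Policy Deleted` if the naming scheme needs a service prefix) would match both the path and the description. The same `VNet` prefix is applied to the Network Watcher rule further down in this patch; it is less of a stretch there, but the two should follow one decision.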
@@ -19,16 +19,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Network Watcher Deletion"
+name = "VNet Network Watcher Deletion"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Network Watcher Deletion
+### Investigating VNet Network Watcher Deletion
Azure Network Watcher is a vital tool for monitoring and diagnosing network issues within Azure environments. It provides insights and logging capabilities crucial for maintaining network security. Adversaries may delete Network Watchers to disable these monitoring functions, thereby evading detection. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, flagging successful attempts as potential security threats.
@@ -67,6 +67,7 @@ severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
+ "Data Source: Azure Activity Logs",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
similarity index 93%
rename from rules/integrations/azure/defense_evasion_suppression_rule_created.toml
rename to rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
index 66bcb23efcf..60af7f6c4f0 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
@@ -2,7 +2,7 @@
creation_date = "2021/08/27"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Austin Songer"]
@@ -19,16 +19,16 @@ false_positives = [
""",
]
from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Alert Suppression Rule Created or Modified"
+name = "Diagnostics Alert Suppression Rule Created or Modified"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Alert Suppression Rule Created or Modified
+### Investigating Diagnostics Alert Suppression Rule Created or Modified
Azure Alert Suppression Rules are used to manage alert noise by filtering out known false positives. However, adversaries can exploit these rules to hide malicious activities by suppressing legitimate security alerts. The detection rule monitors Azure activity logs for successful operations related to suppression rule changes, helping identify potential misuse that could lead to defense evasion and reduced security visibility.
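Review bot: `name = "Diagnostics Alert Suppression Rule Created or Modified"` in the `@@ -19,16` hunk uses a `Diagnostics` prefix while the file is renamed to `defense_evasion_security_alert_suppression_rule_created.toml` and the paragraph below describes suppression of security alerts, which is a Microsoft Defender for Cloud feature (the `Microsoft.Security` resource provider) rather than a diagnostics one. One of the two seems to follow a different taxonomy; `Security Alert Suppression Rule Created or Modified` would keep the name, the path and the `### Investigating` heading aligned. If `Diagnostics` is deliberate, the description should say which diagnostics feature is meant.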
@@ -69,7 +69,14 @@ references = [
risk_score = 21
rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
similarity index 96%
rename from rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
rename to rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
index 1cc74712800..fd9049ff286 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
@@ -2,7 +2,7 @@
creation_date = "2021/09/22"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Austin Songer"]
@@ -17,10 +17,10 @@ false_positives = [
Exceptions can be added to this rule to filter expected behavior.
""",
]
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Blob Permissions Modification"
+name = "Blob Storage Permissions Modification"
note = """## Triage and analysis
> **Disclaimer**:
@@ -66,9 +66,10 @@ severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
+ "Data Source: Azure Activity Logs",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
index 402945fecc1..5c38b6250cd 100644
--- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
@@ -2,7 +2,7 @@
creation_date = "2025/06/03"
integration = ["azure", "o365"]
maturity = "production"
-updated_date = "2025/06/03"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
similarity index 99%
rename from rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml
rename to rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
index 970fdb2ec0a..62ac768f416 100644
--- a/rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
@@ -2,7 +2,7 @@
creation_date = "2025/07/02"
integration = ["azure", "o365"]
maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
similarity index 96%
rename from rules/integrations/azure/discovery_blob_container_access_mod.toml
rename to rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index 52b0400362c..87dc477d068 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/20"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -17,17 +17,17 @@ false_positives = [
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Blob Container Access Level Modification"
+name = "Blob Storage Container Access Level Modification"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Blob Container Access Level Modification
+### Investigating Blob Storage Container Access Level Modification
Azure Blob Storage is a service for storing large amounts of unstructured data, where access levels can be configured to control data visibility. Adversaries may exploit misconfigured access levels to gain unauthorized access to sensitive data. The detection rule monitors changes in container access settings, focusing on successful modifications, to identify potential security risks associated with unauthorized access level changes.
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_compute_vm_command_executed.toml
similarity index 96%
rename from rules/integrations/azure/execution_command_virtual_machine.toml
rename to rules/integrations/azure/execution_compute_vm_command_executed.toml
index b6baefbe892..8d1001a21d6 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
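Review bot: `from` shrinks from `now-25m` to `now-9m` in the `@@ -17,17` hunk, and the same change appears in the hunks for execution_compute_vm_command_executed, impact_kubernetes_pod_deleted and impact_resources_resource_group_deletion, while the other activity-log rules in this patch (packet capture, storage key regenerated, runbook deleted, event hub deletion, firewall policy deletion) keep `now-25m`. No `interval` key is visible between `index` and `language`, so these rules run at the default interval against a look-back less than half of what it was; if `timestamp_override = "event.ingested"` is set in these files (it is visible for several other rules in this patch, but outside these hunks) the window is measured at ingest time and the shortening is probably safe, otherwise late-arriving activity-log events can fall outside it. Either apply the shorter window to the activity-log rules consistently or note why these four differ.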
+++ b/rules/integrations/azure/execution_compute_vm_command_executed.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/17"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -20,17 +20,17 @@ false_positives = [
from the rule.
""",
]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Command Execution on Virtual Machine"
+name = "Compute VM Command Execution"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Azure Command Execution on Virtual Machine
+### Investigating Compute VM Command Execution
Azure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't access them directly. However, commands can be executed remotely via PowerShell, running as System. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for command execution events, flagging successful operations to identify potential misuse.
diff --git a/rules/integrations/azure/impact_azure_key_vault_modified.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
similarity index 98%
rename from rules/integrations/azure/impact_azure_key_vault_modified.toml
rename to rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
index b7c2cf63810..e2796380bf0 100644
--- a/rules/integrations/azure/impact_azure_key_vault_modified.toml
+++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
@@ -2,7 +2,7 @@
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/07/09"
+updated_date = "2025/08/28"
[rule]
author = ["Elastic"]
@@ -22,10 +22,10 @@ from = "now-9m"
index = ["filebeat-*", "logs-azure.activitylogs-*"]
language = "kuery"
license = "Elastic License v2"
-name = "Azure Key Vault Modified"
+name = "Key Vault Modified"
note = """## Triage and analysis
-### Investigating Azure Key Vault Modified
+### Investigating Key Vault Modified
Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects modifications to Key Vaults, which may indicate potential security incidents or misconfigurations.
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index b81637fa6e9..dc23446e8bc 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -2,7 +2,7 @@
creation_date = "2021/06/24"
integration = ["azure"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
[rule]
author = ["Austin Songer"]
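Review bot: The file is renamed to `impact_key_vault_modified_by_unusual_user.toml`, but the new `name = "Key Vault Modified"` and the `### Investigating Key Vault Modified` heading in the `@@ -22,10` hunk drop the "by unusual user" qualifier, and the paragraph below only says the rule "detects modifications to Key Vaults" with no mention of the acting identity. If the query keys on a previously unseen user, as the path suggests (the query is outside the hunk), `Key Vault Modified by Unusual User` would describe the alert more accurately and mirror the `... by Unusual Identity` naming used for the Key Vault retrieval rule earlier in this patch; the description sentence would then want the same qualifier.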
@@ -17,17 +17,17 @@ false_positives = [ behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Kubernetes Pods Deleted" +name = "AKS Kubernetes Pods Deleted" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Kubernetes Pods Deleted +### Investigating AKS Kubernetes Pods Deleted Azure Kubernetes Service (AKS) enables the deployment, management, and scaling of containerized applications using Kubernetes. Pods, the smallest deployable units in Kubernetes, can be targeted by adversaries to disrupt services or evade detection. Malicious actors might delete pods to cause downtime or hide their activities. The detection rule monitors Azure activity logs for successful pod deletion operations, alerting security teams to potential unauthorized actions that could impact the environment's stability and security. diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml similarity index 97% rename from rules/integrations/azure/impact_resource_group_deletion.toml rename to rules/integrations/azure/impact_resources_resource_group_deletion.toml index 9a3bd20a8cc..4976e324905 100644 --- a/rules/integrations/azure/impact_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -19,11 +19,11 @@ false_positives = [ from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Resource Group Deletion" +name = "Resources Resource Group Deletion" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml similarity index 96% rename from rules/integrations/azure/initial_access_external_guest_user_invite.toml rename to rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index d78d3c2067f..9d198482820 100644 --- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
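Review bot: `name = "Resources Resource Group Deletion"` reads as a doubled word; the service-prefix convention used elsewhere in this change (Compute, Automation, Key Vault) produces an awkward title here. Consider `name = "Resource Group Deletion"`, and mirror it in the `### Investigating` heading of the note so the two stay in step.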
@@ -19,17 +19,17 @@ false_positives = [ hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure External Guest User Invitation" +name = "Entra ID External Guest User Invitation" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure External Guest User Invitation +### Investigating Entra ID External Guest User Invitation Azure Active Directory (AD) facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries may exploit this feature to gain unauthorized access, posing security risks. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations. diff --git a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml similarity index 98% rename from rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml rename to rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 6c02f73e3aa..a9dcb204c3d 100644 --- a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml 
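Review bot: The new `index = ["filebeat-*", "logs-azure.activitylogs-*"]` conflicts with the investigation guide in the same hunk, which states the rule "monitors audit logs for successful external user invitations"; guest invitations are directory events, and the Conditional Access Policy rule in this same change points at `logs-azure.auditlogs-*` for that data stream. If the query (outside this hunk) matches on `azure.auditlogs` fields, this narrowing stops the rule from seeing any events while it continues to run without error. Use `index = ["filebeat-*", "logs-azure.auditlogs-*"]` unless the query has been moved to activity-log operations.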
+++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/07/31" +updated_date = "2025/08/28" [rule] @@ -25,10 +25,10 @@ from = "now-31m" interval = "30m" language = "esql" license = "Elastic License v2" -name = "Microsoft Entra ID Suspicious Session Reuse to Graph Access" +name = "Entra ID Suspicious Session Reuse to Graph Access" note = """## Triage and analysis -### Investigating Microsoft Entra ID Suspicious Session Reuse to Graph Access +### Investigating Entra ID Suspicious Session Reuse to Graph Access Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location. diff --git a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml index edeab46d0d5..07f75b9dd42 100644 --- a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["azure"] maturity = "production" -updated_date = "2025/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Willem D'Haese"] 
@@ -13,13 +13,13 @@ provide specific details about how risk is calculated, each level brings higher compromised. """ from = "now-9m" -index = ["filebeat-*", "logs-azure.signinlogs*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID High Risk Sign-in" +name = "Entra ID High Risk Sign-in" note = """## Triage and analysis -### Investigating Microsoft Entra ID High Risk Sign-in +### Investigating Entra ID High Risk Sign-in This rule detects high-risk sign-ins in Microsoft Entra ID as identified by Identity Protection. These sign-ins are flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of compromise based on Microsoft’s machine learning and heuristics. This alert is valuable for identifying accounts under active attack or compromise using valid credentials. diff --git a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml similarity index 96% rename from rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml rename to rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index 9ef4177c59b..df70194967b 100644 --- a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -13,13 +13,13 @@ accomplished by tricking a user into granting consent to the application, typica establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Illicit Consent Grant via Registered Application" +name = "Entra ID Illicit Consent Grant via Registered Application" note = """## Triage and analysis -### Investigating Microsoft Entra ID Illicit Consent Grant via Registered Application +### Investigating Entra ID Illicit Consent Grant via Registered Application Adversaries may register a malicious application in Microsoft Entra ID and trick users into granting excessive permissions via OAuth consent. These applications can access sensitive data—such as mail, profiles, or files—on behalf of the user once consent is granted. This is commonly delivered via spearphishing links that prompt users to approve permissions for seemingly legitimate applications. diff --git a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml similarity index 97% rename from rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml rename to rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml index b0741633054..882c7045a18 100644 --- a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
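Review bot: `index` narrows from `logs-azure*` to `logs-azure.signinlogs-*`, but the description in this hunk speaks of an OAuth grant being established on behalf of the user, which could also be recorded as a directory consent event rather than a sign-in; the query is outside this hunk, so please confirm every field it references is `azure.signinlogs.*` before merging, otherwise the rule goes quiet without failing. Separately, the description's context line still carries the typo `applocation`, which this rename pass could fix as `application`.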
@@ -15,14 +15,14 @@ Insiders redirect location, prompting victims to return an OAuth authorization c tokens. This rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing activity. """ -from = "now-25m" +from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID OAuth Phishing via Visual Studio Code Client" +name = "Entra ID OAuth Phishing via Visual Studio Code Client" note = """## Triage and analysis -### Investigating Microsoft Entra ID OAuth Phishing via Visual Studio Code Client +### Investigating Entra ID OAuth Phishing via Visual Studio Code Client ### Possible investigation steps diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml similarity index 96% rename from rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml rename to rules/integrations/azure/initial_access_entra_id_powershell_signin.toml index 84c1ea44cae..e018f808098 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -17,14 +17,14 @@ false_positives = [ investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Active Directory PowerShell Sign-in" +name = "Entra ID PowerShell Sign-in" note = """## Triage and analysis -### Investigating Azure Active Directory PowerShell Sign-in +### Investigating Entra ID PowerShell Sign-in Azure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features. diff --git a/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml b/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml similarity index 96% rename from rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml rename to rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml index 72d1c1bdcdb..f657b0cb804 100644 --- a/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -16,10 +16,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.identity_protection-*"] language = "eql" license = "Elastic License v2" -name = "Multiple Microsoft Entra ID Protection Alerts by User Principal" +name = "Multiple Entra ID Protection Alerts by User Principal" note = """## Triage and analysis -### Investigating Multiple Microsoft Entra ID Protection Alerts by User Principal +### Investigating Multiple Entra ID Protection Alerts by User Principal #### Possible investigation steps - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection). diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml index 2565be3e132..162d7bf2538 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/29" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2025/05/02" +updated_date = "2025/08/28" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml index 432ecc45e7d..2d9f32622e2 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/06/02" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2025/06/02" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml similarity index 91% rename from rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml rename to rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index 4c2bcd0fa64..97ee6a819be 100644 --- a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/10" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -13,15 +13,15 @@ indicate an attempt to bypass conditional access policies (CAP) and multi-factor app ID specified may not be commonly used by the user based on their historical sign-in activity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Entra ID Rare App ID for Principal Authentication" +name = "Entra ID Rare App ID for Principal Authentication" note = """## Triage and analysis -### Investigating Azure Entra ID Rare App ID for Principal Authentication +### Investigating Entra ID Rare App ID for Principal Authentication -This rule identifies rare Azure Entra apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. +This rule identifies rare Azure apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. **This is a New Terms rule that focuses on first occurrence of the client `azure.signinlogs.properties.app_id` requesting authentication on-behalf-of the principal user `azure.signinlogs.properties.user_principal_name` in the last 14-days.** 
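Review bot: The rewritten description line still reads `rare Azure apps IDs`, which is ungrammatical; since the line is being edited anyway, make it `This rule identifies rare Azure app IDs requesting authentication on-behalf-of a principal user.` The `name` and the `### Investigating` heading already use "App ID", so "app IDs" keeps the wording consistent.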
diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml similarity index 97% rename from rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml rename to rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index be3ebf75d6f..42b1558e745 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/25" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -16,10 +16,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Rare Authentication Requirement for Principal User" +name = "Entra ID Rare Authentication Requirement for Principal User" note = """## Triage and analysis -### Investigating Microsoft Entra ID Rare Authentication Requirement for Principal User +### Investigating Entra ID Rare Authentication Requirement for Principal User Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. 
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml similarity index 95% rename from rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml rename to rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml index 1657100c372..4d8e1b1395a 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml +++ b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Austin Songer"] @@ -10,14 +10,14 @@ description = """ Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Active Directory High Risk User Sign-in Heuristic" +name = "Entra ID High Risk User Sign-in Heuristic" note = """## Triage and analysis -### Investigating Azure Active Directory High Risk User Sign-in Heuristic +### Investigating Entra ID High Risk User Sign-in Heuristic Microsoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks. diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index 0cd35b7bd96..c6c561b7f8d 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -25,12 +25,12 @@ from = "now-61m" interval = "60m" language = "esql" license = "Elastic License v2" -name = "Suspicious Microsoft OAuth Flow via Auth Broker to DRS" +name = "Entra ID OAuth Flow via Auth Broker to DRS" note = """## Triage and analysis -### Investigating Suspicious Microsoft OAuth Flow via Auth Broker to DRS +### Investigating Entra ID OAuth Flow via Auth Broker to DRS -This rule identifies potential OAuth phishing behavior in Microsoft Entra ID where two OAuth authorization flows are observed in quick succession, sharing the same user principal and session ID but originating from different IP addresses. The client application is the Microsoft Authentication Broker, and the target resource is the Device Registration Service (DRS). This pattern is indicative of adversaries attempting to phish targets for OAuth sessions by tricking users into authenticating through a crafted URL, which then allows the attacker to obtain an authorization code and exchange it for access and refresh tokens. +This rule identifies potential OAuth phishing behavior in Entra ID where two OAuth authorization flows are observed in quick succession, sharing the same user principal and session ID but originating from different IP addresses. The client application is the Microsoft Authentication Broker, and the target resource is the Device Registration Service (DRS). This pattern is indicative of adversaries attempting to phish targets for OAuth sessions by tricking users into authenticating through a crafted URL, which then allows the attacker to obtain an authorization code and exchange it for access and refresh tokens. ### Possible Investigation Steps: 
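Review bot: Dropping "Suspicious" from `name = "Entra ID OAuth Flow via Auth Broker to DRS"` leaves a title that describes a routine authentication path, while the description on the same hunk still calls this "potential OAuth phishing behavior"; an analyst scanning alert names loses the cue that the pattern is anomalous. The same happens in the ROPC rule, where `name = "Entra ID ROPC Login Attempt by User Principal"` drops "Unusual" although its note still says it detects unusual login attempts. Consider `name = "Entra ID Suspicious OAuth Flow via Auth Broker to DRS"` and `name = "Entra ID Unusual ROPC Login Attempt by User Principal"`, keeping the prefix convention while retaining the qualifier, and update the matching `### Investigating` headings.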
diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index bca0c1f9e54..f234c85b5ed 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Unusual ROPC Login Attempt by User Principal" +name = "Entra ID ROPC Login Attempt by User Principal" note = """## Triage and analysis -### Investigating Unusual ROPC Login Attempt by User Principal +### Investigating Entra ID ROPC Login Attempt by User Principal This rule detects unusual login attempts using the Resource Owner Password Credentials (ROPC) flow in Microsoft Entra ID. ROPC allows applications to obtain tokens by directly providing user credentials, bypassing multi-factor authentication (MFA). This method is less secure and can be exploited by adversaries to gain access to user accounts, especially during enumeration or password spraying. diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml index fd4b19f0d93..ac90b82ab5d 100644 --- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/21" integration = ["azure"] maturity = "production" -updated_date = "2025/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Willem D'Haese"] 
@@ -13,10 +13,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID User Reported Suspicious Activity" +name = "Entra ID User Reported Suspicious Activity" note = """## Triage and Analysis -### Investigating Microsoft Entra ID User Reported Suspicious Activity +### Investigating Entra ID User Reported Suspicious Activity This rule detects when a user in Microsoft Entra ID reports suspicious activity associated with their account. This feature is often used to report MFA fatigue or unsolicited push notifications, and is logged during authentication flows involving methods like Microsoft Authenticator. Such events may indicate that an attacker attempted unauthorized access and triggered a push that was denied or flagged by the user. diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index 43f8661beeb..5ad9cbe5327 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2025/05/19" +updated_date = "2025/08/28" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml similarity index 97% rename from rules/integrations/azure/persistence_azure_automation_account_created.toml rename to rules/integrations/azure/persistence_automation_account_created.toml index 8ee4ea7b979..4c7e93354cc 100644 --- a/rules/integrations/azure/persistence_azure_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -11,11 +11,11 @@ Identifies when an Azure Automation account is created. Azure Automation account tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Automation Account Created" +name = "Automation Account Created" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml similarity index 97% rename from rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml rename to rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml index 3fd64612819..e90674a5f08 100644 --- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -10,11 +10,11 @@ description = """ Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Automation Runbook Created or Modified" +name = "Automation Runbook Created or Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml similarity index 97% rename from rules/integrations/azure/persistence_azure_automation_webhook_created.toml rename to rules/integrations/azure/persistence_automation_webhook_created.toml index cb9f10e3b6a..7c20592eb6d 100644 --- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_automation_webhook_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -11,11 +11,11 @@ Identifies when an Azure Automation webhook is created. Azure Automation runbook webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Automation Webhook Created" +name = "Automation Webhook Created" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml similarity index 82% rename from rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml rename to rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index 674ba5a966b..bf142beeae9 100644 --- a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -10,52 +10,52 @@ description = """ Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Conditional Access Policy (CAP) Modified" +name = "Entra ID Conditional Access Policy (CAP) Modified" note = """## Triage and analysis -## Investigation Guide: Microsoft Entra ID Conditional Access Policy (CAP) Modified +## Investigating Entra ID Conditional Access Policy (CAP) Modified Azure Conditional Access Policies (CAPs) are critical for enforcing secure access requirements such as multi-factor authentication (MFA), restricting specific users or groups, and managing sign-in conditions. Modifying these policies can be a technique for weakening an organization’s defenses and maintaining persistence after initial access. This rule detects a successful update to a Conditional Access Policy in Microsoft Entra ID (formerly Azure AD). -### Possible Investigation Steps +### Possible investigation steps -- **Identify the user who modified the policy:** +- Identify the user who modified the policy: - Check the value of `azure.auditlogs.properties.initiated_by.user.userPrincipalName` to determine the identity that made the change. - Investigate their recent activity to determine if this change was expected or authorized. -- **Review the modified policy name:** +- Review the modified policy name: - Look at `azure.auditlogs.properties.target_resources.*.display_name` to find the name of the affected policy. - Determine whether this policy is related to critical controls (e.g., requiring MFA for admins). 
-- **Analyze the policy change:** +- Analyze the policy change: - Compare the `old_value` and `new_value` fields under `azure.auditlogs.properties.target_resources.*.modified_properties.*`. - Look for security-reducing changes, such as: - Removing users/groups from enforcement. - Disabling MFA or risk-based conditions. - Introducing exclusions that reduce the policy’s coverage. -- **Correlate with other activity:** +- Correlate with other activity: - Pivot on `azure.auditlogs.properties.activity_datetime` to identify if any suspicious sign-ins occurred after the policy was modified. - Check for related authentication logs, particularly from the same IP address (`azure.auditlogs.properties.initiated_by.user.ipAddress`). -- **Assess the user's legitimacy:** +- Assess the user's legitimacy: - Review the initiator’s Azure role, group memberships, and whether their account was recently elevated or compromised. - Investigate whether this user has a history of modifying policies or if this is anomalous. -### Validation & False Positive Considerations +### False positive analysis -- **Authorized administrative changes:** Some organizations routinely update CAPs as part of policy tuning or role-based access reviews. -- **Security reviews or automation:** Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs. -- **Employee lifecycle events:** Policy changes during employee onboarding/offboarding may include updates to access policies. +- Authorized administrative changes: Some organizations routinely update CAPs as part of policy tuning or role-based access reviews. +- Security reviews or automation: Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs. +- Employee lifecycle events: Policy changes during employee onboarding/offboarding may include updates to access policies. 
If any of these cases apply and align with the activity's context, consider tuning the rule or adding exceptions for expected patterns. -### Response & Remediation +### Response and remediation - Revert unauthorized or insecure changes to the Conditional Access Policy immediately. - Temporarily increase monitoring of CAP modifications and sign-in attempts. diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml similarity index 94% rename from rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml rename to rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 4e7b23074b2..0e342a533ef 100644 --- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
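Review bot: The renamed guide title `## Investigating Entra ID Conditional Access Policy (CAP) Modified` is a level-2 heading, whereas every other guide touched in this patch uses level 3 (`### Investigating Entra ID Global Administrator Role Assigned` in the next file, and likewise for the PIM, service principal and owner rules). Since this hunk is already normalizing the section headings to `### Possible investigation steps`, `### False positive analysis` and `### Response and remediation`, the title should follow the same depth: `### Investigating Entra ID Conditional Access Policy (CAP) Modified`. The opening paragraph still calls them `Azure Conditional Access Policies (CAPs)`; `Entra ID Conditional Access Policies (CAPs)` would match the new name.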
@@ -13,19 +13,19 @@ identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure AD Global Administrator Role Assigned" +name = "Entra ID Global Administrator Role Assigned" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure AD Global Administrator Role Assigned +### Investigating Entra ID Global Administrator Role Assigned -Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. +Entra ID's Global Administrator role grants comprehensive access to manage Entra ID and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. ### Possible investigation steps 
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml similarity index 95% rename from rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml rename to rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml index df2043ba47f..fd1f9e9b764 100644 --- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -10,14 +10,14 @@ description = """ Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Multi-Factor Authentication Disabled for an Azure User" +name = "Entra ID MFA Disabled for User Principal" note = """## Triage and analysis -### Investigating Multi-Factor Authentication Disabled for an Azure User +### Investigating Entra ID MFA Disabled for User Principal Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml index 8612b003fad..54f4205f04d 100644 --- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml 
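Review bot: The rule is renamed to `Entra ID MFA Disabled for User Principal` and the guide heading follows, but the unchanged description directly above still reads `Identifies when multi-factor authentication (MFA) is disabled for an Azure user account.`; `Identifies when multi-factor authentication (MFA) is disabled for a Microsoft Entra ID user principal.` would keep the description in step with the name, and the on-disk file name keeps `for_azure_user` as well. The same drift is visible in the service principal owner rule further down, whose description still says `in the Azure AD tenant`. The description block starts above this hunk.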
+++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/07/31" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -14,10 +14,10 @@ multi-factor authentication (MFA) and unauthorized access through bring-your-own from = "now-9m" language = "esql" license = "Elastic License v2" -name = "OIDC Discovery URL Changed in Entra ID" +name = "Entra ID OIDC Discovery URL Modified" note = """## Triage and analysis -### Investigating OIDC Discovery URL Changed in Entra ID +### Investigating Entra ID OIDC Discovery URL Modified This rule detects when the OIDC `discoveryUrl` is changed within the Entra ID Authentication Methods policy. Adversaries may leverage this to federate Entra ID with a rogue Identity Provider (IdP) under their control, allowing them to authenticate users with attacker-owned credentials and bypass MFA. This misconfiguration allows an attacker to impersonate valid users by issuing tokens via a third-party OIDC IdP while still passing validation in Entra ID. This technique has been publicly demonstrated and has critical implications for trust in federated identity. diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml similarity index 95% rename from rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml rename to rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index e81be681868..eecf6910070 100644 --- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -20,18 +20,19 @@ false_positives = [ from the rule. """, ] -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Global Administrator Role Addition to PIM User" +name = "Entra ID Global Administrator Role Addition to PIM User" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Global Administrator Role Addition to PIM User +### Investigating Entra ID Global Administrator Role Addition to PIM User -Azure AD's Global Administrator role grants extensive access, allowing users to modify any administrative setting. Privileged Identity Management (PIM) helps manage and monitor such access. Adversaries may exploit this by adding themselves or others to this role, gaining persistent control. The detection rule identifies suspicious role additions by monitoring specific audit logs, focusing on successful role assignments to PIM users, thus helping to flag potential unauthorized access attempts. +Entra ID's Global Administrator role grants extensive access, allowing users to modify any administrative setting. Privileged Identity Management (PIM) helps manage and monitor such access. Adversaries may exploit this by adding themselves or others to this role, gaining persistent control. The detection rule identifies suspicious role additions by monitoring specific audit logs, focusing on successful role assignments to PIM users, thus helping to flag potential unauthorized access attempts. ### Possible investigation steps 
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml similarity index 90% rename from rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml rename to rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index fa292e7a474..f65195fc255 100644 --- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -12,16 +12,16 @@ monitor access to important resources in an organization. PIM can be used to man such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Privilege Identity Management Role Modified" +name = "Entra ID PIM Role Modified" note = """## Triage and analysis -### Investigating Azure Privilege Identity Management Role Modified +### Investigating Entra ID PIM Role Modified -Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. +Entra ID Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Entra ID resource roles such as Global Administrator and Application Administrator. This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings. diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index cda64192073..9a87e1e2496 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml 
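Review bot: The rewritten sentence `PIM can be used to manage the built-in Entra ID resource roles such as Global Administrator and Application Administrator` carries over a mislabel from the old text: Global Administrator and Application Administrator are Entra ID directory roles, while "resource roles" is PIM's term for Azure RBAC roles on subscriptions and resources. Since the line is being rewritten anyway, `PIM can be used to manage built-in Entra ID directory roles such as Global Administrator and Application Administrator.` would be accurate. The rule description at the top of this hunk is cut off above it, so check whether it uses the same phrase.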
@@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/06/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_entra_service_principal_created.toml b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml similarity index 95% rename from rules/integrations/azure/persistence_entra_service_principal_created.toml rename to rules/integrations/azure/persistence_entra_id_service_principal_created.toml index 32bb180ec3a..ede1d09319c 100644 --- a/rules/integrations/azure/persistence_entra_service_principal_created.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -23,12 +23,12 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Service Principal Created" +name = "Entra ID Service Principal Created" note = """## Triage and analysis -### Investigating Microsoft Entra ID Service Principal Created +### Investigating Entra ID Service Principal Created -Service Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant. +Service Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Entra ID make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Entra ID tenant. This rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps. diff --git a/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml similarity index 96% rename from rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml rename to rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index c2933e331c2..d1f42031191 100644 --- a/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2025/05/27" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Austin Songer"] @@ -24,10 +24,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Service Principal Credentials Added by Rare User" +name = "Entra ID Service Principal Credentials Added by Rare User" note = """## Triage and analysis -### Investigating Microsoft Entra ID Service Principal Credentials Added by Rare User +### Investigating Entra ID Service Principal Credentials Added by Rare User This rule identifies the addition of new credentials (client secrets or certificates) to a Microsoft Entra ID (formerly Azure AD) service principal by a user who has not previously performed this operation in the last 10 days. Adversaries who obtain temporary or persistent access to a user account may add rogue credentials to service principals in order to maintain unauthorized access to cloud resources. diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index ae192a5b237..c08cfe77ef2 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2025/06/13" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious ADRS Token Request by Microsoft Auth Broker" +name = "Entra ID ADRS Token Request by Microsoft Auth Broker" note = """## Triage and analysis -### Investigating Suspicious ADRS Token Request by Microsoft Auth Broker +### Investigating Entra ID ADRS Token Request by Microsoft Auth Broker Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e) requests access to the Device Registration Service (01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9) on behalf of a user principal. The presence of the adrs_access scope in the authentication processing details suggests an attempt to access ADRS, which is atypical for standard user sign-ins. This behavior may reflect an effort to abuse device registration for unauthorized persistence, such as acquiring a Primary Refresh Token (PRT) or establishing a trusted session. diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml index d5e9e59a5be..50d091aa8f2 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2025/06/13" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "eql" license = "Elastic License v2" -name = "Microsoft Entra ID Suspicious Cloud Device Registration" +name = "Entra ID Suspicious Cloud Device Registration" note = """## Triage and analysis -### Investigating Microsoft Entra ID Suspicious Cloud Device Registration +### Investigating Entra ID Suspicious Cloud Device Registration This rule detects a sequence of Microsoft Entra ID audit events consistent with cloud device registration abuse via ROADtools or similar automation. The activity includes three correlated events: diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml similarity index 96% rename from rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml rename to rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 1ef684d774f..1694a35cf48 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -11,17 +11,17 @@ Identifies when a user is added as an owner for an Azure application. An adversa for an Azure application in order to grant additional permissions and modify the application's configuration using another account. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "User Added as Owner for Azure Application" +name = "Entra ID User Added as Application Owner" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating User Added as Owner for Azure Application +### Investigating Entra ID User Added as Application Owner Azure applications often require specific permissions for functionality, managed by assigning user roles. An adversary might exploit this by adding themselves or a compromised account as an owner, gaining elevated privileges to alter configurations or access sensitive data. The detection rule monitors audit logs for successful operations where a user is added as an application owner, flagging potential unauthorized privilege escalations. diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml similarity index 96% rename from rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml rename to rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index 51171c51de2..2f20448337f 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml 
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -13,17 +13,17 @@ service principal object is created when an application is given permission to a adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "User Added as Owner for Azure Service Principal" +name = "Entra ID User Added as Service Principal Owner" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating User Added as Owner for Azure Service Principal +### Investigating Entra ID User Added as Service Principal Owner Azure service principals are crucial for managing application permissions within a tenant, defining access and capabilities. Adversaries may exploit this by adding themselves as owners, gaining control over application permissions and access. The detection rule monitors audit logs for successful owner additions, flagging potential unauthorized changes to maintain security integrity. diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index 5c790fe547b..ae39ae59386 100644 
--- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/06/16" +updated_date = "2025/08/28" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index 59f62c55e3f..3023d493461 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/07/14" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -15,10 +15,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "External Authentication Method Addition or Modification in Entra ID" +name = "Entra ID EAM Addition or Modification" note = """## Triage and analysis -### Investigating External Authentication Method Addition or Modification in Entra ID +### Investigating Entra ID EAM Addition or Modification This rule detects suspicious modifications to external authentication methods (EAMs) in Microsoft Entra ID via Microsoft Graph API. Adversaries may abuse this capability to bypass multi-factor authentication (MFA), enabling persistence or unauthorized access through bring-your-own identity provider (BYOIDP) methods. diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml index 232a1364d34..8db81721d39 100644 
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["azure"] maturity = "production" -updated_date = "2025/05/22" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Austin Songer"] @@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Elevated Access to User Access Administrator" +name = "Entra ID Elevated Access to User Access Administrator" note = """## Triage and Analysis -### Investigating Microsoft Entra ID Elevated Access to User Access Administrator +### Investigating Entra ID Elevated Access to User Access Administrator This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Microsoft Entra ID (Azure AD). This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a **New Terms** rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue. diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml similarity index 97% rename from rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml rename to rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index c637cb21e63..fc2f3fb6412 100644 --- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml 
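Review bot: The hunk retitles the guide to `### Investigating Entra ID Elevated Access to User Access Administrator` but leaves the adjacent context line `note = """## Triage and Analysis` in title case, while the Entra ID rules updated earlier in this patch all use `## Triage and analysis`. Given the commit is already normalizing heading style (e.g. the CAP rule's `### Response and remediation`), `note = """## Triage and analysis` here, and the identical line in the M365 `Suspicious Mail Access by Unusual ClientAppId` rule below, would complete it.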
@@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Austin Songer"] @@ -12,11 +12,11 @@ Identifies the creation of role binding or cluster role bindings. You can assign create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. """ -from = "now-20m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Kubernetes Rolebindings Created" +name = "AKS Kubernetes Rolebindings Created" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml index 6ee48682bc2..3034875b979 100644 --- a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml +++ b/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml @@ -24,7 +24,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Excessive Microsoft 365 Mailbox Items Accessed" +name = "M365 Exchange Excessive Mailbox Items Accessed" note = """## Triage and analysis ### Investigating Excessive Microsoft 365 Mailbox Items Accessed @@ -65,6 +65,7 @@ rule_id = "7fc95782-4bd1-11f0-9838-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", + "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", diff --git a/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml index 0a3f55de286..fdf041d01f1 100644 
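Review bot: Shrinking the lookback from `from = "now-20m"` to `from = "now-9m"` in the AKS rolebinding hunk narrows tolerance for late-arriving Azure activity-log events, and whether that is safe depends on a `timestamp_override = "event.ingested"` line that is outside this hunk. If the rule does set it, the shorter window is consistent with the other Elastic rules here; if it does not, activity-log export delay of more than a few minutes would push rolebinding writes outside the query window and the rule would silently miss them, so please confirm before merging. The `index` change to `logs-azure.activitylogs-*` looks correct for this event type (the old `logs-azure*` glob also swept in audit and sign-in streams the query presumably never matches), but it is worth checking that the query's field paths are all under `azure.activitylogs.*`. As a naming nit, `AKS Kubernetes Rolebindings Created` repeats "Kubernetes" inside the acronym; `name = "AKS Rolebinding Created"` reads cleaner.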
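Review bot: In the excessive-mailbox-items hunk the rule is renamed to `M365 Exchange Excessive Mailbox Items Accessed` but the triage heading on the following context line still reads `### Investigating Excessive Microsoft 365 Mailbox Items Accessed`, so the guide title no longer matches the alert name; the Azure rules earlier in this patch update both together (for example the EAM and User Access Administrator rules), and this file should do the same with `### Investigating M365 Exchange Excessive Mailbox Items Accessed`. Separately, no hunk precedes `@@ -24,7`, which means this file's `updated_date` is not bumped even though its name and tags change, whereas every Azure rule in this patch moves to `updated_date = "2025/08/28"`; unless that is deferred to a later commit in the series, the metadata should be bumped here as well.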
--- a/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml +++ b/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml @@ -28,7 +28,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious Microsoft 365 Mail Access by Unusual ClientAppId" +name = "M365 Exchange Suspicious Mail Access by Unusual ClientAppId" note = """## Triage and Analysis ### Investigating Suspicious Microsoft 365 Mail Access by Unusual ClientAppId @@ -65,6 +65,7 @@ rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2" severity = "medium" tags = [ "Domain: Cloud", + "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index e10126d0a2d..6b301294b2e 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -19,10 +19,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Inbox Forwarding Rule Created" +name = "M365 Exchange Inbox Forwarding Rule Created" note = """## Triage and analysis > **Disclaimer**: @@ -71,7 +71,7 @@ references = [ risk_score = 47 rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" 
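Review bot: Narrowing `index` from `logs-o365*` to `logs-o365.audit-*` in the inbox-forwarding-rule hunk changes the rule's search scope, and it is only a no-op if the query (outside this hunk) already constrains `event.dataset:o365.audit` or only references `o365.audit.*` fields; any other `logs-o365`-prefixed data stream an environment may route Microsoft 365 records into would otherwise stop being evaluated without any alert-side signal. The same pattern is applied to roughly a dozen o365 rules below, so a one-line confirmation in the PR description that the integration ships a single `audit` data stream would let reviewers wave the rest through. The `from = "now-30m"` context line is untouched, so ingest-lag tolerance is unaffected by this hunk.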
diff --git a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml index e2272b6936c..388c77b5c31 100644 --- a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml @@ -18,10 +18,10 @@ index = ["filebeat-*", "logs-o365.audit-*"] interval = "15m" language = "eql" license = "Elastic License v2" -name = "Microsoft 365 OAuth Redirect to Device Registration for User Principal" +name = "M365 Entra ID OAuth Redirect to Device Registration for User Principal" note = """## Triage and analysis -### Investigating Microsoft 365 OAuth Redirect to Device Registration for User Principal +### Investigating M365 Entra ID OAuth Redirect to Device Registration for User Principal ### Possible investigation steps - Review the two UserLoggedIn logs to confirm that they come from different source.ip values and are associated to the same account. @@ -53,6 +53,7 @@ severity = "high" tags = [ "Domain: Cloud", "Domain: SaaS", + "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml index 448eb30ea34..93e31322098 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml 
@@ -13,7 +13,7 @@ errors across multiple user accounts may indicate brute-force attempts for the s from = "now-9m" language = "esql" license = "Elastic License v2" -name = "Multiple Microsoft 365 User Account Lockouts in Short Time Window" +name = "M365 Entra ID Multiple User Account Lockouts in Short Time Window" note = """## Triage and Analysis ### Investigating Multiple Microsoft 365 User Account Lockouts in Short Time Window @@ -61,6 +61,7 @@ severity = "medium" tags = [ "Domain: Cloud", "Domain: SaaS", + "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml index 20413cd6ea4..536a1865acd 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml @@ -21,7 +21,7 @@ from = "now-60m" interval = "10m" language = "esql" license = "Elastic License v2" -name = "Potential Microsoft 365 User Account Brute Force" +name = "M365 Entra ID Potential User Account Brute Force" note = """## Triage and Analysis ### Investigating Potential Microsoft 365 User Account Brute Force @@ -67,6 +67,7 @@ severity = "medium" tags = [ "Domain: Cloud", "Domain: SaaS", + "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml index a48986bf801..f2a1d6d672c 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml 
@@ -17,10 +17,10 @@ false_positives = [ """, ] from = "now-20m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "O365 Excessive Single Sign-On Logon Errors" +name = "M365 Entra ID Excessive Single Sign-On Logon Errors" note = """## Triage and analysis > **Disclaimer**: @@ -65,6 +65,8 @@ rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "high" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml index e0321d00408..bfe5a573262 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml 
@@ -17,16 +17,16 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange DLP Policy Removed" +name = "M365 Exchange DLP Policy Removed" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Exchange DLP Policy Removed +### Investigating M365 Exchange DLP Policy Removed Data Loss Prevention (DLP) in Microsoft 365 Exchange is crucial for safeguarding sensitive information by monitoring and controlling data transfers. Adversaries may exploit this by removing DLP policies to bypass data monitoring, facilitating unauthorized data exfiltration. The detection rule identifies such actions by analyzing audit logs for specific events indicating successful DLP policy removal, thus alerting security teams to potential defense evasion tactics. @@ -68,6 +68,8 @@ rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25" severity = "medium" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml index a227d788063..fda196637fb 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml 
@@ -18,10 +18,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Malware Filter Policy Deletion" +name = "M365 Exchange Malware Filter Policy Deletion" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml index b89dff6f8b3..d77e43cc252 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml @@ -17,10 +17,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Malware Filter Rule Modification" +name = "M365 Exchange Malware Filter Rule Modification" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml index 2e79b68f418..cedfe0b03f1 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml @@ -18,10 +18,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Safe Attachment Rule Disabled" +name = "M365 Exchange Safe Attachment Rule Disabled" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml index 0499a78aa9c..54a64a4a9a2 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml @@ -17,16 +17,16 @@ the account. """ false_positives = ["Legitimate allowlisting of noisy accounts"] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "O365 Mailbox Audit Logging Bypass" +name = "M365 Exchange Mailbox Audit Logging Bypass" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating O365 Mailbox Audit Logging Bypass +### Investigating M365 Exchange Mailbox Audit Logging Bypass In Microsoft 365 environments, mailbox audit logging is crucial for tracking user activities like accessing or deleting emails. However, administrators can exempt certain accounts from logging to reduce noise, which attackers might exploit to hide their actions. The detection rule identifies successful attempts to create such exemptions, signaling potential misuse of this bypass mechanism. 
@@ -64,7 +64,7 @@ references = ["https://twitter.com/misconfig/status/1476144066807140355"] risk_score = 47 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml index ad4b52badf0..7dd793fd8ee 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml @@ -17,10 +17,10 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails" +name = "M365 Exchange Suspicious Inbox Rule to Delete or Move Emails" note = """## Triage and Analysis -### Investigating Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails +### Investigating M365 Exchange Suspicious Inbox Rule to Delete or Move Emails This detection identifies the creation of potentially malicious inbox rules in Microsoft 365. These rules automatically delete or move emails with specific keywords such as "invoice", "payment", "security", or "phish". Adversaries often use these rules post-compromise to conceal warning emails, alerts from security tools, or responses from help desk teams, thereby evading detection and maintaining access. 
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml index 9c247608297..0cb4d39b9f1 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml @@ -15,7 +15,7 @@ from = "now-60m" interval = "59m" language = "esql" license = "Elastic License v2" -name = "Suspicious Microsoft 365 UserLoggedIn via OAuth Code" +name = "M365 Entra ID Suspicious UserLoggedIn via OAuth Code" note = """## Triage and analysis ### Investigating Suspicious Microsoft 365 UserLoggedIn via OAuth Code diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml index d40aaa34cf5..14c7fd941a1 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml @@ -18,10 +18,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Transport Rule Creation" +name = "M365 Exchange Transport Rule Creation" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml index 9700f5fb32d..79e715ecd1b 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml 
@@ -18,10 +18,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Transport Rule Modification" +name = "M365 Exchange Transport Rule Modification" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml index 9bc31aa1bd6..072a67c80d8 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml +++ b/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml @@ -9,10 +9,10 @@ author = ["Austin Songer"] description = "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute." false_positives = ["Unknown"] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Mass download by a single user" +name = "M365 Mass Download by a Single User" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml index 58c441f2a04..d007ca0602f 100644 --- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml 
@@ -17,10 +17,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Potential ransomware activity" +name = "M365 Potential Ransomware Activity" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml index 4d93834da53..1d9a3605e08 100644 --- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml +++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml @@ -9,10 +9,10 @@ author = ["Austin Songer"] description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security." false_positives = ["Users or System Administrator cleaning out folders."] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Unusual Volume of File Deletion" +name = "M365 Unusual Volume of File Deletion" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml index f1a46b3488b..c5f68800a9d 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml 
@@ -19,7 +19,7 @@ from = "now-25m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 OAuth Phishing via Visual Studio Code Client" +name = "M365 Entra ID OAuth Phishing via Visual Studio Code Client" note = """## Triage and analysis ### Investigating Microsoft 365 OAuth Phishing via Visual Studio Code Client diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml index 103daf24184..82ad331d91e 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml @@ -18,10 +18,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Anti-Phish Policy Deletion" +name = "M365 Exchange Anti-Phish Policy Deletion" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml index c49431ca1fc..242c506b1e4 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml @@ -18,10 +18,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Anti-Phish Rule Modification" +name = "M365 Exchange Anti-Phish Rule Modification" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml index 31acdfec8b3..10226b1eff7 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml @@ -17,10 +17,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Safe Link Policy Disabled" +name = "M365 Exchange Safe Link Policy Disabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml index e18f124d09c..cfd56968ea8 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml @@ -14,10 +14,10 @@ via a pre-made phishing URL. This establishes an OAuth grant that allows the mal resources in Microsoft 365 on-behalf-of the user. """ from = "now-9m" -index = ["filebeat-*", "logs-o365**"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Illicit Consent Grant via Registered Application" +name = "M365 Entra ID Illicit Consent Grant via Registered Application" note = """## Triage and analysis ### Investigating Microsoft 365 Illicit Consent Grant via Registered Application 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml index ee3bc044b9e..84f9c360a1a 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml @@ -12,10 +12,10 @@ impossible travel. """ false_positives = ["User using a VPN may lead to false positives."] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Impossible travel activity" +name = "M365 Impossible Travel Activity" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml index 35f62652d0b..deef83c6d8c 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml @@ -22,7 +22,7 @@ from = "now-15m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Portal Logins from Impossible Travel Locations" +name = "M365 Entra ID Portal Logins from Impossible Travel Locations" references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"] risk_score = 47 rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc" diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml index b7cf28e1ceb..7026fc88226 100644 
--- a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Portal Login from Rare Location" +name = "M365 Entra ID Portal Login from Rare Location" references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"] risk_score = 47 rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc" diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml index 60a023e9999..d9a5cb219b7 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml @@ -12,10 +12,10 @@ per the Security Compliance Center. """ false_positives = ["A user sending emails using personal distribution folders may trigger the event."] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 User Restricted from Sending Email" +name = "M365 Exchange User Restricted from Sending Email" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml index b22dc87b3e8..dce2fb76bd5 100644 --- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml 
@@ -14,10 +14,10 @@ malware infections and Business Email Compromise attacks. """ false_positives = ["Legitimate files reported by the users"] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "O365 Email Reported by User as Malware or Phish" +name = "M365 Exchange Email Reported by User as Malware or Phish" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml index 560e67b7a90..c36245bfe2a 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml @@ -14,7 +14,7 @@ initial access to other endpoints in the environment. """ false_positives = ["Benign files can trigger signatures in the built-in virus protection"] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "OneDrive Malware File Upload" diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml index 1ddff70548b..03d908c6935 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml +++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml @@ -14,7 +14,7 @@ to gain initial access to other endpoints in the environment. """ false_positives = ["Benign files can trigger signatures in the built-in virus protection"] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "SharePoint Malware File Upload" 
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index 910bb0a982a..9d74ed6e189 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -18,7 +18,7 @@ false_positives = [ index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious Mailbox Permission Delegation in Exchange Online" +name = "Exchange Suspicious Mailbox Permission Delegation" note = """## Triage and Analysis ### Investigating Suspicious Mailbox Permission Delegation in Exchange Online diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml index 94caa0432f1..346e7c00e3f 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml @@ -19,10 +19,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled" +name = "M365 Exchange DKIM Signing Configuration Disabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml index ddd4196f61a..f9c17469f35 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml 
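Review bot: The new name `Exchange Suspicious Mailbox Permission Delegation` drops the `M365` prefix that every other Exchange rule in this patch adopts (`M365 Exchange DKIM Signing Configuration Disabled` in the very next hunk, `M365 Exchange DLP Policy Removed` earlier), so this rule will sort away from its siblings in the rule list and break the naming convention the patch is introducing; suggest `name = "M365 Exchange Suspicious Mailbox Permission Delegation"`. The triage heading on the following context line still reads `### Investigating Suspicious Mailbox Permission Delegation in Exchange Online` and should be aligned with whichever name is chosen so the guide matches the alert.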
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml @@ -17,10 +17,10 @@ false_positives = [ """, ] from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Management Group Role Assignment" +name = "M365 Exchange Management Group Role Assignment" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml index 4023be111e5..b75e04416ac 100644 --- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml @@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Global Administrator Role Assigned" +name = "M365 Entra ID Global Administrator Role Assigned" note = """## Triage and Analysis ### Investigating Microsoft 365 Global Administrator Role Assigned diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml index bd6226b4864..f7b69d6a78d 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml 
@@ -18,10 +18,10 @@ false_positives = [
 """,
 ]
 from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft 365 Teams Custom Application Interaction Allowed"
+name = "M365 Teams Custom Application Interaction Allowed"
 note = """## Triage and analysis
 
 > **Disclaimer**:
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index df7c20b913f..635c38225d1 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -18,10 +18,10 @@ false_positives = [
 """,
 ]
 from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft 365 Teams External Access Enabled"
+name = "M365 Teams External Access Enabled"
 note = """## Triage and analysis
 
 > **Disclaimer**:
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 1126bc7afa0..4199e23cae8 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -17,10 +17,10 @@ false_positives = [
 """,
 ]
 from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft 365 Teams Guest Access Enabled"
+name = "M365 Teams Guest Access Enabled"
 note = """## Triage and analysis
 
 > **Disclaimer**:
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 956e2da3b51..1f13033186e 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -7,13 +7,13 @@ updated_date = "2025/01/15"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external
+Identifies a new or modified federation domain, which can be used to create a trust between M365 and an external
 identity provider.
 """
-index = ["filebeat-*", "logs-o365*"]
+index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "New or Modified Federation Domain"
+name = "M365 Entra ID New or Modified Federation Domain"
 note = """## Triage and analysis
 
 > **Disclaimer**:
From 9a76608ff9b7c6a89d8a8db04c9ef64569880282 Mon Sep 17 00:00:00 2001
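Review bot: The hunk's context line shows `updated_date = "2025/01/15"` unchanged while `description`, `index` and `name` are all rewritten directly below it; unless another hunk in this patch touches the `[metadata]` table, the rule's metadata will claim it was last updated months before this rename. The same applies to the other renamed o365 rules on the preceding lines, whose `[metadata]` blocks are outside their hunks. Bumping the date in the same change keeps the rule's version history honest: `updated_date = "<CONSTRUCTED: commit date>"`. The `[metadata]` table itself starts above this hunk.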
From: terrancedejesus
Date: Thu, 28 Aug 2025 14:21:04 -0400
Subject: [PATCH 2/9] updated azure tags
---
 .../collection_event_hub_created_or_updated.toml | 6 ++----
 .../credential_access_entra_id_suspicious_signin.toml | 1 +
 ..._network_full_network_packet_capture_detected.toml | 1 +
 ...ential_access_storage_account_key_regenerated.toml | 2 +-
 .../defense_evasion_automation_runbook_deleted.toml | 3 ++-
 ..._entra_id_application_credential_modification.toml | 2 +-
 .../azure/defense_evasion_event_hub_deletion.toml | 3 ++-
 ...evasion_insights_diagnostic_settings_deletion.toml | 3 ++-
 .../defense_evasion_kubernetes_events_deleted.toml | 3 ++-
 ...ense_evasion_network_firewall_policy_deletion.toml | 3 ++-
 ...on_network_frontdoor_firewall_policy_deletion.toml | 3 ++-
 .../defense_evasion_network_watcher_deletion.toml | 3 ++-
 ...asion_security_alert_suppression_rule_created.toml | 3 ++-
 ...nse_evasion_storage_blob_permissions_modified.toml | 2 ++
 ..._entra_id_teamfiltration_user_agents_detected.toml | 1 +
 ...ry_storage_blob_container_access_modification.toml | 10 +++++++++-
 .../azure/execution_compute_vm_command_executed.toml | 10 +++++++++-
 .../azure/impact_kubernetes_pod_deleted.toml | 10 +++++++++-
 .../impact_resources_resource_group_deletion.toml | 9 ++++++++-
 ...al_access_entra_id_external_guest_user_invite.toml | 11 ++++++++++-
 .../initial_access_entra_id_high_risk_signin.toml | 1 +
 ...icit_consent_grant_via_registered_application.toml | 1 +
 ...ess_entra_id_oauth_phishing_via_vscode_client.toml | 1 +
 .../initial_access_entra_id_powershell_signin.toml | 3 +++
 ...ection_multi_azure_identity_protection_alerts.toml | 1 +
 ...ccess_entra_id_rare_app_id_for_principal_auth.toml | 1 +
 ...authentication_requirement_for_principal_user.toml | 1 +
 ...ss_entra_id_risky_user_or_compromised_sign_in.toml | 3 +++
 .../initial_access_entra_id_user_reported_risk.toml | 1 +
 ...cess_graph_first_occurrence_of_client_request.toml | 1 +
 .../azure/persistence_automation_account_created.toml | 10 +++++++++-
 ...stence_automation_runbook_created_or_modified.toml | 10 +++++++++-
 .../azure/persistence_automation_webhook_created.toml | 10 +++++++++-
 ...e_entra_id_conditional_access_policy_modified.toml | 1 +
 ...e_entra_id_global_administrator_role_assigned.toml | 11 ++++++++++-
 ...sistence_entra_id_mfa_disabled_for_azure_user.toml | 3 +++
 ...sistence_entra_id_pim_user_added_global_admin.toml | 11 ++++++++++-
 ..._privileged_identity_management_role_modified.toml | 3 +++
 ...ersistence_entra_id_service_principal_created.toml | 1 +
 ..._entra_id_service_principal_credentials_added.toml | 1 +
 ..._id_user_added_as_owner_for_azure_application.toml | 11 ++++++++++-
 ...er_added_as_owner_for_azure_service_principal.toml | 11 ++++++++++-
 ...entra_id_elevate_to_user_administrator_access.toml | 1 +
 ...escalation_kubernetes_aks_rolebinding_created.toml | 4 ++++
 44 files changed, 165 insertions(+), 26 deletions(-)
diff --git a/rules/integrations/azure/collection_event_hub_created_or_updated.toml b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
index 7e37b9d2cc5..7b8f8296e9f 100644
--- a/rules/integrations/azure/collection_event_hub_created_or_updated.toml
+++ b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
@@ -59,16 +59,14 @@ Azure Event Hub Authorization Rules manage access to Event Hubs via cryptographi
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.
 - Conduct a security review of all Event Hub Authorization Rules to ensure that only necessary permissions are granted and that the RootManageSharedAccessKey is not used in applications.
 - Enhance monitoring and alerting for changes to authorization rules by integrating with a Security Information and Event Management (SIEM) system to detect similar threats in the future.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Storage",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Log Auditing",
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index 6ef9bb2a389..628ee967c08 100644
--- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -56,6 +56,7 @@ This rule requires the Azure logs integration be enabled and configured to colle
 severity = "high"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Domain: SaaS",
  "Data Source: Azure",
  "Data Source: Entra ID",
diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
index ffc4a19b79b..78b60f880c0 100644
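Review bot: The `## Setup` section of `note` in `collection_event_hub_created_or_updated.toml` is deleted outright, so the investigation guide no longer says which integration must feed the rule, while the next hunk's context line shows the wording other Azure rules in this patch use (`This rule requires the Azure logs integration be enabled and configured to collect...`). Rather than dropping the three removed lines, replace them with that standard setup sentence so the data requirement stays visible in the alert flyout. The top of the `note` string is outside the hunk.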
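Review bot: `credential_access_entra_id_suspicious_signin.toml` keeps `Data Source: Entra ID` directly under the new `Domain: Identity` line, whereas the Entra ID rules later in this patch (external guest invite, high-risk sign-in, PowerShell sign-in) carry `Data Source: Microsoft Entra ID` plus a `... Sign-in Logs` or `... Audit Logs` tag; `initial_access_entra_id_rare_app_id_for_principal_auth.toml` further down likewise keeps `Data Source: Entra ID` and `Data Source: Entra ID Sign-in`. Tags are the facet analysts and the rule-management UI filter on, so a commit titled "updated azure tags" is the natural place to normalize these to `"Data Source: Microsoft Entra ID",` and `"Data Source: Microsoft Entra ID Sign-in Logs",`. The remainder of each `tags` array is outside the hunk.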
--- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
@@ -68,6 +68,7 @@ rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Network",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Tactic: Credential Access",
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 4c62f6ea039..cd83fa74ec0 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -18,7 +18,7 @@ false_positives = [
 or locations should be investigated.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
index a7d22e9bc2e..db306e43e46 100644
--- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
@@ -10,7 +10,7 @@ description = """
 Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order
 to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
 """
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
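Review bot: `from` drops from `now-25m` to `now-9m` in `credential_access_storage_account_key_regenerated.toml` and again in the runbook-deleted, application-credential, event-hub-deletion, diagnostic-settings, Kubernetes-events, firewall-policy, Front Door, Network Watcher and suppression-rule hunks that follow. That removes sixteen minutes of look-back on activity-log rules, which is only safe if each file also sets `timestamp_override = "event.ingested"` and keeps the default interval; Azure activity-log delivery can lag beyond nine minutes, and late-arriving events would otherwise never be evaluated. The `timestamp_override` line is outside all of these hunks (the later `tags` hunks show it for other rules), so please confirm it is present in every file whose `from` shrinks, and keep `from = "now-25m"` wherever it is not.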
@@ -64,6 +64,7 @@ rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
 tags = [
  "Domain: Cloud",
+ "Domain: Application",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Configuration Audit",
diff --git a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
index 9adf5eb2c41..d58e3efd29d 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
@@ -20,7 +20,7 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index d137ca68a2e..998d5aa581d 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -17,7 +17,7 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -71,6 +71,7 @@ rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Storage",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Log Auditing",
diff --git a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
index 8e47fe39455..7302c9271bf 100644
--- a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -68,6 +68,7 @@ rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Security",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Tactic: Defense Evasion",
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index feacc960cd4..4754d5bb8af 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -18,7 +18,7 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -70,6 +70,7 @@ rule_id = "8b64d36a-1307-4b2e-a77b-a0027e4d27c8"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Container",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Log Auditing",
diff --git a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
index 82d0481d529..4d3aa21dd54 100644
--- a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
@@ -17,7 +17,7 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -67,6 +67,7 @@ rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
 tags = [
  "Domain: Cloud",
+ "Domain: Network",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Network Security Monitoring",
diff --git a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
index 09c5552dfee..82fdbbfc48c 100644
--- a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
@@ -19,7 +19,7 @@ false_positives = [
 is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -70,6 +70,7 @@ rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082"
 severity = "low"
 tags = [
  "Domain: Cloud",
+ "Domain: Network",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Network Security Monitoring",
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index af17eda4047..dacf16eca5b 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -18,7 +18,7 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -66,6 +66,7 @@ rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Network",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Network Security Monitoring",
diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
index 60af7f6c4f0..fdac49c7b79 100644
--- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
@@ -18,7 +18,7 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -71,6 +71,7 @@ rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
 severity = "low"
 tags = [
  "Domain: Cloud",
+ "Domain: Security",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Configuration Audit",
diff --git a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
index fd9049ff286..e3714d6455b 100644
--- a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
@@ -17,6 +17,7 @@ false_positives = [
 Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -65,6 +66,7 @@ rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Storage",
  "Data Source: Azure",
  "Data Source: Azure Activity Logs",
  "Use Case: Identity and Access Audit",
diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
index 62ac768f416..7a553e3485c 100644
--- a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
@@ -81,6 +81,7 @@ rule_id = "f541ca3a-5752-11f0-b44b-f661ea17fbcd"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: SaaS",
  "Data Source: Azure",
  "Data Source: Microsoft 365",
  "Data Source: Microsoft 365 Audit Logs",
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index 87dc477d068..3d72b574448 100644
--- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -64,7 +64,15 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Discovery", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Storage",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Asset Visibility",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/execution_compute_vm_command_executed.toml b/rules/integrations/azure/execution_compute_vm_command_executed.toml
index 8d1001a21d6..9547d91478e 100644
--- a/rules/integrations/azure/execution_compute_vm_command_executed.toml
+++ b/rules/integrations/azure/execution_compute_vm_command_executed.toml
@@ -72,7 +72,15 @@ references = [
 risk_score = 47
 rule_id = "60884af6-f553-4a6c-af13-300047455491"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Endpoint",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Execution",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index dc23446e8bc..59ef2e2c374 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
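Review bot: The rewritten multi-line `tags` array in `discovery_storage_blob_container_access_modification.toml` ends with `"Resources: Investigation Guide"` and no trailing comma before `]`, and the same layout is repeated in the VM-command, pod-deleted, resource-group, external-guest-invite, automation-account, runbook, webhook, global-administrator and PIM rewrites that follow. The other `tags` arrays touched in this patch are already one entry per line, and a trailing comma on the last entry (`"Resources: Investigation Guide",`) keeps the next tag addition to a one-line diff, which is the whole point of expanding these arrays. The remaining lines of each file are outside the hunk.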
@@ -66,7 +66,15 @@ references = [
 risk_score = 47
 rule_id = "83a1931d-8136-46fc-b7b9-2db4f639e014"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Container",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Asset Visibility",
+ "Tactic: Impact",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
index 4976e324905..bc8b0c96499 100644
--- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
@@ -69,7 +69,14 @@ references = [
 risk_score = 47
 rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Impact",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
index 9d198482820..da9e4d0756d 100644
--- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
@@ -67,7 +67,16 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/
 risk_score = 21
 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
index 07f75b9dd42..60f5a006f5e 100644
--- a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
@@ -62,6 +62,7 @@ rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
 severity = "high"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Sign-in Logs",
diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
index df70194967b..9a2e4d62ccc 100644
--- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
@@ -67,6 +67,7 @@ rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Audit Logs",
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
index 882c7045a18..d8243cf7f71 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
@@ -67,6 +67,7 @@ rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Sign-in Logs",
diff --git a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
index e018f808098..62db070e750 100644
--- a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
@@ -73,7 +73,10 @@ rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
 severity = "low"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
  "Use Case: Identity and Access Audit",
  "Resources: Investigation Guide",
  "Tactic: Initial Access",
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml b/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml
index f657b0cb804..0a83d23b816 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml
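Review bot: `initial_access_entra_id_powershell_signin.toml` gains `Data Source: Microsoft Entra ID Audit Logs`, but a PowerShell sign-in detection would normally be sourced from the sign-in logs, which is the tag the VS Code OAuth phishing hunk just above carries (`Data Source: Microsoft Entra ID Sign-in Logs`). The rule's `index` and `query` are outside this hunk, so please check them; if the rule reads `logs-azure.signinlogs-*`, the added line should be `"Data Source: Microsoft Entra ID Sign-in Logs",` so that the data-source facet does not point analysts at the wrong log stream. The same check applies to `initial_access_entra_id_risky_user_or_compromised_sign_in.toml` two lines further down, which receives the identical Audit Logs tag.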
@@ -62,6 +62,7 @@ rule_id = "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f"
 severity = "high"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Protection Logs",
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
index 97ee6a819be..4a69cb4056b 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
@@ -71,6 +71,7 @@ rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Entra ID",
  "Data Source: Entra ID Sign-in",
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
index 42b1558e745..88edc0b532c 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
@@ -71,6 +71,7 @@ rule_id = "9e11faee-fddb-11ef-8257-f661ea17fbcd"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Sign-in Logs",
diff --git a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml
index 4d8e1b1395a..37bf1d20a6e 100644
--- a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml
+++ b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml
@@ -69,7 +69,10 @@ rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
  "Use Case: Identity and Access Audit",
  "Resources: Investigation Guide",
  "Tactic: Initial Access",
diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
index ac90b82ab5d..dd36afba47f 100644
--- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
+++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
@@ -59,6 +59,7 @@ rule_id = "caaa8b78-367c-11f0-beb8-f661ea17fbcd"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Audit Logs",
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
index 5ad9cbe5327..df1990ae511 100644
--- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -80,6 +80,7 @@ rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd"
 severity = "low"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Graph",
  "Data Source: Microsoft Graph Activity Logs",
diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml
index 4c7e93354cc..7da9f8d736e 100644
--- a/rules/integrations/azure/persistence_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_automation_account_created.toml
@@ -62,7 +62,15 @@ references = [
 risk_score = 21
 rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Application",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml
index e90674a5f08..0b994f78946 100644
--- a/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml
@@ -63,7 +63,15 @@ references = [
 risk_score = 21
 rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Application",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml
index 7c20592eb6d..9a31991a035 100644
--- a/rules/integrations/azure/persistence_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_automation_webhook_created.toml
@@ -63,7 +63,15 @@ references = [
 risk_score = 21
 rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Application",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
index bf142beeae9..172ba46ee4f 100644
--- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
@@ -72,6 +72,7 @@ rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
 severity = "medium"
 tags = [
  "Domain: Cloud",
+ "Domain: Identity",
  "Data Source: Azure",
  "Data Source: Microsoft Entra ID",
  "Data Source: Microsoft Entra ID Audit Logs",
diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
index 0e342a533ef..3faa472ecb8 100644
--- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
@@ -62,7 +62,16 @@ references = [
 risk_score = 47
 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml
index fd1f9e9b764..b6f2f46c38a 100644
--- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml
@@ -64,7 +64,10 @@ rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Persistence",
diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
index eecf6910070..d9b5a5edaf9 100644
--- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
@@ -70,7 +70,16 @@ references = [
 risk_score = 73
 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
index f65195fc255..13604b48624 100644
--- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
@@ -70,7 +70,10 @@ rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Persistence",
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_created.toml b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml
index ede1d09319c..28eda67ae64 100644
--- a/rules/integrations/azure/persistence_entra_id_service_principal_created.toml
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml
@@ -76,6 +76,7 @@ This rule requires the Azure integration with Microsoft Entra ID Audit Logs data
 severity = "low"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
index d1f42031191..9f584a42c34 100644
--- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
@@ -62,6 +62,7 @@ rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
index 1694a35cf48..84d592ea02f 100644
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
@@ -57,7 +57,16 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re
 risk_score = 21
 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
index 2f20448337f..3c8c10557ed 100644
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
@@ -62,7 +62,16 @@ references = [
 risk_score = 21
 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index 8db81721d39..fd341df6c03 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -67,6 +67,7 @@ rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
index fc2f3fb6412..7e465096c27 100644
--- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
@@ -64,7 +64,11 @@ rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
 severity = "low"
 tags = [
 "Domain: Cloud",
+ "Domain: Identity",
+ "Domain: Container",
 "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
From 1f3e5c2787c1294619ed5907b274e8ccd18b3704 Mon Sep 17 00:00:00 2001
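Review bot: The AKS role-binding rule is tagged `"Data Source: Microsoft Entra ID"` and `"Data Source: Microsoft Entra ID Audit Logs"`, but a Kubernetes role-binding write on a managed cluster is an Azure resource operation, which the sibling resource-operation rules in this patch (L112–L113) tag as `"Data Source: Azure Activity Logs"`. The rule's query is outside the hunk, so this is inferred from the rule's subject rather than read from it; if the query consumes the activity log rather than Entra ID directory audit events, the two Entra ID tags should be replaced with `"Data Source: Azure Activity Logs"`, and `"Domain: Identity"` reconsidered next to `"Domain: Container"`.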
From: terrancedejesus Date: Fri, 29 Aug 2025 10:44:23 -0400 Subject: [PATCH 3/9] updated m365 rules --- ...ute_force_microsoft_365_repeat_source.toml | 2 +- ..._access_azure_o365_with_network_alert.toml | 2 +- ..._access_entra_id_brute_force_activity.toml | 2 +- ...d_device_code_auth_with_broker_client.toml | 2 +- ...s_entra_id_excessive_account_lockouts.toml | 2 +- ...a_id_first_time_seen_device_code_auth.toml | 2 +- ...a_id_signin_brute_force_microsoft_365.toml | 2 +- ...ial_access_entra_id_suspicious_signin.toml | 2 +- ...ss_entra_id_totp_brute_force_attempts.toml | 2 +- ...d_application_credential_modification.toml | 2 +- ...tra_id_oauth_user_impersonation_scope.toml | 2 +- ...a_id_protection_sign_in_risk_detected.toml | 2 +- ...ntra_id_protection_user_risk_detected.toml | 2 +- ...tra_id_rare_app_id_for_principal_auth.toml | 2 +- ...ous_oauth_flow_via_auth_broker_to_drs.toml | 2 +- ...change_excessive_mail_items_accessed.toml} | 3 +- ...lbox_access_by_unusual_client_app_id.toml} | 3 +- ...> collection_exchange_new_inbox_rule.toml} | 22 +++++++--- ...ion_onedrive_excessive_file_downloads.toml | 7 +-- ..._id_device_reg_via_oauth_redirection.toml} | 5 ++- ..._entra_id_excessive_account_lockouts.toml} | 6 ++- ...d_potential_user_account_brute_force.toml} | 3 +- ...a_id_user_excessive_sso_logon_errors.toml} | 10 ++--- ...n_entra_id_susp_oauth2_authorization.toml} | 9 ++-- ..._evasion_exchange_dlp_policy_removed.toml} | 11 ++--- ...nge_mailbox_audit_bypass_association.toml} | 20 ++++++--- ...hange_malware_filter_policy_deletion.toml} | 12 ++--- ...ion_exchange_malware_filter_rule_mod.toml} | 12 ++--- ...change_new_inbox_rule_delete_or_move.toml} | 3 +- ...n_exchange_safe_attach_rule_disabled.toml} | 12 ++--- ...ion_exchange_transport_rule_creation.toml} | 20 ++++++--- ...exchange_transport_rule_modification.toml} | 20 ++++++--- ...iance_mass_download_by_a_single_user.toml} | 19 +++++--- ...liance_potential_ransomware_activity.toml} | 19 +++++--- 
...ance_unusual_volume_of_file_deletion.toml} | 19 +++++--- ...ent_grant_via_registered_application.toml} | 7 ++- ...a_id_impossible_travel_portal_logins.toml} | 44 ++++++++++++------- ..._id_oauth_phishing_via_vscode_client.toml} | 6 ++- ...a_id_portal_login_from_rare_location.toml} | 44 ++++++++++++------- ..._exchange_anti_phish_policy_deletion.toml} | 12 ++--- ...xchange_anti_phish_rule_modification.toml} | 12 ++--- ...exchange_exchange_safelinks_disabled.toml} | 12 ++--- ...ompliance_impossible_travel_activity.toml} | 23 ++++++---- ...mpliance_user_reported_phish_malware.toml} | 19 +++++--- ...e_user_restricted_from_sending_email.toml} | 11 ++--- ...l_movement_onedrive_malware_uploaded.toml} | 24 ++++++---- ...movement_sharepoint_malware_uploaded.toml} | 24 ++++++---- ..._id_global_administrator_role_assign.toml} | 16 +++---- ...xchange_dkim_signing_config_disabled.toml} | 19 +++++--- ..._exchange_management_role_assignment.toml} | 12 ++--- ...picious_mailbox_permission_delegation.toml | 38 +++++++++------- ...teams_custom_app_interaction_allowed.toml} | 21 ++++++--- ...stence_teams_external_access_enabled.toml} | 20 ++++++--- ...rsistence_teams_guest_access_enabled.toml} | 20 ++++++--- ...ge_new_or_modified_federation_domain.toml} | 13 +++--- 55 files changed, 416 insertions(+), 246 deletions(-) rename rules/integrations/o365/{collection_microsoft_365_excessive_mail_items_accessed.toml => collection_exchange_excessive_mail_items_accessed.toml} (99%) rename rules/integrations/o365/{collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml => collection_exchange_mailbox_access_by_unusual_client_app_id.toml} (99%) rename rules/integrations/o365/{collection_microsoft_365_new_inbox_rule.toml => collection_exchange_new_inbox_rule.toml} (93%) rename rules/integrations/o365/{credential_access_antra_id_device_reg_via_oauth_redirection.toml => credential_access_entra_id_device_reg_via_oauth_redirection.toml} (97%) rename 
rules/integrations/o365/{credential_access_microsoft_365_excessive_account_lockouts.toml => credential_access_entra_id_excessive_account_lockouts.toml} (97%) rename rules/integrations/o365/{credential_access_microsoft_365_potential_user_account_brute_force.toml => credential_access_entra_id_potential_user_account_brute_force.toml} (99%) rename rules/integrations/o365/{credential_access_user_excessive_sso_logon_errors.toml => credential_access_entra_id_user_excessive_sso_logon_errors.toml} (96%) rename rules/integrations/o365/{defense_evasion_microsoft_365_susp_oauth2_authorization.toml => defense_evasion_entra_id_susp_oauth2_authorization.toml} (96%) rename rules/integrations/o365/{defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml => defense_evasion_exchange_dlp_policy_removed.toml} (96%) rename rules/integrations/o365/{defense_evasion_microsoft_365_mailboxauditbypassassociation.toml => defense_evasion_exchange_mailbox_audit_bypass_association.toml} (94%) rename rules/integrations/o365/{defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml => defense_evasion_exchange_malware_filter_policy_deletion.toml} (96%) rename rules/integrations/o365/{defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml => defense_evasion_exchange_malware_filter_rule_mod.toml} (96%) rename rules/integrations/o365/{defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml => defense_evasion_exchange_new_inbox_rule_delete_or_move.toml} (98%) rename rules/integrations/o365/{defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml => defense_evasion_exchange_safe_attach_rule_disabled.toml} (96%) rename rules/integrations/o365/{exfiltration_microsoft_365_exchange_transport_rule_creation.toml => exfiltration_exchange_transport_rule_creation.toml} (93%) rename rules/integrations/o365/{exfiltration_microsoft_365_exchange_transport_rule_mod.toml => exfiltration_exchange_transport_rule_modification.toml} (94%) rename 
rules/integrations/o365/{exfiltration_microsoft_365_mass_download_by_a_single_user.toml => exfiltration_security_compliance_mass_download_by_a_single_user.toml} (93%) rename rules/integrations/o365/{impact_microsoft_365_potential_ransomware_activity.toml => impact_security_compliance_potential_ransomware_activity.toml} (93%) rename rules/integrations/o365/{impact_microsoft_365_unusual_volume_of_file_deletion.toml => impact_security_compliance_unusual_volume_of_file_deletion.toml} (93%) rename rules/integrations/o365/{initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml => initial_access_entra_id_illicit_consent_grant_via_registered_application.toml} (98%) rename rules/integrations/o365/{initial_access_microsoft_365_impossible_travel_portal_logins.toml => initial_access_entra_id_impossible_travel_portal_logins.toml} (94%) rename rules/integrations/o365/{initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml => initial_access_entra_id_oauth_phishing_via_vscode_client.toml} (98%) rename rules/integrations/o365/{initial_access_microsoft_365_portal_login_from_rare_location.toml => initial_access_entra_id_portal_login_from_rare_location.toml} (94%) rename rules/integrations/o365/{initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml => initial_access_exchange_anti_phish_policy_deletion.toml} (96%) rename rules/integrations/o365/{initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml => initial_access_exchange_anti_phish_rule_modification.toml} (96%) rename rules/integrations/o365/{initial_access_microsoft_365_exchange_safelinks_disabled.toml => initial_access_exchange_exchange_safelinks_disabled.toml} (96%) rename rules/integrations/o365/{initial_access_microsoft_365_impossible_travel_activity.toml => initial_access_security_compliance_impossible_travel_activity.toml} (94%) rename rules/integrations/o365/{initial_access_o365_user_reported_phish_malware.toml => 
initial_access_security_compliance_user_reported_phish_malware.toml} (94%)
rename rules/integrations/o365/{initial_access_microsoft_365_user_restricted_from_sending_email.toml => initial_access_security_compliance_user_restricted_from_sending_email.toml} (96%)
rename rules/integrations/o365/{lateral_movement_malware_uploaded_onedrive.toml => lateral_movement_onedrive_malware_uploaded.toml} (92%)
rename rules/integrations/o365/{lateral_movement_malware_uploaded_sharepoint.toml => lateral_movement_sharepoint_malware_uploaded.toml} (92%)
rename rules/integrations/o365/{persistence_microsoft_365_global_administrator_role_assign.toml => persistence_entra_id_global_administrator_role_assign.toml} (90%)
rename rules/integrations/o365/{persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml => persistence_exchange_dkim_signing_config_disabled.toml} (95%)
rename rules/integrations/o365/{persistence_microsoft_365_exchange_management_role_assignment.toml => persistence_exchange_management_role_assignment.toml} (96%)
rename rules/integrations/o365/{persistence_microsoft_365_teams_custom_app_interaction_allowed.toml => persistence_teams_custom_app_interaction_allowed.toml} (93%)
rename rules/integrations/o365/{persistence_microsoft_365_teams_external_access_enabled.toml => persistence_teams_external_access_enabled.toml} (93%)
rename rules/integrations/o365/{persistence_microsoft_365_teams_guest_access_enabled.toml => persistence_teams_guest_access_enabled.toml} (94%)
rename rules/integrations/o365/{privilege_escalation_new_or_modified_federation_domain.toml => privilege_escalation_exchange_new_or_modified_federation_domain.toml} (96%)
diff --git a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
index f5050278864..7c0b6ea3668 100644
--- a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
+++ b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
@@ -72,7 +72,7 @@ tags = [
 "Domain: Cloud",
 "Domain: SaaS",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index d2cd0b2744f..857ecc63a8a 100644
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -63,7 +63,7 @@ tags = [
 "Domain: Cloud",
 "Domain: SaaS",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
index f73ddb74b5d..907e0428769 100644
--- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
+++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -79,7 +79,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
index 77bd2f20cba..c9a2242c5f4 100644
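Review bot: Renaming `"Data Source: Entra ID"` to `"Data Source: Microsoft Entra ID"` leaves the adjacent log-type tag in the old spelling, and in several variants: `"Data Source: Entra ID Sign-in"` here and at L126/L128, `"Data Source: Entra ID Sign-in Logs"` here and at L125–L127 and L129, `"Data Source: Entra ID Sign-in logs"` at L126, and `"Data Source: Entra ID Audit Logs"` at L127, while PATCH 1/9 standardises on `"Data Source: Microsoft Entra ID Audit Logs"` (L113–L118). One name per log type, e.g. `"Data Source: Microsoft Entra ID Sign-in Logs"`, keeps the taxonomy filterable; if a later patch in the series does that rename, this is only a reminder. Separately, the first hunk edits a rule under `rules/_deprecated/`; if deprecated rules are meant to be frozen, the tag change there should be dropped or confirmed against the repository's deprecation check.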
--- a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
+++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
@@ -29,7 +29,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index bf50bebf762..36bf103d780 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -73,7 +73,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
index 91c1f10e39d..e248acd3959 100644
--- a/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
@@ -88,7 +88,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
diff --git a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
index 7a0d51a67fd..da9532b873d 100644
--- a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
@@ -77,7 +77,7 @@ tags = [
 "Domain: SaaS",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index 628ee967c08..f62de0b6c39 100644
--- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -59,7 +59,7 @@ tags = [
 "Domain: Identity",
 "Domain: SaaS",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
index 3223c985eeb..49dc3e1f756 100644
--- a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
@@ -74,7 +74,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
index d58e3efd29d..4a1f45d2945 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
@@ -74,7 +74,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Defense Evasion",
diff --git a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
index 6b74b89e928..c4162467600 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
@@ -67,7 +67,7 @@ tags = [
 "Domain: Identity",
 "Use Case: Threat Detection",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Tactic: Defense Evasion",
 "Tactic: Initial Access",
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
index 162d7bf2538..d3af3f1816f 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
@@ -82,7 +82,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Use Case: Risk Detection",
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
index 2d9f32622e2..8110b7bc7e9 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
@@ -79,7 +79,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Use Case: Risk Detection",
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
index 4a69cb4056b..dddd37296a8 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
@@ -73,7 +73,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
index c6c561b7f8d..82ab6c23cb8 100644
--- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
@@ -78,7 +78,7 @@ tags = [
 "Domain: Cloud",
 "Domain: Identity",
 "Data Source: Azure",
- "Data Source: Entra ID",
+ "Data Source: Microsoft Entra ID",
 "Data Source: Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
diff --git a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
similarity index 99%
rename from rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml
rename to rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
index 3034875b979..da1a94b4a60 100644
--- a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml
+++ b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/08/29"
 [rule]
 author = ["Elastic"]
@@ -69,6 +69,7 @@ tags = [
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Exchange",
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
similarity index 99%
rename from rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml
rename to rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
index fdf041d01f1..7d444e2212f 100644
--- a/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml
+++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/06/16"
+updated_date = "2025/08/29"
 [rule]
 author = ["Elastic"]
@@ -69,6 +69,7 @@ tags = [
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Exchange",
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml
similarity index 93%
rename from rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
rename to rules/integrations/o365/collection_exchange_new_inbox_rule.toml
index 6b301294b2e..a2d4c305dfd 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/03/29"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 [rule]
 author = ["Elastic", "Gary Blackwell", "Austin Songer"]
@@ -18,7 +18,7 @@ false_positives = [
 policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Microsoft 365 Inbox Forwarding Rule Created
+### Investigating M365 Exchange Inbox Forwarding Rule Created
 Microsoft 365 allows users to create inbox rules to automate email management, such as forwarding messages to another address. While useful, attackers can exploit these rules to secretly redirect emails, facilitating data exfiltration. The detection rule monitors for the creation of such forwarding rules, focusing on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities.
@@ -59,9 +59,7 @@ Microsoft 365 allows users to create inbox rules to automate email management, s
 - Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activity or rule changes.
 - Review and update email security policies and configurations to prevent similar incidents, ensuring that forwarding rules are monitored and restricted as necessary.
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
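Review bot: The second hunk removes the `## Setup` section from `note`, and with it the only statement of which data (the Office 365 Logs Fleet integration or Filebeat module) the rule needs; unless that text moved to a top-level `setup` key outside the hunk, the requirement is gone from the rule. The replacement also keeps the blank context line before `+"""`, so the note now ends with an empty line; closing the string on the last bullet, `...restricted as necessary."""`, avoids that. The `note` string begins before this hunk and is only partly visible here.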
@@ -71,7 +69,17 @@ references = [ risk_score = 47 rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78" severity = "medium" -tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", + "Use Case: Configuration Audit", + "Tactic: Collection", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index 37d9710d3a5..ed31811c49f 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ false_positives = [ """, ] from = "now-9m" +interval = "8m" language = "esql" license = "Elastic License v2" name = "M365 OneDrive Excessive File Downloads with OAuth Token" @@ -69,8 +70,8 @@ tags = [ "Domain: Cloud", "Domain: SaaS", "Data Source: Microsoft 365", - "Data Source: SharePoint", - "Data Source: OneDrive", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft OneDrive", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Exfiltration", 
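Review bot: The new `interval = "8m"` paired with the existing `from = "now-9m"` in the `@@ -18,6 +18,7 @@` hunk of collection_onedrive_excessive_file_downloads.toml leaves only one minute of overlap between consecutive runs, and the same pair is introduced in credential_access_entra_id_excessive_account_lockouts, whose description says it counts lockouts within a 5-minute window. If the ES|QL query (outside both hunks) aggregates events over a span longer than one minute, a burst that straddles a run boundary is split between two runs and can fall below the threshold in each, so a burst of downloads or lockouts may go undetected purely because of scheduling. Setting `from` to at least the interval plus the aggregation window, e.g. `from = "now-13m"` for a 5-minute window, keeps every such window fully inside one run. Since the two values are only correct in combination, a one-line comment above `interval` recording that dependency would help the next person who tunes either of them.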
diff --git a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml similarity index 97% rename from rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml rename to rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index 388c77b5c31..670ada7e8fb 100644 --- a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-o365.audit-*"] interval = "15m" language = "eql" license = "Elastic License v2" -name = "M365 Entra ID OAuth Redirect to Device Registration for User Principal" +name = "M365 Entra ID User OAuth Redirect to Device Registration" note = """## Triage and analysis ### Investigating M365 Entra ID OAuth Redirect to Device Registration for User Principal @@ -56,6 +56,7 @@ tags = [ "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml similarity index 97% rename from rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml rename to rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml index 93e31322098..c48f55f140f 100644 
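Review bot: The rename to `name = "M365 Entra ID User OAuth Redirect to Device Registration"` in the `@@ -18,7 +18,7 @@` hunk leaves the context line `### Investigating M365 Entra ID OAuth Redirect to Device Registration for User Principal` in the same hunk untouched, so the investigation guide heading no longer matches the rule name. The same mismatch is introduced in credential_access_entra_id_excessive_account_lockouts, where the name drops "in Short Time Window" while the heading `### Investigating Multiple Microsoft 365 User Account Lockouts in Short Time Window` and the description's "within a short 5-minute window" keep it. Updating each heading to mirror the new name, here `### Investigating M365 Entra ID User OAuth Redirect to Device Registration`, keeps the guide findable by the title an analyst sees on the alert.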
--- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/10" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -11,9 +11,10 @@ Detects a burst of Microsoft 365 user account lockouts within a short 5-minute w errors across multiple user accounts may indicate brute-force attempts for the same users resulting in lockouts. """ from = "now-9m" +interval = "8m" language = "esql" license = "Elastic License v2" -name = "M365 Entra ID Multiple User Account Lockouts in Short Time Window" +name = "M365 Entra ID Multiple User Account Lockouts" note = """## Triage and Analysis ### Investigating Multiple Microsoft 365 User Account Lockouts in Short Time Window @@ -64,6 +65,7 @@ tags = [ "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Credential Access", diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml similarity index 99% rename from rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml rename to rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml index 536a1865acd..d529d1146df 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml +++ b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Willem D'Haese", "Austin Songer"] @@ -70,6 +70,7 @@ tags = [ "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Credential Access", diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml similarity index 96% rename from rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml rename to rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml index f2a1d6d672c..a7a8b489ec7 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Austin Songer"] @@ -16,7 +16,7 @@ false_positives = [ positives. """, ] -from = "now-20m" +from = "now-30m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" 
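Review bot: `from` widens from `now-20m` to `now-30m` in the last hunk on this line (credential_access_entra_id_user_excessive_sso_logon_errors), the opposite direction from every other file in this patch, and the hunk gives no reason. The rule name and guide describe counting excessive SSO logon errors, so if this is a threshold rule (its `type` and threshold settings are outside the hunk) the wider window lowers the failure rate needed to trip it — the same threshold value now spans 30 minutes of errors instead of 20 — and the threshold may need re-tuning; if it is a plain query rule the change mainly increases repeated evaluation of the same events on a 5-minute schedule. A short note in the commit message, or a comment above the key such as `# 30m look-back: SSO failures are counted across the whole window`, would record why this rule diverges from the `now-9m` used elsewhere.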
@@ -57,9 +57,7 @@ Single Sign-On (SSO) in O365 streamlines user access by allowing one set of cred - Escalate the incident to the security operations team for further investigation and to determine if additional accounts or systems have been compromised. - Update and enhance monitoring rules to detect similar patterns of excessive SSO logon errors, ensuring early detection of potential brute force attempts. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" risk_score = 73 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "high" @@ -68,6 +66,8 @@ tags = [ "Domain: SaaS", "Domain: Identity", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml similarity index 96% rename from rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml rename to rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 0cb4d39b9f1..4ce51df43b3 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -48,17 +48,16 @@ references = [ ] risk_score = 73 rule_id = "36188365-f88f-4f70-8c1d-0b9554186b9c" -setup = """## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. -""" +setup = "" severity = "high" tags = [ "Domain: Cloud", + "Domain: SaaS", "Domain: Email", "Domain: Identity", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml similarity index 96% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml rename to rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index bfe5a573262..2d65b0d2a60 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" 
@@ -56,9 +56,7 @@ Data Loss Prevention (DLP) in Microsoft 365 Exchange is crucial for safeguarding - Implement enhanced monitoring and alerting for similar events, focusing on unauthorized changes to security policies and configurations. - Review and strengthen access controls and permissions for accounts with the ability to modify DLP policies to prevent unauthorized changes in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide", @@ -70,7 +68,10 @@ tags = [ "Domain: Cloud", "Domain: SaaS", "Domain: Email", + "Domain: Compliance", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml similarity index 94% rename from rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml rename to rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 54a64a4a9a2..9b6e0f57231 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -16,7 +16,7 @@ Attackers can abuse this allowlist mechanism to conceal actions taken, as the ma the account. """ false_positives = ["Legitimate allowlisting of noisy accounts"] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -57,14 +57,22 @@ In Microsoft 365 environments, mailbox audit logging is crucial for tracking use - Implement additional monitoring for similar bypass attempts to enhance detection capabilities and prevent recurrence. - Consider escalating the incident to a higher security tier or external cybersecurity experts if the scope of the breach is extensive or if internal resources are insufficient to handle the threat. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = ["https://twitter.com/misconfig/status/1476144066807140355"] risk_score = 47 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d" severity = "medium" -tags = ["Domain: Cloud", "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
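Review bot: The rewritten `tags` array in the `@@ -57,14 +57,22 @@` hunk drops `"Tactic: Initial Access"` and adds `"Use Case: Configuration Audit"`, but the `[[rule.threat]]` mapping the tags are meant to mirror is outside the hunk. If an Initial Access tactic entry is still present there, tags and threat mapping now disagree, which the repository's consistency checks would presumably flag; if it was removed in a hunk not shown, the narrowing of a mailbox-audit-bypass rule to a single tactic still deserves a line in the commit message. Either re-add `"Tactic: Initial Access",` or remove the corresponding threat entry so the two stay in step.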
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml similarity index 96% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml rename to rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index fda196637fb..45ee8154dcd 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -58,9 +58,7 @@ Microsoft 365 Exchange uses malware filter policies to detect and alert administ - Implement additional monitoring on the affected account and related systems to detect any further suspicious activities or attempts to bypass security measures. - Review and update security policies and configurations to ensure they are robust against similar evasion tactics in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps", ] 
@@ -69,7 +67,11 @@ rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb" severity = "medium" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml similarity index 96% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml rename to rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index d77e43cc252..badac2f8f3c 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" 
@@ -56,9 +56,7 @@ Microsoft 365 Exchange uses malware filter rules to protect email systems by ide - Review and update access controls and permissions for administrative actions within Microsoft 365 to limit the ability to modify security configurations to only essential personnel. - Document the incident, including actions taken and lessons learned, to improve future response efforts and update incident response plans accordingly. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps", @@ -68,7 +66,11 @@ rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2" severity = "medium" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml similarity index 98% rename from rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml rename to rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml index 7dd793fd8ee..b0f1a9b0034 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["o365"] maturity = "production" -updated_date = "2025/05/22" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Jamie Lee"] 
@@ -75,6 +75,7 @@ tags = [ "Domain: Email", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml similarity index 96% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml rename to rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index cedfe0b03f1..575c1a0d049 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" 
@@ -57,9 +57,7 @@ Microsoft 365's Safe Attachment feature enhances security by analyzing email att - Review and update access controls and permissions to ensure that only authorized personnel can modify security rules and configurations. - Conduct a post-incident analysis to identify the root cause and implement measures to prevent similar incidents, such as enhancing alerting mechanisms for critical security rule changes. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps", ] @@ -68,7 +66,11 @@ rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b" severity = "low" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml similarity index 93% rename from rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml rename to rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index 14c7fd941a1..1289f6b561a 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -57,9 +57,7 @@ Microsoft 365 Exchange transport rules automate email handling, applying actions - Escalate the incident to the incident response team if there is evidence of a broader compromise or if sensitive data has been exfiltrated. - Implement enhanced monitoring and alerting for transport rule changes to detect and respond to similar threats more effectively in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", @@ -67,7 +65,17 @@ references = [ risk_score = 47 rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", + "Use Case: Configuration Audit", + "Tactic: Exfiltration", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml similarity index 94% rename from rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml rename to rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index 79e715ecd1b..48dae3fee82 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -57,9 +57,7 @@ Microsoft 365 Exchange transport rules manage email flow by setting conditions a - Coordinate with legal and compliance teams to determine if any regulatory reporting is required due to potential data exfiltration. - Enhance security measures by enabling multi-factor authentication (MFA) for all administrative accounts and reviewing access permissions to ensure the principle of least privilege is enforced. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", 
@@ -68,7 +66,17 @@ references = [ risk_score = 47 rule_id = "272a6484-2663-46db-a532-ef734bf9a796" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", + "Use Case: Configuration Audit", + "Tactic: Exfiltration", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml similarity index 93% rename from rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml rename to rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml index 072a67c80d8..25a1a78b5ce 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml +++ b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml @@ -2,13 +2,13 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "development" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] description = "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute." false_positives = ["Unknown"] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" 
@@ -48,9 +48,6 @@ Microsoft 365 provides cloud-based productivity tools, enabling users to access - Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activities. - Review and update access controls and data download policies to prevent similar incidents in the future, ensuring that only necessary permissions are granted to users. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", @@ -59,7 +56,17 @@ references = [ risk_score = 47 rule_id = "571ff456-aa7f-4e48-8a88-39698bb5418f" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Compliance", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Security and Compliance Center", + "Use Case: Configuration Audit", + "Tactic: Exfiltration", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml similarity index 93% rename from rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml rename to rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml index d007ca0602f..93ab36b3a8c 100644 --- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml 
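Review bot: The new tags `"Data Source: Microsoft Security and Compliance Center"` and `"Domain: Compliance"` in the `@@ -59,7 +56,17 @@` hunk sit beside a description (context in the preceding hunk) that attributes the alert to Microsoft Cloud App Security, and the file is renamed to `exfiltration_security_compliance_…`. Both can be right if the query keys on the `SecurityComplianceCenter` audit provider through which those alerts are delivered, but the query is outside the hunk, so a reader is left with two different sources named for one rule. The same pairing appears in impact_security_compliance_potential_ransomware_activity and impact_security_compliance_unusual_volume_of_file_deletion. A clause in the description, e.g. `… as reported by Microsoft Cloud App Security via the Security and Compliance Center audit feed`, would reconcile the two without changing the query.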
@@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] @@ -16,7 +16,7 @@ false_positives = [ represent an adverse encryption process. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -58,9 +58,6 @@ Microsoft 365's cloud services can be exploited by adversaries to distribute ran - Review and update access controls and permissions for the affected user and related accounts to minimize the risk of future incidents. - Escalate the incident to senior security management and, if necessary, involve legal or compliance teams to assess any regulatory implications. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", @@ -69,7 +66,17 @@ references = [ risk_score = 47 rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Compliance", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Security and Compliance Center", + "Use Case: Configuration Audit", + "Tactic: Impact", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml similarity index 93% rename from rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml rename to rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml index 1d9a3605e08..2a9603c25f2 100644 --- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml +++ b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml @@ -2,13 +2,13 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security." false_positives = ["Users or System Administrator cleaning out folders."] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -49,9 +49,6 @@ Microsoft 365's cloud environment facilitates file storage and collaboration, bu - Review and update access controls and permissions to ensure that users have the minimum necessary access to perform their job functions, reducing the risk of large-scale deletions. - Coordinate with the IT and security teams to conduct a post-incident review, identifying any gaps in the response process and implementing improvements to prevent recurrence. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", 
@@ -60,7 +57,17 @@ references = [
 risk_score = 47
 rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Compliance",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Security and Compliance Center",
+ "Use Case: Configuration Audit",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
similarity index 98%
rename from rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
rename to rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
index cfd56968ea8..f5822517b3f 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/03/24"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -81,8 +81,11 @@ rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Identity",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
@@ -141,7 +144,7 @@ field_names = [
 "o365.audit.Target.Type",
 "o365.audit.ModifiedProperties.ConsentAction_Reason.NewValue",
 "o365.audit.ExtendedProperties.additionalDetails",
- "cloud.region"
+ "cloud.region",
 ]
 
 [rule.new_terms]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_entra_id_impossible_travel_portal_logins.toml
similarity index 94%
rename from rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
rename to rules/integrations/o365/initial_access_entra_id_impossible_travel_portal_logins.toml
index deef83c6d8c..6b38b1e1e39 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
+++ b/rules/integrations/o365/initial_access_entra_id_impossible_travel_portal_logins.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -23,22 +23,6 @@ index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "M365 Entra ID Portal Logins from Impossible Travel Locations"
-references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
-risk_score = 47
-rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
-severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "threshold"
-
-query = '''
-event.dataset: "o365.audit"
- and event.provider: "AzureActiveDirectory"
- and event.action: "UserLoggedIn"
- and event.outcome: "success"
- and not o365.audit.UserId: "Not Available"
- and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -74,6 +58,32 @@ Microsoft 365's cloud-based services enable global access, but this can be explo
 - Escalate the incident to the security operations team for further investigation and to determine if other accounts or systems have been compromised.
 - Implement geo-blocking for high-risk countries or regions where the organization does not typically conduct business to prevent similar unauthorized access attempts.
 - Update and refine security monitoring rules to enhance detection of similar anomalous login patterns in the future."""
+references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
+risk_score = 47
+rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Identity",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Entra ID",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset: "o365.audit"
+ and event.provider: "AzureActiveDirectory"
+ and event.action: "UserLoggedIn"
+ and event.outcome: "success"
+ and not o365.audit.UserId: "Not Available"
+ and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
similarity index 98%
rename from rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml
rename to rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
index c5f68800a9d..ba025b80bb9 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml
+++ b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@
 redirect location, prompting victims to return an OAuth authorization code that
 rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing activity.
 """
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -70,8 +70,10 @@ severity = "medium"
 tags = [
 "Domain: Cloud",
 "Domain: SaaS",
+ "Domain: Identity",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_from_rare_location.toml
similarity index 94%
rename from rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
rename to rules/integrations/o365/initial_access_entra_id_portal_login_from_rare_location.toml
index 7026fc88226..8359613dcc2 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_from_rare_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -21,22 +21,6 @@ index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "M365 Entra ID Portal Login from Rare Location"
-references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
-risk_score = 47
-rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
-severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-event.dataset: "o365.audit"
- and event.provider: "AzureActiveDirectory"
- and event.action: "UserLoggedIn"
- and event.outcome: "success"
- and not o365.audit.UserId: "Not Available"
- and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
-'''
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -73,6 +57,32 @@ Microsoft 365 is a cloud-based suite offering productivity tools accessible from
 - If unauthorized access is confirmed, initiate a security incident response plan, including data breach notification procedures if necessary.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems or accounts are compromised.
 - Implement geo-blocking or conditional access policies to restrict access from rare or high-risk locations, reducing the likelihood of similar incidents in the future."""
+references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
+risk_score = 47
+rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Identity",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Entra ID",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "o365.audit"
+ and event.provider: "AzureActiveDirectory"
+ and event.action: "UserLoggedIn"
+ and event.outcome: "success"
+ and not o365.audit.UserId: "Not Available"
+ and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
+'''
 
 
 [[rule.threat]]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml
similarity index 96%
rename from rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
rename to rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml
index 82ad331d91e..39aa873e64d 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 was expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -58,9 +58,7 @@ Microsoft 365's anti-phishing policies enhance security by fine-tuning detection
 - Escalate the incident to the incident response team if there is evidence of broader compromise or if sensitive data has been accessed.
 - Implement enhanced monitoring and alerting for similar actions in the future to quickly detect and respond to any further attempts to delete security policies.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
@@ -70,7 +68,11 @@ rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Email",
 "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml
similarity index 96%
rename from rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
rename to rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml
index 242c506b1e4..6b94fdd839b 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -58,9 +58,7 @@ Microsoft 365's anti-phishing rules are crucial for safeguarding users against p
 - Implement enhanced monitoring and alerting for any further attempts to modify anti-phishing rules, ensuring that similar activities are detected promptly.
 - Review and update access controls and permissions for administrative actions within Microsoft 365 to ensure that only authorized personnel can modify security settings.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps",
@@ -70,7 +68,11 @@ rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Email",
 "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml
similarity index 96%
rename from rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
rename to rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml
index 10226b1eff7..baff9ed0e0e 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -56,9 +56,7 @@ Microsoft 365's Safe Link policies enhance security by scanning hyperlinks in do
 - Implement additional monitoring and alerting for changes to Safe Link policies to ensure rapid detection of any future unauthorized modifications.
 - Review and update access controls and permissions related to Safe Link policy management to ensure only authorized personnel can make changes.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide",
@@ -68,7 +66,11 @@ rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Email",
 "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Exchange",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml
similarity index 94%
rename from rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
rename to rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml
index 84f9c360a1a..501c1b72f9a 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "development"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Austin Songer"]
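Review bot: The rename target `initial_access_exchange_exchange_safelinks_disabled.toml` repeats `exchange_`; the sibling renames in this patch follow `<tactic>_<service>_<subject>` (for example `initial_access_exchange_anti_phish_policy_deletion.toml`), so `initial_access_exchange_safelinks_disabled.toml` is presumably what was intended. While the tag list in the `@@ -68,7 +66,11 @@` hunk is being revised, it keeps `"Use Case: Identity and Access Audit"`, whereas the two anti-phish rules in this patch, which detect the same kind of Exchange protection-policy change, carry `"Use Case: Configuration Audit"`; aligning it here would keep the Exchange rules consistent.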
@@ -11,7 +11,7 @@ Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt
 impossible travel.
 """
 false_positives = ["User using a VPN may lead to false positives."]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -62,19 +62,25 @@ This rule is no longer applicable based on changes to Microsoft Defender for Off
 
 Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy
 """
-setup = """
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
-"""
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 ]
 risk_score = 47
 rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d"
+setup = ""
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Compliance",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Entra ID",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -95,3 +101,4 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
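Review bot: The `@@ -62,19 +62,25 @@` hunk adds `"Data Source: Microsoft Entra ID"` to a rule that is renamed into the `security_compliance` group, tagged `"Domain: Compliance"`, and described as reporting Microsoft Cloud App Security findings, while the other security_compliance rules in this patch (unusual volume of file deletion, user reported phish/malware, user restricted from sending email) use `"Data Source: Microsoft Security and Compliance Center"`. Unless the impossible-travel signal is intentionally attributed to Entra ID sign-in data, the tag should be `"Data Source: Microsoft Security and Compliance Center"` for consistency with its siblings. Separately, the `@@ -95,3 +101,4 @@` hunk adds a trailing blank line at end of file that no other rule in this patch receives; it looks unintended and can be dropped.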
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
similarity index 94%
rename from rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
rename to rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
index dce2fb76bd5..1c453da50ef 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/12"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ malicious message. Educating users to report suspicious messages can help identi
 malware infections and Business Email Compromise attacks.
 """
 false_positives = ["Legitimate files reported by the users"]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -54,16 +54,23 @@ Microsoft 365's email services are integral to business communication, but they
 - Review and update email filtering and security policies to address any identified gaps that allowed the malicious email to bypass existing controls.
 - Monitor for any further suspicious activity related to the incident, using enhanced logging and alerting mechanisms to detect similar threats in the future.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us",
 ]
 risk_score = 47
 rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Compliance",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Security and Compliance Center",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
similarity index 96%
rename from rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
rename to rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
index d9a5cb219b7..7601145730a 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Austin Songer"]
@@ -11,7 +11,7 @@ Identifies when a user has been restricted from sending email due to exceeding s
 per the Security Compliance Center.
 """
 false_positives = ["A user sending emails using personal distribution folders may trigger the event."]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -51,9 +51,6 @@ Microsoft 365 enforces email sending limits to prevent abuse and ensure service
 - Implement additional email filtering rules to block similar phishing or spam patterns identified in the incident to prevent recurrence.
 - Update and enhance detection rules and monitoring to quickly identify and respond to similar threats in the future, leveraging insights from the current incident.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 references = [
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
@@ -64,7 +61,11 @@ rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Compliance",
 "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft Security and Compliance Center",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
similarity index 92%
rename from rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
rename to rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
index c36245bfe2a..95f8a8e14dd 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -13,17 +13,17 @@ Users can inadvertently share these files without knowing their maliciousness, g
 initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "OneDrive Malware File Upload"
+name = "M365 OneDrive Malware File Upload"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating OneDrive Malware File Upload
+### Investigating M365 OneDrive Malware File Upload
 
 OneDrive, a cloud storage service, facilitates file sharing and collaboration within organizations. However, adversaries can exploit this by uploading malware, which can spread across shared environments, leading to lateral movement within a network. The detection rule identifies such threats by monitoring OneDrive activities for malware detection events, focusing on file operations flagged by Microsoft's security engine. This proactive approach helps in identifying and mitigating potential breaches.
 
@@ -55,16 +55,24 @@ OneDrive, a cloud storage service, facilitates file sharing and collaboration wi
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if any lateral movement or additional compromise has occurred.
 - Implement enhanced monitoring and alerting for similar OneDrive activities to quickly detect and respond to any future malware uploads or related threats.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
 ]
 risk_score = 73
 rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Storage",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: Microsoft OneDrive",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
similarity index 92%
rename from rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
rename to rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
index 03d908c6935..3fbe5d17235 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -13,17 +13,17 @@ access. Users can inadvertently share these files without knowing their maliciou
 to gain initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
-from = "now-30m"
+from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "SharePoint Malware File Upload"
+name = "M365 SharePoint Malware File Upload"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating SharePoint Malware File Upload
+### Investigating M365 SharePoint Malware File Upload
 
 SharePoint, a collaborative platform, facilitates file sharing and storage within organizations. Adversaries exploit this by uploading malware, leveraging the platform's sharing capabilities to propagate threats laterally. The detection rule identifies when SharePoint's file scanning engine flags an upload as malicious, focusing on specific audit events to alert security teams of potential lateral movement threats.
 
@@ -54,16 +54,24 @@ SharePoint, a collaborative platform, facilitates file sharing and storage withi
 - Escalate the incident to the incident response team if there are signs of lateral movement or if the malware has spread to other parts of the network, following the organization's escalation protocols.
 - Implement enhanced monitoring and logging for SharePoint and related services to detect any future attempts to upload or share malicious files, leveraging the specific query fields used in the detection rule.
 
-## Setup
-
-The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide",
 ]
 risk_score = 73
 rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Domain: Storage",
+ "Data Source: Microsoft 365",
+ "Data Source: Microsoft 365 Audit Logs",
+ "Data Source: SharePoint",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
similarity index 90%
rename from rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
rename to rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
index b75e04416ac..36fa6fac792 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
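Review bot: The data-source tag added in the `@@ -54,16 +54,24 @@` hunk is `"Data Source: SharePoint"`, while the parallel OneDrive rule in this patch adds `"Data Source: Microsoft OneDrive"` and the Exchange rules add `"Data Source: Microsoft Exchange"`, so the vendor-prefixed form appears to be the convention this patch is introducing. Unless an existing `"Data Source: SharePoint"` tag elsewhere in the repository is the intended standard, change this line to `"Data Source: Microsoft SharePoint",` so the two malware-upload rules and the wider M365 tag set stay uniform.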
@@ -2,16 +2,16 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/05/21"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
 description = """
-In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator
-is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID
-identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
-Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all
-subscriptions and their settings and resources.
+In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company
+Administrator is a role that enables users to have access to all administrative features in Entra ID and services that
+use Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
+SharePoint Online, and Skype for Business Online. Adversaries can add users as Global Administrators to maintain access
+and manage all subscriptions and their settings and resources.
 """
 from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
@@ -51,11 +51,10 @@ The Microsoft 365 Global Administrator role grants comprehensive administrative - Limit the number of Global Administrator accounts and enforce role-based access control (RBAC) using least privilege principles. - Consider implementing conditional access policies to limit role assignment actions to specific networks, devices, or user groups. """ - references = [ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator", "https://learn.microsoft.com/en-us/purview/audit-log-activities", - "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231" + "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231", ] risk_score = 47 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb" @@ -65,6 +64,7 @@ tags = [ "Domain: SaaS", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml similarity index 95% rename from rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml rename to rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml index 346e7c00e3f..ce5f8f1db5f 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
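Review bot: The `@@ -65,6 +64,7 @@` hunk adds `"Data Source: Microsoft Entra ID",` to a rule whose `index` remains `["filebeat-*", "logs-o365.audit-*"]` (context in the previous hunk), so the tag describes the service the event concerns rather than the integration that ships it; if the Data Source tags are used to filter by ingesting integration, analysts may expect Entra ID audit data that this rule never reads. A one-line comment above the tag, `# role assignment is an Entra ID event surfaced via the unified audit log`, would make the intent explicit. The trailing-comma fix on the Black Hat reference is fine.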
@@ -18,7 +18,7 @@ false_positives = [ change was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -58,16 +58,23 @@ DomainKeys Identified Mail (DKIM) is a security protocol that ensures email auth - Escalate the incident to the organization's incident response team for further investigation and to determine if any additional security measures are necessary. - Consider implementing additional email security measures, such as SPF and DMARC, to complement DKIM and enhance overall email security posture. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps", ] risk_score = 47 rule_id = "514121ce-c7b6-474a-8237-68ff71672379" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml similarity index 96% rename from rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml rename to rules/integrations/o365/persistence_exchange_management_role_assignment.toml index f9c17469f35..5401cc4c669 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml 
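Review bot: The lookback shrinks from `now-30m` to `now-9m` in the `@@ -18,7 +18,7 @@` hunk while the rule's `interval` is not touched or shown in any hunk of this file, so whether consecutive runs still overlap cannot be confirmed from the diff; at the default 5-minute interval a 9-minute window leaves a 4-minute margin, but a less frequent schedule would open coverage gaps. Because `timestamp_override = "event.ingested"` is retained, ingest delay on the O365 audit feed should not itself cause misses. The same `now-30m` → `now-9m` change appears in the management-role-assignment, Teams custom-app, Teams external-access and Teams guest-access rules, and `from = "now-9m"` is newly introduced in the mailbox-delegation and federation-domain rules. A comment such as `# 5m interval + 4m lookback; keep aligned with interval` above the key would record the assumption.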
+++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ change was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -57,9 +57,7 @@ Microsoft 365 Exchange Management roles define permissions for managing Exchange - Review and update access control policies to ensure that only authorized personnel can assign management roles in Microsoft 365. - Consider conducting a security awareness session for administrators to reinforce the importance of monitoring and managing role assignments securely. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide", @@ -69,7 +67,11 @@ rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7" severity = "medium" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index 9d74ed6e189..c11adc3992f 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml 
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/05/07" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Austin Songer"] @@ -13,15 +13,16 @@ evade spam/phishing detection mechanisms. """ false_positives = [ "Assignment of rights to a service account.", - "Delegation by first-party applications that require mailbox access." + "Delegation by first-party applications that require mailbox access.", ] +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Exchange Suspicious Mailbox Permission Delegation" +name = "M365 Exchange Suspicious Mailbox Permission Delegation" note = """## Triage and Analysis -### Investigating Suspicious Mailbox Permission Delegation in Exchange Online +### Investigating M365 Exchange Suspicious Mailbox Permission Delegation This rule detects the delegation of mailbox permissions in Microsoft 365 Exchange. This behavior may indicate that an adversary is attempting to gain access to another user's mailbox or send messages on behalf of that user. @@ -68,7 +69,7 @@ If the delegation is determined to be unauthorized or suspicious: - Harden delegation policies by requiring approvals, limiting delegation to specific groups, or implementing Just-in-Time (JIT) access for mailboxes. """ references = [ - "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide" + "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide", ] risk_score = 21 rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc" 
@@ -76,12 +77,14 @@ severity = "low" tags = [ "Domain: Cloud", "Domain: SaaS", + "Domain: Email", "Data Source: Microsoft 365", "Data Source: Microsoft Exchange", "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Configuration Audit", "Tactic: Persistence", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" @@ -103,16 +106,6 @@ not user.id:( ) ''' -[rule.investigation_fields] -field_names = [ - "@timestamp", - "o365.audit.ObjectId", - "o365.audit.Parameters.Identity", - "user.id", - "source.ip", - "user_agent.original", - "event.action", -] [[rule.threat]] framework = "MITRE ATT&CK" @@ -132,9 +125,22 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "o365.audit.ObjectId", + "o365.audit.Parameters.Identity", + "user.id", + "source.ip", + "user_agent.original", + "event.action", +] + [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml similarity index 93% rename from rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml rename to rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml index f7b69d6a78d..f3c97e292ff 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
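Review bot: The tags hunk (`@@ -76,12 +77,14 @@`) adds `"Data Source: Microsoft Exchange",` even though that tag is already present two lines above as context, so the new list carries the entry twice; drop the added line and keep the existing one. The `"Domain: Email",` addition is fine. The last hunk also appends two empty lines after `value = "now-14d"`, leaving the file with trailing blank lines instead of a single terminating newline, while the relocation of `[rule.investigation_fields]` below `[[rule.threat]]` itself looks correct.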
@@ -17,7 +17,7 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -27,7 +27,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Teams Custom Application Interaction Allowed +### Investigating M365 Teams Custom Application Interaction Allowed Microsoft Teams allows organizations to enhance functionality by integrating custom applications, which can be developed and uploaded beyond the standard app store offerings. While beneficial for tailored solutions, this capability can be exploited by adversaries to maintain unauthorized access. The detection rule monitors changes in tenant settings that permit custom app interactions, flagging successful modifications as potential persistence threats. 
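Review bot: The investigation-guide heading in the `@@ -27,7 +27,7 @@` hunk becomes `### Investigating M365 Teams Custom Application Interaction Allowed`, but no hunk in this file touches the rule's `name` key, so the heading and the alert title may no longer match (the `name` line sits outside the hunks and cannot be checked here). The federation-domain rule has the opposite drift: its `name` changes to `M365 Exchange New or Modified Federation Domain` while its `### Investigating …` heading is not in any hunk. Either rename both together or leave both untouched so triage text and alert title stay aligned.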
@@ -59,14 +59,21 @@ Microsoft Teams allows organizations to enhance functionality by integrating cus - Implement additional monitoring and alerting for changes to Microsoft Teams settings to quickly detect and respond to similar threats in the future. - Review and update the organization's security policies and procedures regarding the use of custom applications in Microsoft Teams to ensure they align with best practices and mitigate the risk of similar incidents. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"] risk_score = 47 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Teams", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_teams_external_access_enabled.toml similarity index 93% rename from rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml rename to rules/integrations/o365/persistence_teams_external_access_enabled.toml index 635c38225d1..629ecd8b6a0 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_external_access_enabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -58,14 +58,22 @@ Microsoft Teams' external access feature allows users to communicate with indivi - Escalate the incident to the incident response team if there is evidence of data exfiltration or if the scope of the breach is unclear. - Implement enhanced monitoring and alerting for changes in Teams federation settings to detect similar threats in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"] risk_score = 47 rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Teams", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml similarity index 94% rename from rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml rename to rules/integrations/o365/persistence_teams_guest_access_enabled.toml index 4199e23cae8..972003b30a5 100644 
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" @@ -56,16 +56,24 @@ Microsoft Teams allows organizations to collaborate with external users through - Escalate the incident to the organization's incident response team for a comprehensive investigation and to determine if further containment actions are necessary. - Review and update access control policies to ensure that enabling guest access requires appropriate authorization and oversight. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps", ] risk_score = 47 rule_id = "5e552599-ddec-4e14-bad1-28aa42404388" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Teams", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml similarity index 96% rename from rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml rename to rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml index 1f13033186e..cbe1de17306 100644 --- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] @@ -10,10 +10,11 @@ description = """ Identifies a new or modified federation domain, which can be used to create a trust between M365 and an external identity provider. """ +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Entra ID New or Modified Federation Domain" +name = "M365 Exchange New or Modified Federation Domain" note = """## Triage and analysis > **Disclaimer**: 
@@ -50,9 +51,7 @@ Federation domains enable trust between Office 365 and external identity provide - Communicate with affected stakeholders and provide guidance on any immediate actions they need to take, such as password resets or additional authentication steps. - Review and update federation domain policies and configurations to ensure they align with best practices and reduce the risk of similar incidents in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", @@ -66,7 +65,11 @@ rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" severity = "low" tags = [ "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Data Source: Microsoft Exchange", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Resources: Investigation Guide", From d481dad03b3c1a5f1b7bdb969021026c25742778 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 29 Aug 2025 10:47:09 -0400 Subject: [PATCH 4/9] removed deprecated rule change --- ...tra_signin_brute_force_microsoft_365_repeat_source.toml | 2 +- .../initial_access_azure_o365_with_network_alert.toml | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml index 7c0b6ea3668..f5050278864 100644 --- a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml +++ b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml 
@@ -72,7 +72,7 @@ tags = [ "Domain: Cloud", "Domain: SaaS", "Data Source: Azure", - "Data Source: Microsoft Entra ID", + "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml index 857ecc63a8a..8eecad7cb6e 100644 --- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml +++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["azure", "o365"] maturity = "production" -updated_date = "2025/07/30" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,12 +17,13 @@ false_positives = [ """, ] from = "now-60m" +interval = "59m" language = "esql" license = "Elastic License v2" -name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source" +name = "M365 or Entra ID Sign-in from a Suspicious Source" note = """## Triage and analysis -### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source +### Investigating M365 or Entra ID Sign-in from a Suspicious Source #### Possible investigation steps From 29b3cb734f58633f6d2dabec91f093059ea274f7 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 2 Sep 2025 09:33:28 -0400 Subject: [PATCH 5/9] resolving conflicts --- ...ingle_session_from_multiple_addresses.toml | 63 ++++++++++++++----- 1 file changed, 49 insertions(+), 14 deletions(-) diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index a9dcb204c3d..297d460ce10 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml 
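Review bot: `interval = "59m"` together with the unchanged `from = "now-60m"` gives consecutive runs only one minute of overlap, so scheduling drift beyond that (a delayed task, a Kibana restart) leaves events uncovered; a lookback a few minutes longer than the interval, for example `from = "now-65m"`, is the usual margin. Whether `timestamp_override = "event.ingested"` is set on this rule is not visible in the hunk; without it, ingest delay on the Azure and O365 feeds widens that exposure further. The `M365 …` rename is consistent with the heading change in the same hunk.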
+++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2025/09/02" [rule] @@ -93,11 +93,11 @@ query = ''' from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _version, _index | where (event.dataset == "azure.signinlogs" - and source.`as`.organization.name != "MICROSOFT-CORP-MSN-as-BLOCK" + and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" and azure.signinlogs.properties.session_id is not null) or (event.dataset == "azure.graphactivitylogs" - and source.`as`.organization.name != "MICROSOFT-CORP-MSN-as-BLOCK" + and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" and azure.graphactivitylogs.properties.c_sid is not null) | eval 
@@ -110,45 +110,80 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers event.dataset == "azure.signinlogs", "signin", event.dataset == "azure.graphactivitylogs", "graph", "other" - ), - Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp) + ) + +| where Esql.azure_signinlogs_properties_app_id_coalesce not in ( + "4354e225-50c9-4423-9ece-2d5afd904870", // Augmentation Loop + "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe", // Microsoft Teams Services + "ecd6b820-32c2-49b6-98a6-444530e5a77a", // Microsoft Edge [Community Contributed] + "e8be65d6-d430-4289-a665-51bf2a194bda", // Microsoft 365 App Catalog Services + "ab9b8c07-8f02-4f72-87fa-80105867a763", // OneDrive SyncEngine + "394866fc-eedb-4f01-8536-3ff84b16be2a", // Microsoft People Cards Service + "66a88757-258c-4c72-893c-3e8bed4d6899", // Office 365 Search Service + "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7", // Bing + "d7b530a4-7680-4c23-a8bf-c52c121d2e87", // Microsoft Edge Enterprise New Tab Page [Community Contributed] + "6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3", // Microsoft Application Command Service [Community Contributed] + "52c2e0b5-c7b6-4d11-a89c-21e42bcec444", // Graph Files Manager + "27922004-5251-4030-b22d-91ecd9a37ea4", // Outlook Mobile + "bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce", // Olympus [Community Contributed] + "26a7ee05-5602-4d76-a7ba-eae8b7b67941", // Windows Search + "66a88757-258c-4c72-893c-3e8bed4d6899", // Office 365 Search Service + "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7", // Bing + "d7b530a4-7680-4c23-a8bf-c52c121d2e87", // Microsoft Edge Enterprise New Tab Page [Community Contributed] + "00000007-0000-0000-c000-000000000000", // Dataverse + "6bc3b958-689b-49f5-9006-36d165f30e00", // Teams CMD Services Artifacts + "0ec893e0-5785-4de6-99da-4ed124e5296c", // Office UWP PWA [Community Contributed] + "fc108d3f-543d-4374-bbff-c7c51f651fe5", // Zoom + "01fc33a7-78ba-4d2f-a4b7-768e336e890e" // MS PIM + ) | keep Esql.azure_signinlogs_properties_session_id_coalesce, 
Esql.source_ip, Esql.@timestamp, Esql.event_type_case, - Esql.time_window_date_trunc, Esql.azure_signinlogs_properties_user_id_coalesce, - Esql.azure_signinlogs_properties_app_id_coalesce + Esql.azure_signinlogs_properties_app_id_coalesce, + source.`as`.organization.name, + user_agent.original, + url.original, + azure.graphactivitylogs.properties.scopes, + azure.signinlogs.properties.user_principal_name | stats Esql.azure_signinlogs_properties_user_id_coalesce_values = values(Esql.azure_signinlogs_properties_user_id_coalesce), Esql.azure_signinlogs_properties_session_id_coalesce_values = values(Esql.azure_signinlogs_properties_session_id_coalesce), + Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name), Esql.source_ip_values = values(Esql.source_ip), Esql.source_ip_count_distinct = count_distinct(Esql.source_ip), + Esql.source_as_organization_name_values = values(source.`as`.organization.name), + Esql.user_agent_original_values = values(user_agent.original), Esql.azure_signinlogs_properties_app_id_coalesce_values = values(Esql.azure_signinlogs_properties_app_id_coalesce), Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct = count_distinct(Esql.azure_signinlogs_properties_app_id_coalesce), Esql.event_type_case_values = values(Esql.event_type_case), Esql.event_type_case_count_distinct = count_distinct(Esql.event_type_case), - Esql.@timestamp.min = min(Esql.@timestamp), - Esql.@timestamp.max = max(Esql.@timestamp), Esql.signin_time_min = min(case(Esql.event_type_case == "signin", Esql.@timestamp, null)), Esql.graph_time_min = min(case(Esql.event_type_case == "graph", Esql.@timestamp, null)), + Esql.url_original_values = values(url.original), + Esql.azure_graphactivitylogs_properties_scopes_values = values(azure.graphactivitylogs.properties.scopes), Esql.event_count = count() - by Esql.azure_signinlogs_properties_session_id_coalesce, Esql.time_window_date_trunc + by + 
Esql.azure_signinlogs_properties_session_id_coalesce, + Esql.azure_signinlogs_properties_app_id_coalesce, + Esql.azure_signinlogs_properties_user_id_coalesce | eval - Esql.event_duration_minutes_date_diff = date_diff("minutes", Esql.@timestamp.min, Esql.@timestamp.max), - Esql.event_signin_to_graph_delay_minutes_date_diff = date_diff("minutes", Esql.signin_time_min, Esql.graph_time_min) + Esql.event_signin_to_graph_delay_minutes_date_diff = date_diff("minutes", Esql.signin_time_min, Esql.graph_time_min), + Esql.event_signin_to_graph_delay_days_date_diff = date_diff("days", Esql.signin_time_min, Esql.graph_time_min) | where Esql.event_type_case_count_distinct > 1 and Esql.source_ip_count_distinct > 1 and - Esql.event_duration_minutes_date_diff <= 5 and + Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct == 1 and Esql.signin_time_min is not null and Esql.graph_time_min is not null and - Esql.event_signin_to_graph_delay_minutes_date_diff >= 0 + Esql.event_signin_to_graph_delay_minutes_date_diff >= 0 and + Esql.event_signin_to_graph_delay_days_date_diff == 0 ''' From 78476c3990a287a9961de0e9717e7991fc42d407 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 2 Sep 2025 09:44:03 -0400 Subject: [PATCH 6/9] resolving conflicts --- ...ingle_session_from_multiple_addresses.toml | 2 +- ..._entra_id_mfa_disabled_for_azure_user.toml | 115 ------------------ ...stence_entra_id_mfa_disabled_for_user.toml | 12 -- 3 files changed, 1 insertion(+), 128 deletions(-) delete mode 100644 rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 9f0c6004de2..5fdf60ae6b2 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml 
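Review bot: The new `not in (…)` exclusion list repeats three application IDs — `"66a88757-258c-4c72-893c-3e8bed4d6899"` (Office 365 Search Service), `"9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7"` (Bing) and `"d7b530a4-7680-4c23-a8bf-c52c121d2e87"` (Microsoft Edge Enterprise New Tab Page) each appear twice; remove the second copies so the list stays reviewable. Because `stats` is now grouped `by … Esql.azure_signinlogs_properties_app_id_coalesce`, the filter `Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct == 1` appears to be always satisfied for non-null app IDs and could be dropped, or kept with a comment saying it only excludes null-app-ID buckets. Replacing the 5-minute `date_trunc` window and `event_duration_minutes_date_diff <= 5` with `date_diff("days", …) == 0` widens the sign-in-to-Graph pairing from minutes to anything under a day, so a user who signs in and later the same day calls Graph from a different network within one session will now match; if that is intended, the rule description (outside this hunk) should reflect the new window. The query's opening `from` clause is in the preceding hunk.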
+++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/07/31" +updated_date = "2025/09/02" [rule] diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml deleted file mode 100644 index c3338d3e982..00000000000 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml +++ /dev/null 
@@ -1,115 +0,0 @@ -[metadata] -creation_date = "2020/08/20" -integration = ["azure"] -maturity = "production" -<<<<<<<< HEAD:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml -updated_date = "2025/08/28" -======== -updated_date = "2025/08/29" ->>>>>>>> main:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml - -[rule] -author = ["Elastic"] -description = """ -Identifies when multi-factor authentication (MFA) is disabled for an Entra ID user account. An adversary may disable MFA -for a user account in order to weaken the authentication requirements for the account. -""" -from = "now-9m" -index = ["filebeat-*", "logs-azure.auditlogs-*"] -language = "kuery" -license = "Elastic License v2" -<<<<<<<< HEAD:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml -name = "Entra ID MFA Disabled for User Principal" -note = """## Triage and analysis - -### Investigating Entra ID MFA Disabled for User Principal -======== -name = "Entra ID MFA Disabled for User" -note = """## Triage and analysis - -### Investigating Entra ID MFA Disabled for User ->>>>>>>> main:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml - -Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. - -If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate. 
- -For more information about using MFA in Microsoft Entra ID, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication). - -This rule identifies the deactivation of MFA for an Entra ID user account. This modification weakens account security and can lead to the compromise of accounts and other assets. - -#### Possible investigation steps - -- Identify the user account that performed the action and whether it should perform this kind of action. -- Investigate other alerts associated with the user account during the past 48 hours. -- Contact the account and resource owners and confirm whether they are aware of this activity. -- Correlate with Entra ID Sign-In Logs to identify anomalous sign-in attempts following MFA disablement. -- This rule does not identify if the user was removed from a conditional access policy (CAP) with MFA requirements. - - Instead the rule identifies both legacy and modern MFA disablement through user settings. -- Check if this operation was approved and performed according to the organization's change management policy. -- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. - -### False positive analysis - -- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain. - -### Response and remediation - -- Initiate the incident response process based on the outcome of the triage. -- Disable or limit the account during the investigation and response. -- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: - - Identify the account role in the cloud environment. 
- - Assess the criticality of affected services and servers. - - Work with your IT team to identify and minimize the impact on users. - - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. - - Identify any regulatory or legal ramifications related to this activity. -- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. -- Reactivate multi-factor authentication for the user. -- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. -- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults). -- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. -- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
-""" -risk_score = 47 -rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf" -severity = "medium" -tags = [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Resources: Investigation Guide", - "Tactic: Persistence", -] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.dataset: "azure.auditlogs" and - (azure.auditlogs.operation_name: "Disable Strong Authentication" or - ( - azure.auditlogs.operation_name: "User deleted security info" and - azure.auditlogs.properties.additional_details.key: "AuthenticationMethod" - )) and event.outcome: (Success or success) -''' - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1556" -name = "Modify Authentication Process" -reference = "https://attack.mitre.org/techniques/T1556/" -[[rule.threat.technique.subtechnique]] -id = "T1556.006" -name = "Multi-Factor Authentication" -reference = "https://attack.mitre.org/techniques/T1556/006/" - - - -[rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index c3338d3e982..224a0dff81f 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,11 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -<<<<<<<< HEAD:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml -updated_date = "2025/08/28" -======== updated_date = "2025/08/29" ->>>>>>>> main:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml [rule] author = ["Elastic"] 
@@ -18,17 +14,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -<<<<<<<< HEAD:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_azure_user.toml -name = "Entra ID MFA Disabled for User Principal" -note = """## Triage and analysis - -### Investigating Entra ID MFA Disabled for User Principal -======== name = "Entra ID MFA Disabled for User" note = """## Triage and analysis ### Investigating Entra ID MFA Disabled for User ->>>>>>>> main:rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan. @@ -112,4 +101,3 @@ reference = "https://attack.mitre.org/techniques/T1556/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - From 2953fdd422cfd072003112e241ed08d0d4a0135f Mon Sep 17 00:00:00 2001 
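Review bot: The `@@ -18,17 +14,10 @@` hunk resolves the conflict by keeping main's `name = "Entra ID MFA Disabled for User"` and its guide heading while dropping the branch-side "Entra ID MFA Disabled for User Principal" wording, and the `@@ -2,11 +2,7 @@` hunk above likewise keeps main's `updated_date = "2025/08/29"`; the branch wording now survives only in the duplicate file this commit deletes. If the branch rename was intended, it has to be re-applied to this file (the later "updated rule names" patch does not list it in its diffstat) and `updated_date` bumped with it, as the sibling file in this commit is bumped to `updated_date = "2025/09/02"`. If main's wording is the intended result, the resolution is consistent as it stands, but a one-line mention in the commit message would make that choice explicit for the next reader.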
From: terrancedejesus Date: Tue, 2 Sep 2025 15:15:02 -0400 Subject: [PATCH 7/9] updated rule names --- ..._auth_broker_sharepoint_access_for_user_principal.toml | 2 +- .../azure/collection_event_hub_created_or_updated.toml | 2 +- ...h_email_access_by_unusual_public_client_via_graph.toml | 2 +- .../credential_access_entra_id_brute_force_activity.toml | 2 +- ...cess_entra_id_device_code_auth_with_broker_client.toml | 4 ++-- ..._access_entra_id_first_time_seen_device_code_auth.toml | 2 +- ..._access_entra_id_signin_brute_force_microsoft_365.toml | 4 ++-- .../credential_access_entra_id_suspicious_signin.toml | 4 ++-- ...dential_access_entra_id_totp_brute_force_attempts.toml | 2 +- .../credential_access_key_vault_excessive_retrieval.toml | 2 +- ...ial_access_key_vault_retrieval_from_rare_identity.toml | 2 +- ...cess_network_full_network_packet_capture_detected.toml | 2 +- ...credential_access_storage_account_key_regenerated.toml | 2 +- .../azure/defense_evasion_automation_runbook_deleted.toml | 2 +- ...sion_entra_id_application_credential_modification.toml | 4 ++-- ...e_evasion_entra_id_oauth_user_impersonation_scope.toml | 2 +- .../azure/defense_evasion_event_hub_deletion.toml | 4 ++-- ...nse_evasion_insights_diagnostic_settings_deletion.toml | 2 +- .../azure/defense_evasion_kubernetes_events_deleted.toml | 2 +- .../defense_evasion_network_firewall_policy_deletion.toml | 2 +- ...vasion_network_frontdoor_firewall_policy_deletion.toml | 2 +- .../azure/defense_evasion_network_watcher_deletion.toml | 2 +- ...e_evasion_security_alert_suppression_rule_created.toml | 2 +- ...defense_evasion_storage_blob_permissions_modified.toml | 2 +- .../azure/discovery_bloodhound_user_agents_detected.toml | 2 +- ...very_entra_id_teamfiltration_user_agents_detected.toml | 2 +- ...covery_storage_blob_container_access_modification.toml | 2 +- .../azure/execution_compute_vm_command_executed.toml | 2 +- .../azure/impact_key_vault_modified_by_unusual_user.toml | 2 +- 
.../integrations/azure/impact_kubernetes_pod_deleted.toml | 2 +- .../azure/impact_resources_resource_group_deletion.toml | 4 ++-- ...nitial_access_entra_id_external_guest_user_invite.toml | 8 ++++---- ...a_id_graph_single_session_from_multiple_addresses.toml | 2 +- ..._access_entra_id_oauth_phishing_via_vscode_client.toml | 2 +- ...itial_access_entra_id_protection_alerts_for_user.toml} | 2 +- ...al_access_entra_id_rare_app_id_for_principal_auth.toml | 2 +- ...are_authentication_requirement_for_principal_user.toml | 2 +- ...access_entra_id_risky_user_or_compromised_sign_in.toml | 2 +- ...a_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml | 2 +- ...nitial_access_entra_id_unusual_ropc_login_attempt.toml | 4 ++-- ...l_access_graph_first_occurrence_of_client_request.toml | 2 +- .../azure/persistence_automation_account_created.toml | 2 +- ...ersistence_automation_runbook_created_or_modified.toml | 2 +- .../azure/persistence_automation_webhook_created.toml | 2 +- .../persistence_entra_id_pim_user_added_global_admin.toml | 4 ++-- ...a_id_privileged_identity_management_role_modified.toml | 4 ++-- ...ce_entra_id_rt_to_prt_transition_from_user_device.toml | 2 +- ...ence_entra_id_service_principal_credentials_added.toml | 2 +- ...ersistence_entra_id_suspicious_adrs_token_request.toml | 2 +- ...nce_entra_id_suspicious_cloud_device_registration.toml | 2 +- ...ntra_id_user_added_as_owner_for_azure_application.toml | 2 +- ...tence_entra_id_user_signed_in_from_unusual_device.toml | 2 +- .../persistence_graph_eam_addition_or_modification.toml | 4 ++-- ...ege_escalation_kubernetes_aks_rolebinding_created.toml | 2 +- ...collection_exchange_excessive_mail_items_accessed.toml | 2 +- ..._exchange_mailbox_access_by_unusual_client_app_id.toml | 2 +- .../o365/collection_exchange_new_inbox_rule.toml | 2 +- .../collection_onedrive_excessive_file_downloads.toml | 2 +- ..._access_entra_id_device_reg_via_oauth_redirection.toml | 2 +- ...ential_access_entra_id_excessive_account_lockouts.toml 
| 2 +- ...ccess_entra_id_potential_user_account_brute_force.toml | 2 +- ...l_access_entra_id_user_excessive_sso_logon_errors.toml | 2 +- ...efense_evasion_entra_id_susp_oauth2_authorization.toml | 2 +- .../o365/defense_evasion_exchange_dlp_policy_removed.toml | 2 +- ...evasion_exchange_mailbox_audit_bypass_association.toml | 2 +- ...e_evasion_exchange_malware_filter_policy_deletion.toml | 2 +- .../defense_evasion_exchange_malware_filter_rule_mod.toml | 2 +- ...se_evasion_exchange_new_inbox_rule_delete_or_move.toml | 2 +- ...efense_evasion_exchange_safe_attach_rule_disabled.toml | 2 +- .../exfiltration_exchange_transport_rule_creation.toml | 2 +- ...exfiltration_exchange_transport_rule_modification.toml | 2 +- ...ecurity_compliance_mass_download_by_a_single_user.toml | 4 ++-- ...security_compliance_potential_ransomware_activity.toml | 4 ++-- ...curity_compliance_unusual_volume_of_file_deletion.toml | 4 ++-- ...cess_defender_for_m365_threat_intelligence_signal.toml | 2 +- ..._illicit_consent_grant_via_registered_application.toml | 2 +- ..._access_entra_id_oauth_phishing_via_vscode_client.toml | 2 +- ...tial_access_entra_id_portal_login_atypical_travel.toml | 2 +- ...al_access_entra_id_portal_login_impossible_travel.toml | 2 +- ...nitial_access_exchange_anti_phish_policy_deletion.toml | 2 +- ...tial_access_exchange_anti_phish_rule_modification.toml | 2 +- ...itial_access_exchange_exchange_safelinks_disabled.toml | 2 +- ...ss_security_compliance_impossible_travel_activity.toml | 4 ++-- ...s_security_compliance_user_reported_phish_malware.toml | 2 +- ...ity_compliance_user_restricted_from_sending_email.toml | 2 +- .../o365/lateral_movement_onedrive_malware_uploaded.toml | 2 +- .../lateral_movement_sharepoint_malware_uploaded.toml | 2 +- ...istence_entra_id_global_administrator_role_assign.toml | 2 +- ...persistence_exchange_dkim_signing_config_disabled.toml | 2 +- .../persistence_exchange_management_role_assignment.toml | 2 +- 
...exchange_suspicious_mailbox_permission_delegation.toml | 2 +- .../persistence_teams_custom_app_interaction_allowed.toml | 2 +- .../o365/persistence_teams_external_access_enabled.toml | 2 +- .../o365/persistence_teams_guest_access_enabled.toml | 2 +- ...lation_exchange_new_or_modified_federation_domain.toml | 2 +- 95 files changed, 112 insertions(+), 112 deletions(-) rename rules/integrations/azure/{initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml => initial_access_entra_id_protection_alerts_for_user.toml} (98%) diff --git a/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml index a6ad5a1bc7e..503bc77444f 100644 --- a/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml +++ b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml @@ -30,7 +30,7 @@ from = "now-9m" index = ["logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID SharePoint Access for User Principal via Auth Broker" +name = "Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client" note = """## Triage and analysis ### Investigating Entra ID SharePoint Access for User Principal via Auth Broker diff --git a/rules/integrations/azure/collection_event_hub_created_or_updated.toml b/rules/integrations/azure/collection_event_hub_created_or_updated.toml index 7b8f8296e9f..e27bb7be29e 100644 --- a/rules/integrations/azure/collection_event_hub_created_or_updated.toml +++ b/rules/integrations/azure/collection_event_hub_created_or_updated.toml 
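Review bot: The `+name` line renames the rule to "Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client", but the guide heading two context lines below, `### Investigating Entra ID SharePoint Access for User Principal via Auth Broker`, still carries the old name. Other hunks in this patch (device_code_auth_with_broker_client, signin_brute_force_microsoft_365, suspicious_signin, application_credential_modification, event_hub_deletion) update the heading together with the name, so the omission looks accidental. The same mismatch is present in collection_graph_email_access_by_unusual_public_client_via_graph, credential_access_entra_id_brute_force_activity, credential_access_entra_id_first_time_seen_device_code_auth, credential_access_entra_id_totp_brute_force_attempts, credential_access_key_vault_excessive_retrieval, credential_access_key_vault_retrieval_from_rare_identity and defense_evasion_entra_id_oauth_user_impersonation_scope. Suggested line here: `### Investigating Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client`. Analysts locate the guide by the alert name during triage, so the two should stay in sync.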
@@ -24,7 +24,7 @@ from = "now-25m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Event Hub Authorization Rule Created or Updated" +name = "Azure Event Hub Authorization Rule Created or Updated" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml index 86d1fb5246a..716e9f25c56 100644 --- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml @@ -18,7 +18,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Graph Suspicious Email Access by First-Party Application via Microsoft Graph" +name = "Microsoft Graph Request Email Access by User with Rare Client" note = """## Triage and analysis ### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml index 907e0428769..f5baccef233 100644 --- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml +++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml @@ -25,7 +25,7 @@ from = "now-60m" interval = "15m" language = "esql" license = "Elastic License v2" -name = "Entra ID Sign-In Brute Force Activity" +name = "Entra ID User Sign-In Brute Force Attempted" note = """## Triage and analysis ### Investigating Entra ID Sign-In Brute Force Activity 
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml index c9a2242c5f4..4521d329493 100644 --- a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml +++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml @@ -13,7 +13,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Device Code Auth with Broker Client" +name = "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker" references =[ "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf", "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in", @@ -51,7 +51,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Entra ID Device Code Auth with Broker Client +### Investigating Entra ID OAuth Device Code Grant from Microsoft Authentication Broker Client Entra ID Device Code Authentication allows users to authenticate devices using a code, facilitating seamless access to Azure resources. Adversaries exploit this by compromising Primary Refresh Tokens (PRTs) to bypass multi-factor authentication and Conditional Access policies. The detection rule identifies unauthorized access attempts by monitoring successful sign-ins using device code authentication linked to a specific broker client application ID, flagging potential misuse. 
diff --git a/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml index e248acd3959..1e7b113d746 100644 --- a/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID First Occurrence of Auth via DeviceCode Protocol" +name = "Entra ID OAuth Device Code Grant by Rare User" note = """## Triage and analysis ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol diff --git a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml index da9532b873d..e1d8c2147e8 100644 --- a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml +++ b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml @@ -23,10 +23,10 @@ from = "now-60m" interval = "15m" language = "esql" license = "Elastic License v2" -name = "M365 Brute Force via Entra ID Sign-Ins" +name = "Microsoft 365 Brute Force Attempted (Entra ID Sign-ins)" note = """## Triage and analysis -### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins +### Investigating Microsoft 365 Brute Force via Entra ID Sign-ins Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage. 
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml index f62de0b6c39..bada648375d 100644 --- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml +++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml @@ -20,10 +20,10 @@ false_positives = [ from = "now-60m" language = "esql" license = "Elastic License v2" -name = "Entra ID Concurrent Sign-Ins with Suspicious Properties" +name = "Entra ID Concurrent Sign-ins with Suspicious Properties" note = """## Triage and analysis -### Investigating Entra ID Concurrent Sign-Ins with Suspicious Properties +### Investigating Entra ID Concurrent Sign-ins with Suspicious Properties ### Possible investigation steps diff --git a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml index 49dc3e1f756..e29e2900f4e 100644 --- a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml +++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml @@ -21,7 +21,7 @@ false_positives = [ from = "now-9m" language = "esql" license = "Elastic License v2" -name = "Entra ID MFA TOTP Brute Force Attempts" +name = "Entra ID MFA TOTP Brute Force Attempted" note = """## Triage and analysis ### Investigating Entra ID MFA TOTP Brute Force Attempts diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml index 696d77ba888..bd7da56abd4 100644 --- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml +++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml 
@@ -30,7 +30,7 @@ from = "now-9m" interval = "8m" language = "esql" license = "Elastic License v2" -name = "Key Vault Excessive Secret or Key Retrieval" +name = "Azure Key Vault Excessive Secret or Key Retrieved" note = """## Triage and analysis ### Investigating Key Vault Excessive Secret or Key Retrieval diff --git a/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml index 3759e6254df..d8579161e50 100644 --- a/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml +++ b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml @@ -30,7 +30,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.platformlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Key Vault Secret Key Usage by Unusual Identity" +name = "Azure Key Vault Secret Key Usage First Occurrence" note = """## Triage and analysis ### Investigating Key Vault Secret Key Usage by Unusual Identity diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml index 78b60f880c0..04fb7513634 100644 --- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml +++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml @@ -23,7 +23,7 @@ from = "now-25m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "VNet Full Network Packet Capture Detected" +name = "Azure VNet Full Network Packet Capture Enabled" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index cd83fa74ec0..8875f25aea9 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml @@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Storage Account Key Regenerated" +name = "Azure Storage Account Key Regenerated" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml index db306e43e46..63863a3a7d1 100644 --- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml @@ -14,7 +14,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Automation Runbook Deleted" +name = "Azure Automation Runbook Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml index 4a1f45d2945..5064a81e5b2 100644 --- a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml +++ b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml 
@@ -24,13 +24,13 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Application Credential Modification" +name = "Entra ID Application Credential Modified" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Entra ID Application Credential Modification +### Investigating Entra ID Application Credential Modified Azure applications use credentials like certificates or secret strings for identity verification during token requests. Adversaries may exploit this by adding unauthorized credentials, enabling persistent access or evading defenses. The detection rule monitors audit logs for successful updates to application credentials, flagging potential misuse by identifying unauthorized credential modifications. diff --git a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml index c4162467600..98f077b34c0 100644 --- a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml +++ b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml @@ -18,7 +18,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Suspicious OAuth User Impersonation Scope Detected" +name = "Entra ID OAuth User Impersonation by Client" note = """## Triage and Analysis ### Investigating Entra ID Suspicious OAuth User Impersonation Scope Detected 
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index 998d5aa581d..e043e467630 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -21,13 +21,13 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Event Hub Deletion" +name = "Azure Event Hub Deleted" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Event Hub Deletion +### Investigating Azure Event Hub Deleted Azure Event Hub is a scalable data streaming platform and event ingestion service, crucial for processing large volumes of data in real-time. Adversaries may target Event Hubs to delete them, aiming to disrupt data flow and evade detection by erasing evidence of their activities. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential defense evasion attempts by identifying unauthorized or suspicious deletions. diff --git a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml index 7302c9271bf..512de4967d1 100644 --- a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml +++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml 
@@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Diagnostic Settings Deletion" +name = "Azure Diagnostic Settings Settings Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 4754d5bb8af..a76170e7677 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "AKS Kubernetes Events Deleted" +name = "Azure Kubernetes Services (AKS) Kubernetes Events Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml index 4d3aa21dd54..042a4e184f1 100644 --- a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "VNet Firewall Policy Deletion" +name = "Azure VNet Firewall Policy Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml index 82fdbbfc48c..047b95598a5 100644 --- a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml 
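Review bot: The new title `name = "Azure Diagnostic Settings Settings Deleted"` in the diagnostic-settings hunk duplicates the word "Settings"; this string is what shows up in alerts and rule listings, so it should be `name = "Azure Diagnostic Settings Deleted"`. The `### Investigating` heading of that rule's `note` lies outside the hunk and should be checked for the same wording.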
+++ b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml @@ -23,7 +23,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "VNet Firewall Frontdoor WAF Policy Deleted" +name = "Azure VNet Firewall Frontdoor WAF Policy Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index dacf16eca5b..dfcef475355 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "VNet Network Watcher Deletion" +name = "Azure VNet Network Watcher Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml index fdac49c7b79..f1fe96d7001 100644 --- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml @@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Diagnostics Alert Suppression Rule Created or Modified" +name = "Azure Diagnostic Settings Alert Suppression Rule Created or Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml index e3714d6455b..60b54cd3d85 100644 
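Review bot: `name = "Azure VNet Firewall Frontdoor WAF Policy Deleted"` keeps "VNet Firewall" even though an Azure Front Door WAF policy is a global edge resource, not a virtual-network firewall, which will send responders to the wrong service during triage. Since this line is already being rewritten, prefer `name = "Azure Front Door WAF Policy Deleted"`. The query is not part of the hunk, so confirm the operation name it matches before renaming.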
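Review bot: `name = "Azure Diagnostic Settings Alert Suppression Rule Created or Modified"` ties the rule to Diagnostic Settings, but the file name `defense_evasion_security_alert_suppression_rule_created.toml` suggests it matches Microsoft Defender for Cloud alert suppression rules, a different control from diagnostic settings. If that is what the query matches, `name = "Azure Defender for Cloud Alert Suppression Rule Created or Modified"` would describe the evasion accurately; the query is not visible in the hunk, so verify the operation name first.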
--- a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml +++ b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Blob Storage Permissions Modification" +name = "Azure Blob Storage Permissions Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml index 5c38b6250cd..cfa19a9a3fb 100644 --- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml +++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml @@ -27,7 +27,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.*", "logs-o365.audit-*"] language = "eql" license = "Elastic License v2" -name = "BloodHound Suite User-Agents Detected" +name = "Entra ID Sign-ins BloodHound Suite User-Agent Detected" note = """## Triage and analysis This rule identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365. diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml index 7a553e3485c..29807e1868f 100644 --- a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml +++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml 
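Review bot: `name = "Entra ID Sign-ins BloodHound Suite User-Agent Detected"` narrows the title to Entra ID sign-ins, but the unchanged `index = ["filebeat-*", "logs-azure.*", "logs-o365.audit-*"]` line and the note's "across Microsoft cloud services" show the EQL rule also matches Microsoft 365 audit events, so an alert raised from an M365 record will carry a misleading name. Either narrow the index to `logs-azure.signinlogs-*` to match the new title, or keep a broader one such as `name = "BloodHound Suite User-Agent Detected in Microsoft Cloud Logs"`.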
@@ -29,7 +29,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "TeamFiltration User-Agents Detected" +name = "Entra ID Sign-ins TeamFiltration User-Agent Detected" note = """## Triage and analysis Identifies potential enumeration or password spraying activity using TeamFiltration tool. TeamFiltration is an open-source enumeration, password spraying and exfiltration tool designed for Entra ID and Microsoft 365. Adversaries are known to use TeamFiltration in-the-wild to enumerate users, groups, and roles, as well as to perform password spraying attacks against Microsoft Entra ID and Microsoft 365 accounts. This rule detects the use of TeamFiltration by monitoring for specific user-agent strings associated with the tool in Azure and Microsoft 365 logs. diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml index 3d72b574448..406d8e67227 100644 --- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml +++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Blob Storage Container Access Level Modification" +name = "Azure Blob Storage Container Access Level Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/execution_compute_vm_command_executed.toml b/rules/integrations/azure/execution_compute_vm_command_executed.toml index 9547d91478e..7ef08470a47 100644 --- a/rules/integrations/azure/execution_compute_vm_command_executed.toml +++ b/rules/integrations/azure/execution_compute_vm_command_executed.toml 
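Review bot: `name = "Entra ID Sign-ins TeamFiltration User-Agent Detected"` has the same scoping problem as the BloodHound rename: the rule's `index` still lists `logs-o365.audit-*` and the note says it monitors "Azure and Microsoft 365 logs", so hits from Microsoft 365 audit data will be labelled as Entra ID sign-ins. Either restrict the index to `logs-azure.signinlogs-*` or use a title that covers both sources, e.g. `name = "TeamFiltration User-Agent Detected in Microsoft Cloud Logs"`.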
@@ -24,7 +24,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Compute VM Command Execution" +name = "Azure Compute VM Command Execution" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index e2796380bf0..7500d50dbb1 100644 --- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Key Vault Modified" +name = "Azure Key Vault Modified" note = """## Triage and analysis ### Investigating Key Vault Modified diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index 59ef2e2c374..1011cb8df24 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "AKS Kubernetes Pods Deleted" +name = "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml index bc8b0c96499..0cda3814550 100644 --- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml 
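Review bot: `name = "Azure Compute VM Command Execution"` is the one rename in this line that keeps a noun form, while the neighbouring renames use a past-tense event ("Deleted", "Modified", "Created") and the file is named `execution_compute_vm_command_executed.toml`; `name = "Azure Compute VM Command Executed"` would follow the convention the commit is establishing.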
@@ -23,13 +23,13 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Resources Resource Group Deletion" +name = "Azure Resource Group Deleted" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Resource Group Deletion +### Investigating Azure Resource Group Deleted Azure Resource Groups are containers that hold related resources for an Azure solution, enabling efficient management and organization. Adversaries may exploit this by deleting entire groups to disrupt services or erase data, causing significant impact. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential malicious actions for further investigation. diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index da9e4d0756d..666871590d5 100644 --- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml 
@@ -7,7 +7,7 @@ updated_date = "2025/08/28" [rule] author = ["Elastic"] description = """ -Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include +Identifies an invitation to an external user in Microsoft Entra ID. Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability. 
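Review bot: The rewritten description line `Identifies an invitation to an external user in Microsoft Entra ID. Azure AD is extended to include` switches product names between consecutive sentences; finish the replacement, e.g. `Identifies an invitation to an external user in Microsoft Entra ID. Entra ID is extended to include`. The unchanged context line `it is best practice avoid creating guest users` is also missing "to" and is worth fixing while this description is being touched.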
@@ -23,15 +23,15 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID External Guest User Invitation" +name = "Entra ID External Guest User Invited" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Entra ID External Guest User Invitation +### Investigating Entra ID External Guest User Invited -Azure Active Directory (AD) facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries may exploit this feature to gain unauthorized access, posing security risks. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations. +Microsoft Entra ID facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries may exploit this feature to gain unauthorized access, posing security risks. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations. ### Possible investigation steps diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 5fdf60ae6b2..6f0524e3323 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -25,7 +25,7 @@ from = "now-31m" interval = "30m" language = "esql" license = "Elastic License v2" -name = "Entra ID Suspicious Session Reuse to Graph Access" +name = "Entra ID OAuth User Impersonation to Microsoft Graph" note = """## Triage and analysis ### Investigating Entra ID Suspicious Session Reuse to Graph Access diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml index d8243cf7f71..fc51f23fbeb 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml @@ -19,7 +19,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID OAuth Phishing via Visual Studio Code Client" +name = "Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph" note = """## Triage and analysis ### Investigating Entra ID OAuth Phishing via Visual Studio Code Client diff --git a/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml similarity index 98% rename from rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml rename to rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml index 0a83d23b816..06422aada36 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_multi_azure_identity_protection_alerts.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml 
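Review bot: `name = "Entra ID OAuth User Impersonation to Microsoft Graph"` no longer says what this ES|QL rule detects: the file name (`graph_single_session_from_multiple_addresses`) and the unchanged heading `### Investigating Entra ID Suspicious Session Reuse to Graph Access` describe one session reused from several addresses, and the new title is nearly identical to the `Entra ID OAuth User Impersonation by Client` rename elsewhere in this patch. Keep the distinguishing condition in the title, e.g. `name = "Entra ID Session Reused to Microsoft Graph from Multiple Addresses"`, and update the heading to match.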
@@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.identity_protection-*"] language = "eql" license = "Elastic License v2" -name = "Multiple Entra ID Protection Alerts by User Principal" +name = "Entra ID Protection Alerts for User Detected" note = """## Triage and analysis ### Investigating Multiple Entra ID Protection Alerts by User Principal diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index dddd37296a8..c0744081ad7 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Rare App ID for Principal Authentication" +name = "Entra ID User Sign-in with Rare Client" note = """## Triage and analysis ### Investigating Entra ID Rare App ID for Principal Authentication diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index 88edc0b532c..90ee00fc55b 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Rare Authentication Requirement for Principal User" +name = "Entra ID User Sign-In with Rare Authentication Type" note = """## Triage and analysis ### Investigating Entra ID Rare Authentication Requirement for Principal User 
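Review bot: The sign-in token is capitalised two different ways within this line, `name = "Entra ID User Sign-in with Rare Client"` versus `name = "Entra ID User Sign-In with Rare Authentication Type"`; rule names are referenced as plain strings, so pick one form (`Sign-in` matches Microsoft's own usage) for every renamed rule. Separately, `name = "Entra ID Protection Alerts for User Detected"` drops "Multiple" while the heading still reads `### Investigating Multiple Entra ID Protection Alerts by User Principal`; if the EQL still requires several alerts per principal, that count is the substance of the rule and should stay in the name.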
diff --git a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml index 37bf1d20a6e..dbff9ce9e6f 100644 --- a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml +++ b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml @@ -7,7 +7,7 @@ updated_date = "2025/08/28" [rule] author = ["Austin Songer"] description = """ -Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning +Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. """ from = "now-9m" diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index 82ab6c23cb8..55615644267 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -25,7 +25,7 @@ from = "now-61m" interval = "60m" language = "esql" license = "Elastic License v2" -name = "Entra ID OAuth Flow via Auth Broker to DRS" +name = "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)" note = """## Triage and analysis ### Investigating Entra ID OAuth Flow via Auth Broker to DRS diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index f234c85b5ed..08eb2d0319b 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml 
@@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID ROPC Login Attempt by User Principal" +name = "Entra ID OAuth ROPC Grant Login Detected" note = """## Triage and analysis -### Investigating Entra ID ROPC Login Attempt by User Principal +### Investigating Entra ID OAuth ROPC Grant Login Detected This rule detects unusual login attempts using the Resource Owner Password Credentials (ROPC) flow in Microsoft Entra ID. ROPC allows applications to obtain tokens by directly providing user credentials, bypassing multi-factor authentication (MFA). This method is less secure and can be exploited by adversaries to gain access to user accounts, especially during enumeration or password spraying. diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index df1990ae511..73f5a418e78 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -32,7 +32,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Graph First Occurrence of Client Request" +name = "Microsoft Graph Request User Impersonation by Rare Client" note = """## Triage and analysis ### Investigating Microsoft Graph First Occurrence of Client Request diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml index 7da9f8d736e..d17db933000 100644 --- a/rules/integrations/azure/persistence_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml 
@@ -15,7 +15,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Automation Account Created" +name = "Azure Automation Account Created" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml index 0b994f78946..ba2dd578246 100644 --- a/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml @@ -14,7 +14,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Automation Runbook Created or Modified" +name = "Azure Automation Runbook Created or Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml index 9a31991a035..8bd42739f58 100644 --- a/rules/integrations/azure/persistence_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_automation_webhook_created.toml @@ -15,7 +15,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Automation Webhook Created" +name = "Azure Automation Webhook Created" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index d9b5a5edaf9..4f3764bdce4 100644 --- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml 
@@ -7,7 +7,7 @@ updated_date = "2025/08/28" [rule] author = ["Elastic"] description = """ -Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) +Identifies an Microsoft Entra ID Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization. @@ -24,7 +24,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Global Administrator Role Addition to PIM User" +name = "Entra ID Global Administrator Role Assigned (PIM User)" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index 13604b48624..8601e4626b6 100644 --- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml 
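Review bot: The new description line reads `Identifies an Microsoft Entra ID Global Administrator role addition` — the article should be `a`. The same description still ends with the unchanged `in your Azure AD organization`, and the new title `Entra ID Global Administrator Role Assigned (PIM User)` now says "Assigned" while the text says "addition", so a consistent second pass would be `Identifies a Microsoft Entra ID Global Administrator role assignment to a Privileged Identity Management (PIM)` and `in your Microsoft Entra ID organization`.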
@@ -7,7 +7,7 @@ updated_date = "2025/08/28" [rule] author = ["Elastic"] description = """ -Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and +Microsoft Entra ID Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID PIM Role Modified" +name = "Entra ID Privileged Identity Management (PIM) Role Modified" note = """## Triage and analysis ### Investigating Entra ID PIM Role Modified diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index 9a87e1e2496..31e9449d70d 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"] interval = "30m" language = "eql" license = "Elastic License v2" -name = "Entra ID RT to PRT Transition from Same User and Device" +name = "Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected" note = """## Triage and analysis ### Investigating Entra ID RT to PRT Transition from Same User and Device 
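Review bot: The description now opens with `Microsoft Entra ID Privileged Identity Management (PIM) is a service`, but the unchanged next sentence still calls Global Administrator and Application Administrator "built-in Azure resource roles"; those are Entra ID directory roles, not Azure RBAC resource roles, and conflating the two misdirects triage. Suggest `PIM can be used to manage built-in Entra ID directory roles such as Global Administrator and Application Administrator.` while this description is being edited.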
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index 9f584a42c34..16ee0909039 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -24,7 +24,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID Service Principal Credentials Added by Rare User" +name = "Entra ID Service Principal Credentials Created by Rare User" note = """## Triage and analysis ### Investigating Entra ID Service Principal Credentials Added by Rare User diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index c08cfe77ef2..3790211917e 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml @@ -18,7 +18,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID ADRS Token Request by Microsoft Auth Broker" +name = "Entra ID ADRS Token Request from Microsoft Authentication Broker" note = """## Triage and analysis ### Investigating Entra ID ADRS Token Request by Microsoft Auth Broker diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml index 50d091aa8f2..05b3f1d9952 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml 
@@ -18,7 +18,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "eql" license = "Elastic License v2" -name = "Entra ID Suspicious Cloud Device Registration" +name = "Entra ID Device Registration Detected (ROADtools)" note = """## Triage and analysis ### Investigating Entra ID Suspicious Cloud Device Registration diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 84d592ea02f..9a4fbff00c6 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml @@ -15,7 +15,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID User Added as Application Owner" +name = "Entra ID User Added as Registered Application Owner" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index ae39ae59386..945fa2069fb 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID User Signed In from Unusual Device" +name = "Entra ID User Sign-In with Rare Registered Device" note = """## Triage and analysis ### Investigating Entra ID User Signed In from Unusual Device 
diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index 3023d493461..7dfadbf9c0d 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -15,10 +15,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID EAM Addition or Modification" +name = "Entra ID External Authentication Methods (EAM) Modified" note = """## Triage and analysis -### Investigating Entra ID EAM Addition or Modification +### Investigating Entra ID External Authentication Methods (EAM) Modified This rule detects suspicious modifications to external authentication methods (EAMs) in Microsoft Entra ID via Microsoft Graph API. Adversaries may abuse this capability to bypass multi-factor authentication (MFA), enabling persistence or unauthorized access through bring-your-own identity provider (BYOIDP) methods. diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index 7e465096c27..eb61faf9f9e 100644 --- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "AKS Kubernetes Rolebindings Created" +name = "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml index da1a94b4a60..a81f94b8a54 100644 --- a/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml +++ b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml @@ -24,7 +24,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Excessive Mailbox Items Accessed" +name = "Microsoft 365 Exchange Mailbox Items Accessed Excessively" note = """## Triage and analysis ### Investigating Excessive Microsoft 365 Mailbox Items Accessed diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml index 7d444e2212f..1898eb9b23c 100644 --- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml +++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml @@ -28,7 +28,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Suspicious Mail Access by Unusual ClientAppId" +name = "Microsoft 365 Exchange Mailbox Accessed by Rare Client" note = """## Triage and Analysis ### Investigating Suspicious Microsoft 365 Mail Access by Unusual ClientAppId diff --git a/rules/integrations/o365/collection_exchange_new_inbox_rule.toml b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml index a2d4c305dfd..a5e1b08cd37 100644 --- a/rules/integrations/o365/collection_exchange_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml 
@@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Inbox Forwarding Rule Created" +name = "Microsoft 365 Exchange Inbox Forwarding Rule Created" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index ed31811c49f..82e7127b9e7 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -21,7 +21,7 @@ from = "now-9m" interval = "8m" language = "esql" license = "Elastic License v2" -name = "M365 OneDrive Excessive File Downloads with OAuth Token" +name = "Microsoft 365 OneDrive Excessive File Downloads with OAuth Token" note = """## Triage and Analysis ### Investigating M365 OneDrive Excessive File Downloads with OAuth Token diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index 670ada7e8fb..d5c4190b9f0 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-o365.audit-*"] interval = "15m" language = "eql" license = "Elastic License v2" -name = "M365 Entra ID User OAuth Redirect to Device Registration" +name = "Microsoft 365 Entra ID OAuth Flow by User Sign-in to Device Registration" note = """## Triage and analysis ### Investigating M365 Entra ID OAuth Redirect to Device Registration for User Principal 
diff --git a/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml index c48f55f140f..a9bab0b27a9 100644 --- a/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml @@ -14,7 +14,7 @@ from = "now-9m" interval = "8m" language = "esql" license = "Elastic License v2" -name = "M365 Entra ID Multiple User Account Lockouts" +name = "Microsoft 365 Entra ID User Account Lockouts" note = """## Triage and Analysis ### Investigating Multiple Microsoft 365 User Account Lockouts in Short Time Window diff --git a/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml index d529d1146df..6508cd0661f 100644 --- a/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml +++ b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml @@ -21,7 +21,7 @@ from = "now-60m" interval = "10m" language = "esql" license = "Elastic License v2" -name = "M365 Entra ID Potential User Account Brute Force" +name = "Microsoft 365 Entra ID User Brute Force Attempt" note = """## Triage and Analysis ### Investigating Potential Microsoft 365 User Account Brute Force diff --git a/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml index a7a8b489ec7..cff812c10b6 100644 --- a/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml 
@@ -20,7 +20,7 @@ from = "now-30m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Entra ID Excessive Single Sign-On Logon Errors" +name = "Microsoft 365 Entra ID Excessive SSO Login Errors Reported" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 4ce51df43b3..3b161577c8d 100644 --- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -15,7 +15,7 @@ from = "now-60m" interval = "59m" language = "esql" license = "Elastic License v2" -name = "M365 Entra ID Suspicious UserLoggedIn via OAuth Code" +name = "Microsoft 365 Entra ID OAuth Flow by Rare Client to Microsoft Graph" note = """## Triage and analysis ### Investigating Suspicious Microsoft 365 UserLoggedIn via OAuth Code diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index 2d65b0d2a60..aa255548d56 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange DLP Policy Removed" +name = "Microsoft 365 Exchange DLP Policy Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 9b6e0f57231..ab73164c68d 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml 
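Review bot: The new title `Microsoft 365 Entra ID OAuth Flow by Rare Client to Microsoft Graph` asserts two things the old one did not, that the client is rare and that the target resource is Microsoft Graph, while the hunk changes only the title and keeps `language = "esql"`; if the query was not narrowed to the Graph resource elsewhere in this series, the name now describes more than the logic checks and analysts will triage against the wrong assumption. The same applies to the Visual Studio Code rule renamed `… OAuth Flow by Visual Studio Code Client to Microsoft Graph` further down. Either confirm the queries filter on the Graph resource or drop `to Microsoft Graph` from both names.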
+++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Mailbox Audit Logging Bypass" +name = "Microsoft 365 Exchange Mailbox Audit Logging Bypass Added" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index 45ee8154dcd..667ebdab4e3 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Malware Filter Policy Deletion" +name = "Microsoft 365 Exchange Malware Filter Policy Deleted" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index badac2f8f3c..c4d5fbb7e75 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Malware Filter Rule Modification" +name = "Microsoft 365 Exchange Malware Filter Rule Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml index b0f1a9b0034..f79c2679c41 100644 
--- a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml @@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Suspicious Inbox Rule to Delete or Move Emails" +name = "Microsoft 365 Exchange Inbox Phishing Evasion Rule Created" note = """## Triage and Analysis ### Investigating M365 Exchange Suspicious Inbox Rule to Delete or Move Emails diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 575c1a0d049..c185ecd2ee1 100644 --- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Safe Attachment Rule Disabled" +name = "Microsoft 365 Exchange Email Safe Attachment Rule Disabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index 1289f6b561a..1afa0f9595b 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Transport Rule Creation" +name = "Microsoft 365 Exchange Mail Flow Transport Rule Created" note = """## Triage and analysis > **Disclaimer**: 
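Review bot: `Microsoft 365 Exchange Inbox Phishing Evasion Rule Created` names adversary intent rather than observed behaviour, unlike the rest of this series, which names what the audit log shows (`… Inbox Forwarding Rule Created`, `… DLP Policy Deleted`); a benign inbox rule that files messages to a folder would fire under a title that presupposes phishing evasion, which steers triage before the analyst has looked at the rule contents. A behaviour-first title such as `name = "Microsoft 365 Exchange Inbox Rule Created to Delete or Move Messages"` keeps the detail the old name carried and leaves the intent judgement to the investigation guide.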
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index 48dae3fee82..915a7d0d75a 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Transport Rule Modification" +name = "Microsoft 365 Exchange Mail Flow Transport Rule Modified" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml index 25a1a78b5ce..c871e51fcc3 100644 --- a/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml +++ b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml 
@@ -12,13 +12,13 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Mass Download by a Single User" +name = "Microsoft 365 Security Compliance Mass Download by a Single User" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Mass download by a single user +### Investigating Microsoft 365 Security Compliance Mass Download by a Single User Microsoft 365 provides cloud-based productivity tools, enabling users to access and download data efficiently. However, adversaries can exploit this by performing mass downloads to exfiltrate sensitive information. The detection rule identifies suspicious activity by flagging instances where a user downloads an unusually high volume of data in a short period, indicating potential data exfiltration attempts. This helps security analysts quickly respond to and mitigate potential threats. diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml index 93ab36b3a8c..cf42b3da589 100644 --- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml 
@@ -20,13 +20,13 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Potential Ransomware Activity" +name = "Microsoft 365 Security Compliance Potential Ransomware Activity" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Potential ransomware activity +### Investigating Microsoft 365 Security Compliance Potential Ransomware Activity Microsoft 365's cloud services can be exploited by adversaries to distribute ransomware by uploading infected files. This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity. By monitoring specific event datasets and actions, it helps security analysts pinpoint and mitigate ransomware threats, aligning with MITRE ATT&CK's impact tactics. diff --git a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml index 2a9603c25f2..dc8b2e4b99b 100644 --- a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml +++ b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml 
@@ -12,13 +12,13 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Unusual Volume of File Deletion" +name = "Microsoft 365 Security Compliance Unusual Volume of File Deletion" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Unusual Volume of File Deletion +### Investigating Microsoft 365 Security Compliance Unusual Volume of File Deletion Microsoft 365's cloud environment facilitates file storage and collaboration, but its vast data handling capabilities can be exploited by adversaries for data destruction. Attackers may delete large volumes of files to disrupt operations or cover their tracks. The detection rule leverages audit logs to identify anomalies in file deletion activities, flagging successful, unusual deletion volumes as potential security incidents, thus enabling timely investigation and response. diff --git a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml index 9b885eab6ea..4cc3523cb88 100644 --- a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml +++ b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" max_signals = 1000 -name = "M365 Threat Intelligence Signal" +name = "Microsoft 365 Threat Intelligence Signal" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index f5822517b3f..c2cb328c5b5 100644 --- a/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Entra ID Illicit Consent Grant via Registered Application" +name = "Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User" note = """## Triage and analysis ### Investigating Microsoft 365 Illicit Consent Grant via Registered Application diff --git a/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml index ba025b80bb9..bf12539bcc8 100644 --- a/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml @@ -19,7 +19,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Entra ID OAuth Phishing via Visual Studio Code Client" +name = "Microsoft 365 Entra ID OAuth Flow by Visual Studio Code Client to Microsoft Graph" note = """## Triage and analysis ### Investigating Microsoft 365 OAuth Phishing via Visual Studio Code Client diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml index bb24bb3c565..d6377ff0d9a 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml 
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml @@ -23,7 +23,7 @@ from = "now-15m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Portal Login (Atypical Travel)" +name = "Microsoft 365 Entra ID Portal Login (Atypical Travel)" note = """## Triage and analysis ### Investigating M365 Portal Login (Atypical Travel) diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml index 99451411942..c87c20e265d 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml @@ -22,7 +22,7 @@ from = "now-15m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Portal Login (Impossible Travel)" +name = "Microsoft 365 Entra ID Portal Login (Impossible Travel)" note = """## Triage and analysis ### Investigating M365 Portal Login (Impossible Travel) diff --git a/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml index 39aa873e64d..1807b540da9 100644 --- a/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Anti-Phish Policy Deletion" +name = "Microsoft 365 Exchange Anti-Phish Policy Deletion" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml index 6b94fdd839b..595d8114fbd 100644 --- a/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml +++ b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Anti-Phish Rule Modification" +name = "Microsoft 365 Exchange Anti-Phish Rule Modification" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml index baff9ed0e0e..0dac443eb55 100644 --- a/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml +++ b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Safe Link Policy Disabled" +name = "Microsoft 365 Exchange Email Safe Link Policy Disabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml index 501c1b72f9a..cb032236eeb 100644 --- a/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml +++ b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml 
@@ -15,13 +15,13 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Impossible Travel Activity" +name = "Microsoft 365 Security Compliance Impossible Travel Activity" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Impossible travel activity +### Investigating Microsoft 365 Security Compliance Impossible Travel Activity Microsoft 365's security features monitor user sign-ins to detect anomalies like impossible travel, where a user appears to log in from geographically distant locations in a short time. Adversaries may exploit compromised credentials to access accounts from unexpected locations. The detection rule identifies such suspicious logins by analyzing audit logs for successful sign-ins flagged as impossible travel, helping to mitigate unauthorized access. diff --git a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml index 1c453da50ef..198df97c7ca 100644 --- a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml @@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Email Reported by User as Malware or Phish" +name = "Microsoft 365 Security Compliance Email Reported by User as Malware or Phish" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml index 7601145730a..2ac45da8d9a 100644 --- a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml @@ -15,7 +15,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange User Restricted from Sending Email" +name = "Microsoft 365 Security Compliance User Restricted from Sending Email" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml index 95f8a8e14dd..98f4596a654 100644 --- a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml +++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml @@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 OneDrive Malware File Upload" +name = "Microsoft 365 OneDrive Malware File Upload" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml index 3fbe5d17235..0f9482efb51 100644 --- a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml +++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml 
@@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 SharePoint Malware File Upload" +name = "Microsoft 365 SharePoint Malware File Detected" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml index 36fa6fac792..54f17ac82d1 100644 --- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml @@ -17,7 +17,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Entra ID Global Administrator Role Assigned" +name = "Microsoft 365 Entra ID Global Administrator Role Assigned" note = """## Triage and Analysis ### Investigating Microsoft 365 Global Administrator Role Assigned diff --git a/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml index ce5f8f1db5f..a7b10449e4c 100644 --- a/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml @@ -22,7 +22,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange DKIM Signing Configuration Disabled" +name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml index 5401cc4c669..6ac65a5d653 100644 
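Review bot: The SharePoint rule becomes `Microsoft 365 SharePoint Malware File Detected` while its OneDrive counterpart in the preceding hunk stays `Microsoft 365 OneDrive Malware File Upload`; the two look parallel (same `logs-o365.audit-*` index, same `kuery` language, both named `lateral_movement_*_malware_uploaded`), so the verb should be the same in both titles or searches and dashboards keyed on the rule name will treat them differently. Use `name = "Microsoft 365 OneDrive Malware File Detected"` if both queries key on the malware-detection event, or keep `Upload` on both if they key on the upload action; the queries are outside the hunk, so this should be checked against them.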
--- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Management Group Role Assignment" +name = "Microsoft 365 Exchange Management Group Role Assigned" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index c11adc3992f..ea81eeadb4f 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -19,7 +19,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange Suspicious Mailbox Permission Delegation" +name = "Microsoft 365 Exchange Mailbox High-Risk Permission Delegated" note = """## Triage and Analysis ### Investigating M365 Exchange Suspicious Mailbox Permission Delegation diff --git a/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml index f3c97e292ff..e1ad5cad6e3 100644 --- a/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Teams Custom Application Interaction Allowed" +name = "Microsoft 365 Teams Custom Application Interaction Enabled" note = """## Triage and analysis > **Disclaimer**: 
diff --git a/rules/integrations/o365/persistence_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_teams_external_access_enabled.toml index 629ecd8b6a0..79bf3ad3ca0 100644 --- a/rules/integrations/o365/persistence_teams_external_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_external_access_enabled.toml @@ -21,7 +21,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Teams External Access Enabled" +name = "Microsoft 365 Teams External Access Enabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml index 972003b30a5..73b2b9d2979 100644 --- a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml @@ -20,7 +20,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Teams Guest Access Enabled" +name = "Microsoft 365 Teams Guest Access Enabled" note = """## Triage and analysis > **Disclaimer**: diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml index cbe1de17306..7297304305d 100644 --- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml @@ -14,7 +14,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Exchange New or Modified Federation Domain" +name = "Microsoft 365 Exchange Federated Domain Created or Modified" note = """## Triage and analysis > **Disclaimer**: 
From 2ec97bbaa43daf516a38379ca18bb183179a24d7 Mon Sep 17 00:00:00 2001 
From: terrancedejesus Date: Wed, 3 Sep 2025 13:50:09 -0400 Subject: [PATCH 8/9] updated tags, rules names --- ...a_signin_brute_force_microsoft_365_repeat_source.toml | 2 +- .../initial_access_azure_o365_with_network_alert.toml | 2 +- ...auth_broker_sharepoint_access_for_user_principal.toml | 3 ++- .../azure/collection_event_hub_created_or_updated.toml | 3 +++ ..._email_access_by_unusual_public_client_via_graph.toml | 4 +++- .../credential_access_entra_id_brute_force_activity.toml | 5 +++-- ...ess_entra_id_device_code_auth_with_broker_client.toml | 5 +++-- ...ntial_access_entra_id_excessive_account_lockouts.toml | 5 +++-- ...access_entra_id_first_time_seen_device_code_auth.toml | 5 +++-- ...access_entra_id_signin_brute_force_microsoft_365.toml | 6 +++--- .../credential_access_entra_id_suspicious_signin.toml | 7 ++++--- ...ential_access_entra_id_totp_brute_force_attempts.toml | 5 +++-- .../credential_access_key_vault_excessive_retrieval.toml | 5 +++-- ...al_access_key_vault_retrieval_from_rare_identity.toml | 5 +++-- ...ess_network_full_network_packet_capture_detected.toml | 2 ++ ...redential_access_storage_account_key_regenerated.toml | 2 ++ .../defense_evasion_automation_runbook_deleted.toml | 2 ++ ...ion_entra_id_application_credential_modification.toml | 5 +++-- ..._evasion_entra_id_oauth_user_impersonation_scope.toml | 5 +++-- .../azure/defense_evasion_event_hub_deletion.toml | 2 ++ ...se_evasion_insights_diagnostic_settings_deletion.toml | 3 ++- .../azure/defense_evasion_kubernetes_events_deleted.toml | 4 +++- ...defense_evasion_network_firewall_policy_deletion.toml | 2 ++ ...asion_network_frontdoor_firewall_policy_deletion.toml | 2 ++ .../azure/defense_evasion_network_watcher_deletion.toml | 2 ++ ..._evasion_security_alert_suppression_rule_created.toml | 3 ++- ...efense_evasion_storage_blob_permissions_modified.toml | 2 ++ .../azure/discovery_bloodhound_user_agents_detected.toml | 7 +++++-- ...ery_entra_id_teamfiltration_user_agents_detected.toml | 4 +++- 
...overy_storage_blob_container_access_modification.toml | 4 +++- .../azure/execution_compute_vm_command_executed.toml | 6 ++++-- .../azure/impact_key_vault_modified_by_unusual_user.toml | 6 ++++-- .../azure/impact_kubernetes_pod_deleted.toml | 6 ++++-- .../azure/impact_resources_resource_group_deletion.toml | 4 +++- ...itial_access_entra_id_external_guest_user_invite.toml | 5 +++-- ..._id_graph_single_session_from_multiple_addresses.toml | 8 +++++--- .../azure/initial_access_entra_id_high_risk_signin.toml | 3 ++- ...illicit_consent_grant_via_registered_application.toml | 3 ++- ...access_entra_id_oauth_phishing_via_vscode_client.toml | 3 ++- .../azure/initial_access_entra_id_powershell_signin.toml | 3 ++- ...itial_access_entra_id_protection_alerts_for_user.toml | 3 ++- ...access_entra_id_protection_sign_in_risk_detected.toml | 3 ++- ...al_access_entra_id_protection_user_risk_detected.toml | 3 ++- ...l_access_entra_id_rare_app_id_for_principal_auth.toml | 5 +++-- ...re_authentication_requirement_for_principal_user.toml | 3 ++- ...ccess_entra_id_risky_user_or_compromised_sign_in.toml | 3 ++- ..._id_suspicious_oauth_flow_via_auth_broker_to_drs.toml | 5 +++-- ...itial_access_entra_id_unusual_ropc_login_attempt.toml | 5 +++-- .../initial_access_entra_id_user_reported_risk.toml | 3 ++- ..._access_graph_first_occurrence_of_client_request.toml | 4 +++- .../azure/persistence_automation_account_created.toml | 4 +++- ...rsistence_automation_runbook_created_or_modified.toml | 4 +++- .../azure/persistence_automation_webhook_created.toml | 4 +++- ...ence_entra_id_conditional_access_policy_modified.toml | 5 +++-- ...ence_entra_id_global_administrator_role_assigned.toml | 5 +++-- .../persistence_entra_id_mfa_disabled_for_user.toml | 3 ++- .../persistence_entra_id_oidc_discovery_url_change.toml | 3 ++- ...persistence_entra_id_pim_user_added_global_admin.toml | 5 +++-- ..._id_privileged_identity_management_role_modified.toml | 3 ++- 
...e_entra_id_rt_to_prt_transition_from_user_device.toml | 5 +++-- .../persistence_entra_id_service_principal_created.toml | 3 ++- ...nce_entra_id_service_principal_credentials_added.toml | 3 ++- ...rsistence_entra_id_suspicious_adrs_token_request.toml | 5 +++-- ...ce_entra_id_suspicious_cloud_device_registration.toml | 3 ++- ...tra_id_user_added_as_owner_for_azure_application.toml | 5 +++-- ..._user_added_as_owner_for_azure_service_principal.toml | 5 +++-- ...ence_entra_id_user_signed_in_from_unusual_device.toml | 3 ++- .../persistence_graph_eam_addition_or_modification.toml | 4 +++- ...on_entra_id_elevate_to_user_administrator_access.toml | 3 ++- ...ge_escalation_kubernetes_aks_rolebinding_created.toml | 9 +++++---- ...ollection_exchange_excessive_mail_items_accessed.toml | 4 ++-- ...exchange_mailbox_access_by_unusual_client_app_id.toml | 4 ++-- .../o365/collection_exchange_new_inbox_rule.toml | 4 ++-- .../collection_onedrive_excessive_file_downloads.toml | 5 +++-- ...access_entra_id_device_reg_via_oauth_redirection.toml | 6 +++--- ...ntial_access_entra_id_excessive_account_lockouts.toml | 6 +++--- ...cess_entra_id_potential_user_account_brute_force.toml | 6 +++--- ..._access_entra_id_user_excessive_sso_logon_errors.toml | 6 +++--- ...fense_evasion_entra_id_susp_oauth2_authorization.toml | 6 +++--- .../defense_evasion_exchange_dlp_policy_removed.toml | 5 ++--- ...vasion_exchange_mailbox_audit_bypass_association.toml | 4 ++-- ..._evasion_exchange_malware_filter_policy_deletion.toml | 4 ++-- ...defense_evasion_exchange_malware_filter_rule_mod.toml | 4 ++-- ...e_evasion_exchange_new_inbox_rule_delete_or_move.toml | 4 ++-- ...fense_evasion_exchange_safe_attach_rule_disabled.toml | 4 ++-- .../exfiltration_exchange_transport_rule_creation.toml | 4 ++-- ...xfiltration_exchange_transport_rule_modification.toml | 4 ++-- ...curity_compliance_mass_download_by_a_single_user.toml | 6 +++--- ...ecurity_compliance_potential_ransomware_activity.toml | 5 ++--- 
...urity_compliance_unusual_volume_of_file_deletion.toml | 6 +++--- ...ess_defender_for_m365_threat_intelligence_signal.toml | 7 +++---- ...illicit_consent_grant_via_registered_application.toml | 6 +++--- ...access_entra_id_oauth_phishing_via_vscode_client.toml | 6 +++--- ...ial_access_entra_id_portal_login_atypical_travel.toml | 4 +++- ...l_access_entra_id_portal_login_impossible_travel.toml | 4 +++- ...itial_access_exchange_anti_phish_policy_deletion.toml | 4 ++-- ...ial_access_exchange_anti_phish_rule_modification.toml | 4 ++-- ...tial_access_exchange_exchange_safelinks_disabled.toml | 4 ++-- ...s_security_compliance_impossible_travel_activity.toml | 7 ++++--- ..._security_compliance_user_reported_phish_malware.toml | 6 +++--- ...ty_compliance_user_restricted_from_sending_email.toml | 6 +++--- .../o365/lateral_movement_onedrive_malware_uploaded.toml | 5 +++-- .../lateral_movement_sharepoint_malware_uploaded.toml | 4 ++-- ...stence_entra_id_global_administrator_role_assign.toml | 5 +++-- ...ersistence_exchange_dkim_signing_config_disabled.toml | 4 ++-- .../persistence_exchange_management_role_assignment.toml | 6 +++--- ...xchange_suspicious_mailbox_permission_delegation.toml | 5 ++--- ...persistence_teams_custom_app_interaction_allowed.toml | 5 +++-- .../o365/persistence_teams_external_access_enabled.toml | 7 ++++--- .../o365/persistence_teams_guest_access_enabled.toml | 7 ++++--- ...ation_exchange_new_or_modified_federation_domain.toml | 7 ++++--- 111 files changed, 296 insertions(+), 195 deletions(-)
diff --git a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
index f5050278864..b429bfadf30 100644
--- a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
+++ b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
@@ -73,7 +73,7 @@ tags = [
 "Domain: SaaS",
 "Data Source: Azure",
 "Data Source: Entra ID",
- "Data Source: Entra ID Sign-in",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index 8eecad7cb6e..311c32ad1a7 100644
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -65,7 +65,7 @@ tags = [
 "Domain: SaaS",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
 "Use Case: Identity and Access Audit",
diff --git a/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
index 503bc77444f..267da09d867 100644
--- a/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
+++ b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
@@ -82,13 +82,14 @@ To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collecte
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Use Case: Identity and Access Audit",
 "Tactic: Collection",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Sign-in Logs",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/collection_event_hub_created_or_updated.toml b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
index e27bb7be29e..866a3ee9b85 100644
--- a/rules/integrations/azure/collection_event_hub_created_or_updated.toml
+++ b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
@@ -72,6 +72,9 @@ tags = [
 "Use Case: Log Auditing",
 "Tactic: Collection",
 "Resources: Investigation Guide",
+ "Service: Azure Event Hub",
+ "Service: Azure Storage",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
index 716e9f25c56..44359ac5ec7 100644
--- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -67,7 +67,7 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: IAM",
 "Domain: Email",
 "Data Source: Azure",
 "Data Source: Microsoft Graph",
@@ -75,6 +75,8 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Resources: Investigation Guide",
+ "Service: Microsoft Graph",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
index f5baccef233..eb0986dcca5 100644
--- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
+++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
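Review bot: The Platform tags added to collection_graph_email_access_by_unusual_public_client_via_graph do not match the other Microsoft Graph rules in this patch: this hunk adds only `"Platform: Azure"`, while the initial_access_entra_id_graph_single_session_from_multiple_addresses hunk later adds `"Platform: Azure"` and `"Platform: Microsoft Entra ID"` next to `"Service: Microsoft Graph"`, and the discovery_bloodhound_user_agents_detected hunk adds `"Platform: Microsoft 365"` as well. If mailbox access via Graph should be discoverable under the Microsoft 365 platform filter, this rule needs the same tag; if not, the other two are over-tagged. Swapping `"Domain: SaaS"` for `"Domain: IAM"` while `"Domain: Email"` stays on a Collection-tactic rule also reads as a mixed taxonomy, so it is worth confirming IAM is the intended primary domain here rather than a blanket replacement.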
@@ -77,14 +77,15 @@ rule_id = "cca64114-fb8b-11ef-86e2-f661ea17fbce"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
index 4521d329493..75e8663f681 100644
--- a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
+++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
@@ -27,13 +27,14 @@ This rule optionally requires Azure Sign-In logs from the Azure integration. Ens
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index 36bf103d780..1cb3e56becf 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -71,14 +71,15 @@ rule_id = "2d6f5332-42ea-11f0-b09a-f661ea17fbcd"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
index 1e7b113d746..0fa75b8a680 100644
--- a/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
@@ -86,13 +86,14 @@ setup = "This rule optionally requires Azure Sign-In logs from the Azure integra
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
index e1d8c2147e8..f1a8a9cc260 100644
--- a/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
@@ -74,15 +74,15 @@ rule_id = "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index bada648375d..47e70222fa0 100644
--- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -56,15 +56,16 @@ This rule requires the Azure logs integration be enabled and configured to colle
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
- "Domain: SaaS",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Service: Azure Event Hub",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
index e29e2900f4e..a16dc56c1b9 100644
--- a/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
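Review bot: `"Service: Azure Event Hub"` is added to the credential_access_entra_id_suspicious_signin tags but to none of the sibling Entra ID sign-in rules in this patch (brute_force_activity, excessive_account_lockouts, signin_brute_force_microsoft_365, totp_brute_force_attempts), which otherwise receive the identical `"Domain: IAM"` / `"Platform: Microsoft Entra ID"` treatment. The setup text in the hunk header points at the Azure logs integration, so Event Hub appears to be the ingestion path for the sign-in logs rather than the service the rule monitors; tagging it here makes this one rule surface under an Event Hub service filter while the rest do not. Either drop the line or apply the same Service tag to every rule ingested that way, and say which in the commit message.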
@@ -72,14 +72,15 @@ This rule requires the Entra ID sign-in logs via the Azure integration be enable
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
index bd7da56abd4..b16173a8c63 100644
--- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
+++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
@@ -72,14 +72,15 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Azure Platform Logs",
- "Data Source: Azure Key Vault Diagnostic Logs",
 "Use Case: Threat Detection",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Service: Azure Key Vault",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
index d8579161e50..b6db106a244 100644
--- a/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
+++ b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
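Review bot: Dropping `"Data Source: Azure Key Vault Diagnostic Logs"` from credential_access_key_vault_excessive_retrieval leaves `"Data Source: Azure Platform Logs"` as the only log-source tag on a rule whose setup text (visible in the hunk header) says specific diagnostic logs must be enabled; the new `"Service: Azure Key Vault"` names the product but not the log stream an operator has to switch on. Activity-log rules elsewhere in this patch keep `"Data Source: Azure Activity Logs"` beside their Service tag, so keeping a parallel `"Data Source: Azure Key Vault Diagnostic Logs"` here would preserve that discoverability. If the intent is that Azure Platform Logs now stands for every diagnostic-log stream, that is a reasonable convention, but it should be stated in the commit message. The credential_access_key_vault_retrieval_from_rare_identity hunk that follows drops `"Data Source: Azure Key Vault"` in the same way.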
@@ -72,14 +72,15 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Azure Platform Logs",
- "Data Source: Azure Key Vault",
 "Use Case: Threat Detection",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Service: Azure Key Vault",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
index 04fb7513634..0575987ea4a 100644
--- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
@@ -73,6 +73,8 @@ tags = [
 "Data Source: Azure Activity Logs",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Service: Azure Virtual Network",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 8875f25aea9..2498b03d685 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -70,10 +70,12 @@ severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: Azure",
+ "Service: Azure Storage",
 "Data Source: Azure Activity Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Azure"
 ]
 timestamp_override = "event.ingested"
 type = "query"
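Review bot: `"Service: Azure Virtual Network"` on credential_access_network_full_network_packet_capture_detected is inconsistent with the defense_evasion_network_watcher_deletion hunk later in this patch, which uses `"Service: Azure Network Watcher"`; packet captures are a Network Watcher feature, so `"Service: Azure Network Watcher"` is the matching tag here. Service tags only help filtering if the same service is spelled the same way on every rule that touches it.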
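Review bot: In the credential_access_storage_account_key_regenerated hunk, `"Service: Azure Storage"` is inserted between the two Data Source tags and `"Platform: Azure"` is appended without a trailing comma, whereas the rest of the patch appends Service then Platform after `"Resources: Investigation Guide",` with a trailing comma. The same mid-list insertion recurs in defense_evasion_storage_blob_permissions_modified and discovery_storage_blob_container_access_modification; the missing trailing comma recurs in discovery_bloodhound_user_agents_detected, discovery_entra_id_teamfiltration_user_agents_detected and initial_access_entra_id_graph_single_session_from_multiple_addresses; and defense_evasion_automation_runbook_deleted and the graph_single_session hunk put Platform before Service. The array is valid TOML either way, but a consistent trailing comma keeps future tag additions to one-line diffs and a fixed order lets tag audits be done mechanically.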
diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
index 63863a3a7d1..0f19a12e987 100644
--- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml
@@ -70,6 +70,8 @@ tags = [
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Service: Azure Automation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
index 5064a81e5b2..e7de305f597 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
@@ -72,13 +72,14 @@ rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Audit Logs",
+ "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
index 98f077b34c0..b5db1aa6ef5 100644
--- a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
+++ b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml
@@ -64,14 +64,15 @@ rule_id = "9563dace-5822-11f0-b1d3-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Use Case: Threat Detection",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Tactic: Defense Evasion",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index e043e467630..122b855ceb9 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -77,6 +77,8 @@ tags = [
 "Use Case: Log Auditing",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Event Hub",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
index 512de4967d1..1c0c1c26c67 100644
--- a/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
@@ -68,11 +68,12 @@ rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Security",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Monitor",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index a76170e7677..3595c814275 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -70,12 +70,14 @@ rule_id = "8b64d36a-1307-4b2e-a77b-a0027e4d27c8"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Container",
+ "Domain: Cloud Workloads",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
 "Use Case: Log Auditing",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Kubernetes Service",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
index 042a4e184f1..99d5a30fe12 100644
--- a/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
@@ -73,6 +73,8 @@ tags = [
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Firewall",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
index 047b95598a5..707a614c369 100644
--- a/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
@@ -76,6 +76,8 @@ tags = [
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Firewall",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index dfcef475355..9b55db8439f 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -72,6 +72,8 @@ tags = [
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Network Watcher",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
index f1fe96d7001..0453057cc75 100644
--- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
@@ -71,12 +71,13 @@ rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Security",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Monitor",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
index 60b54cd3d85..ed223555a13 100644
--- a/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
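Review bot: `"Service: Azure Firewall"` on defense_evasion_network_frontdoor_firewall_policy_deletion looks like a carry-over from the preceding network_firewall_policy_deletion hunk; Front Door WAF policies are an Azure Front Door resource, not an Azure Firewall one, so `"Service: Azure Front Door"` would be the accurate tag and would keep the two firewall rules distinguishable under a service filter. In the defense_evasion_security_alert_suppression_rule_created hunk on the same line, `"Service: Azure Monitor"` is worth checking against the rule's query (not visible here): if it keys on Defender for Cloud alert suppression rules, a Defender for Cloud service tag would describe it better than Azure Monitor.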
+++ b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
@@ -68,10 +68,12 @@ tags = [
 "Domain: Cloud",
 "Domain: Storage",
 "Data Source: Azure",
+ "Service: Azure Storage",
 "Data Source: Azure Activity Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
index cfa19a9a3fb..ec766cb6a57 100644
--- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
@@ -90,8 +90,8 @@ tags = [
 "Domain: Cloud",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
- "Data Source: Graph API",
- "Data Source: Graph API Activity Logs",
+ "Data Source: Microsoft Graph",
+ "Data Source: Microsoft Graph Activity Logs",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
 "Data Source: Microsoft Entra ID",
@@ -101,6 +101,9 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
index 29807e1868f..9cb8ef55b90 100644
--- a/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
@@ -81,7 +81,7 @@ rule_id = "f541ca3a-5752-11f0-b44b-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
@@ -91,6 +91,8 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index 406d8e67227..7ff236f4039 100644
--- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -68,10 +68,12 @@ tags = [
 "Domain: Cloud",
 "Domain: Storage",
 "Data Source: Azure",
+ "Service: Azure Storage",
 "Data Source: Azure Activity Logs",
 "Use Case: Asset Visibility",
 "Tactic: Discovery",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/execution_compute_vm_command_executed.toml b/rules/integrations/azure/execution_compute_vm_command_executed.toml
index 7ef08470a47..3c1bf8d5056 100644
--- a/rules/integrations/azure/execution_compute_vm_command_executed.toml
+++ b/rules/integrations/azure/execution_compute_vm_command_executed.toml
@@ -74,12 +74,14 @@ rule_id = "60884af6-f553-4a6c-af13-300047455491"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Endpoint",
+ "Domain: Server",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
 "Use Case: Log Auditing",
 "Tactic: Execution",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Service: Azure Compute Services",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
index 7500d50dbb1..f6fe9322844 100644
--- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
+++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml
@@ -61,12 +61,14 @@ rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
 "Tactic: Impact",
 "Use Case: Configuration Audit",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Service: Azure Key Vault",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 1011cb8df24..c87fb45dbfc 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -68,12 +68,14 @@ rule_id = "83a1931d-8136-46fc-b7b9-2db4f639e014"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Container",
+ "Domain: Cloud Workloads",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
 "Use Case: Asset Visibility",
 "Tactic: Impact",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Service: Azure Kubernetes Service",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
index 0cda3814550..e583236e85e 100644
--- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml
@@ -75,7 +75,9 @@ tags = [
 "Data Source: Azure Activity Logs",
 "Use Case: Log Auditing",
 "Tactic: Impact",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Service: Azure Resource Manager",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
index 666871590d5..361b4251e18 100644
--- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml
@@ -69,13 +69,14 @@ rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
index 6f0524e3323..f7a698dd2cf 100644
--- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
+++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
@@ -74,11 +74,10 @@ This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activ
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
- "Domain: API",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Data Source: Microsoft Graph",
 "Data Source: Microsoft Graph Activity Logs",
 "Use Case: Identity and Access Audit",
@@ -86,6 +85,9 @@ tags = [
 "Resources: Investigation Guide",
 "Tactic: Defense Evasion",
 "Tactic: Initial Access",
+ "Platform: Azure",
+ "Platform: Microsoft Entra ID",
+ "Service: Microsoft Graph"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
index 60f5a006f5e..f46ac9d9381 100644
--- a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml
@@ -62,13 +62,14 @@ rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
index 9a2e4d62ccc..60e80418ef3 100644
--- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
@@ -67,7 +67,7 @@ rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
@@ -75,6 +75,7 @@ tags = [
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
 "Tactic: Credential Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
index fc51f23fbeb..a535466e881 100644
--- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
@@ -67,13 +67,14 @@ rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
index 62db070e750..5bc7dd95255 100644
--- a/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml
@@ -73,13 +73,14 @@ rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml
index 06422aada36..9ce3a6db7de 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml
@@ -62,13 +62,14 @@ rule_id = "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Protection Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
index d3af3f1816f..dda45fd686f 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml
@@ -80,7 +80,7 @@ For information on troubleshooting the maximum alerts warning please refer to th
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
@@ -88,6 +88,7 @@ tags = [
 "Use Case: Risk Detection",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
index 8110b7bc7e9..140ded4b152 100644
--- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
+++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
@@ -77,7 +77,7 @@ For information on troubleshooting the maximum alerts warning please refer to th
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
@@ -85,6 +85,7 @@ tags = [
 "Use Case: Risk Detection",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
index c0744081ad7..96ec5471cdb 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml
@@ -71,14 +71,15 @@ rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
index 90ee00fc55b..6c04bdded6d 100644
--- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
+++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
@@ -71,7 +71,7 @@ rule_id = "9e11faee-fddb-11ef-8257-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Sign-in Logs",
@@ -79,6 +79,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml
index dbff9ce9e6f..32975bc2802 100644
--- a/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml
+++ b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml
@@ -69,13 +69,14 @@ rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
index 55615644267..00d521b9f47 100644
--- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
@@ -76,14 +76,15 @@ This rule requires the Microsoft Entra ID Sign-In Logs integration be enabled an
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Entra ID Sign-in Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml
index 08eb2d0319b..9db98b38c92 100644
--- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml
+++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml
@@ -58,13 +58,14 @@ rule_id = "8d696bd0-5756-11f0-8e3b-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
index dd36afba47f..07cfa620771 100644
--- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
+++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
@@ -59,13 +59,14 @@ rule_id = "caaa8b78-367c-11f0-beb8-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
index 73f5a418e78..1bdbf6c2f57 100644
--- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -80,13 +80,15 @@ rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Graph",
 "Data Source: Microsoft Graph Activity Logs",
 "Resources: Investigation Guide",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
+ "Platform: Azure",
+ "Service: Microsoft Graph"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/persistence_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml
index d17db933000..ba154d144cf 100644
--- a/rules/integrations/azure/persistence_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_automation_account_created.toml
@@ -69,7 +69,9 @@ tags = [
 "Data Source: Azure Activity Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Service: Azure Automation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml
index ba2dd578246..00eb7197f9c 100644
--- a/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml
@@ -70,7 +70,9 @@ tags = [
 "Data Source: Azure Activity Logs",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Service: Azure Automation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml
index 8bd42739f58..33da4334a68 100644
--- a/rules/integrations/azure/persistence_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_automation_webhook_created.toml
@@ -70,7 +70,9 @@ tags = [
 "Data Source: Azure Activity Logs",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Service: Azure Automation",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
index 172ba46ee4f..82dcf1c269e 100644
--- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml
@@ -72,14 +72,15 @@ rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
index 3faa472ecb8..fa055d382fa 100644
--- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml
@@ -64,13 +64,14 @@ rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
index 224a0dff81f..d851d6182f3 100644
--- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
+++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml
@@ -64,13 +64,14 @@ rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Persistence",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
index 54f4205f04d..e0db302ebc2 100644
--- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
+++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
@@ -45,13 +45,14 @@ rule_id = "498e4094-60e7-11f0-8847-f661ea17fbcd"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
index 4f3764bdce4..0fc41f99464 100644
--- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml
@@ -72,13 +72,14 @@ rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
index 8601e4626b6..8acaf40b729 100644
--- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml
@@ -70,13 +70,14 @@ rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Persistence",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
index 31e9449d70d..2ada88a55b8 100644
--- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
+++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml
@@ -54,14 +54,15 @@ rule_id = "40e60816-5122-11f0-9caa-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Use Case: Threat Detection",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Tactic: Persistence",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_created.toml b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml
index 28eda67ae64..5e1404d54f8 100644
--- a/rules/integrations/azure/persistence_entra_id_service_principal_created.toml
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml
@@ -76,13 +76,14 @@ This rule requires the Azure integration with Microsoft Entra ID Audit Logs data
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Persistence",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
index 16ee0909039..c30adf14dad 100644
--- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml
@@ -62,13 +62,14 @@ rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml
index 3790211917e..e9b07c5a689 100644
--- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml
+++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml
@@ -57,13 +57,14 @@ rule_id = "d121f0a8-4875-11f0-bb2b-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml
index 05b3f1d9952..52685c327d5 100644
--- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml
+++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml
@@ -67,13 +67,14 @@ rule_id = "90efea04-5675-11f0-8f80-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
index 9a4fbff00c6..99fe97eb233 100644
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml
@@ -59,13 +59,14 @@ rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
index 3c8c10557ed..a5f9069e638 100644
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
@@ -64,13 +64,14 @@ rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
index 945fa2069fb..9777579b650 100644
--- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
+++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml
@@ -55,13 +55,14 @@ This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Sign-in Logs",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
index 7dfadbf9c0d..566ba028d24 100644
--- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
+++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml
@@ -54,13 +54,15 @@ rule_id = "42c97e6e-60c3-11f0-832a-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Graph",
 "Data Source: Microsoft Graph Activity Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Persistence",
+ "Platform: Azure",
+ "Service: Microsoft Graph"
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index fd341df6c03..4b0c6449829 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -67,13 +67,14 @@ rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
index eb61faf9f9e..e036a6cf5b2 100644
--- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml
@@ -64,14 +64,15 @@ rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
- "Domain: Container",
+ "Domain: IAM",
+ "Domain: Cloud Workloads",
 "Data Source: Azure",
- "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Audit Logs",
+ "Data Source: Azure Activity Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Service: Azure Kubernetes Service"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
index a81f94b8a54..d3a457376cd 100644
--- a/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
+++ b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml
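Review bot: The privilege_escalation_kubernetes_aks_rolebinding_created hunk replaces `"Data Source: Microsoft Entra ID"` and `"Data Source: Microsoft Entra ID Audit Logs"` with `"Data Source: Azure Activity Logs"`, but the rule's `query` and index pattern are outside this hunk, so the tag is only accurate if the query actually reads Azure Activity Log events rather than Entra ID audit events; worth confirming against the query rather than the metadata alone, since data-source tags drive how users find and scope the rule. If the query was indeed always Activity-Log based, a short line in the PR description saying the old tags were wrong would make the intent of this one-off data-source change clear to later readers. The enclosing `tags` array's other fields are unaffected.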
@@ -65,14 +65,14 @@ rule_id = "7fc95782-4bd1-11f0-9838-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
index 1898eb9b23c..13355714c18 100644
--- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
+++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml
@@ -65,14 +65,14 @@ rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/o365/collection_exchange_new_inbox_rule.toml b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml
index a5e1b08cd37..428213a96d7 100644
--- a/rules/integrations/o365/collection_exchange_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml
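Review bot: collection_exchange_excessive_mail_items_accessed receives `"Platform: Microsoft Entra ID"` while the sibling hunk on this line (collection_exchange_mailbox_access_by_unusual_client_app_id) and every other `Service: Exchange` rule in the series receive `"Platform: Microsoft 365"`; the same pairing of `Service: OneDrive` with `Platform: Microsoft Entra ID` appears in collection_onedrive_excessive_file_downloads on the next line. Both rules keep `"Data Source: Microsoft 365 Audit Logs"` and carry no Entra ID data source, so the Entra ID platform tag reads like a carry-over from the Entra ID rules rather than a deliberate choice. Unless these rules correlate with sign-in logs in a part of the file not shown, `"Platform: Microsoft 365",` is the consistent value.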
@@ -71,14 +71,14 @@ rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Collection",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
index 82e7127b9e7..56636f80130 100644
--- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
+++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -68,14 +68,15 @@ rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: Storage",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft OneDrive",
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Tactic: Exfiltration",
 "Resources: Investigation Guide",
+ "Service: OneDrive",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml
index d5c4190b9f0..5df10b917fb 100644
--- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml
+++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml
@@ -52,14 +52,14 @@ rule_id = "fcd2e4be-6ec4-482f-9222-6245367cd738"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml
index a9bab0b27a9..896fcc1f971 100644
--- a/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml
@@ -61,15 +61,15 @@ rule_id = "de67f85e-2d43-11f0-b8c9-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Threat Detection",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
index 6508cd0661f..eae08ea5944 100644
--- a/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
+++ b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml
@@ -66,15 +66,15 @@ rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml
index cff812c10b6..20f8c9737d3 100644
--- a/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml
@@ -63,14 +63,14 @@ rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Tactic: Credential Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml
index 3b161577c8d..f1c1771d7cc 100644
--- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml
+++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml
@@ -52,16 +52,16 @@ setup = ""
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Use Case: Threat Detection",
 "Resources: Investigation Guide",
 "Tactic: Defense Evasion",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
index aa255548d56..44d15c0c45e 100644
--- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml
@@ -66,15 +66,14 @@ rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
- "Domain: Compliance",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml
index ab73164c68d..588a57a018c 100644
--- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml
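Review bot: Across the o365 hunks on this and the following lines (defense_evasion_entra_id_susp_oauth2_authorization is the first), long-standing tags such as `"Domain: SaaS"`, `"Data Source: Microsoft Entra ID"` and `"Data Source: Microsoft Exchange"` are removed outright rather than kept alongside the new `Service:`/`Platform:` tags. Rule tags are commonly used as filter keys in rule management, alert views and exception-list scoping, so any consumer keyed on those exact strings silently loses coverage on the next rule update, and nothing in the hunks themselves flags the migration. Either retaining the old data-source tags for one release or calling the removal out in the release notes for this tag migration would make the break visible to downstream users.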
@@ -64,14 +64,14 @@ rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml
index 667ebdab4e3..51b0d0c1039 100644
--- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml
@@ -67,14 +67,14 @@ rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml
index c4d5fbb7e75..5d176999ace 100644
--- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml
@@ -66,14 +66,14 @@ rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
index f79c2679c41..01a28c9a202 100644
--- a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml
@@ -71,14 +71,14 @@ rule_id = "40fe11c2-376e-11f0-9a82-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml
index c185ecd2ee1..b4c4e8c88af 100644
--- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml
@@ -66,14 +66,14 @@ rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
index 1afa0f9595b..4382b198471 100644
--- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml
@@ -67,14 +67,14 @@ rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Exfiltration",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
index 915a7d0d75a..4893815164f 100644
--- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
+++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml
@@ -68,14 +68,14 @@ rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Exfiltration",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml
index c871e51fcc3..8c73a0c8b5c 100644
--- a/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml
@@ -58,14 +58,14 @@ rule_id = "571ff456-aa7f-4e48-8a88-39698bb5418f"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Compliance",
+ "Domain: Storage",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Security and Compliance Center",
 "Use Case: Configuration Audit",
 "Tactic: Exfiltration",
 "Resources: Investigation Guide",
+ "Service: Security and Compliance Center",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
index cf42b3da589..5f82fabc8ff 100644
--- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml
@@ -68,14 +68,13 @@ rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Compliance",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Security and Compliance Center",
 "Use Case: Configuration Audit",
 "Tactic: Impact",
 "Resources: Investigation Guide",
+ "Service: Security and Compliance Center",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
index dc8b2e4b99b..a28d2cd0db5 100644
--- a/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml
@@ -59,14 +59,14 @@ rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Compliance",
+ "Domain: Storage",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Security and Compliance Center",
 "Use Case: Configuration Audit",
 "Tactic: Impact",
 "Resources: Investigation Guide",
+ "Service: Security and Compliance Center",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
index 4cc3523cb88..590a8351884 100644
--- a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
+++ b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
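Review bot: impact_security_compliance_potential_ransomware_activity drops both `"Domain: SaaS"` and `"Domain: Compliance"` without a replacement, leaving `"Domain: Cloud"` as its only domain tag, whereas the two neighbouring Security and Compliance Center rules (exfiltration_security_compliance_mass_download_by_a_single_user on the previous line and impact_security_compliance_unusual_volume_of_file_deletion in the next hunk here) are retagged `"Domain: Storage"`. All three describe file-activity signals from the same audit source, so the omission reads as an oversight rather than a taxonomy decision; adding `"Domain: Storage",` keeps the three rules filterable together. If the missing domain is intentional, a one-line reason in the commit description would spare the next reviewer the same question.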
@@ -73,14 +73,13 @@ For information on troubleshooting the maximum alerts warning please refer to th
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Defender",
- "Data Source: Microsoft Defender Threat Intelligence",
 "Use Case: Threat Detection",
 "Tactic: Initial Access",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Service: Microsoft Threat Intelligence",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
index c2cb328c5b5..7d88cdd2568 100644
--- a/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
@@ -81,15 +81,15 @@ rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
 "Tactic: Credential Access",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
index bf12539bcc8..42caca302ea 100644
--- a/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
+++ b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml
@@ -69,14 +69,14 @@ rule_id = "929d0766-204b-11f0-9c1f-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
 "Tactic: Initial Access",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
index d6377ff0d9a..fd18eecba21 100644
--- a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml
@@ -57,13 +57,15 @@ rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
 "Use Case: Threat Detection",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft 365",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
index c87c20e265d..c40a6c2a938 100644
--- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
+++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml
@@ -56,13 +56,15 @@ rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
 "Use Case: Threat Detection",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft 365",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml
index 1807b540da9..b1170eda4ea 100644
--- a/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml
@@ -68,14 +68,14 @@ rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml
index 595d8114fbd..759d19147e4 100644
--- a/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml
+++ b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml
@@ -68,14 +68,14 @@ rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml
index 0dac443eb55..af598b67713 100644
--- a/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml
@@ -66,14 +66,14 @@ rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Identity and Access Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml
index cb032236eeb..aed7e005be3 100644
--- a/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml
@@ -72,14 +72,15 @@ setup = ""
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Compliance",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Service: Security and Compliance Center",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
index 198df97c7ca..377504580ab 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml
@@ -63,13 +63,13 @@ rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Compliance",
+ "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Security and Compliance Center",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Service: Security and Compliance Center",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
index 2ac45da8d9a..ab68c29aef9 100644
--- a/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml
@@ -61,14 +61,14 @@ rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Compliance",
+ "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Security and Compliance Center",
 "Use Case: Configuration Audit",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Service: Security and Compliance Center",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
index 98f4596a654..2d6344b66bd 100644
--- a/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
+++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml
@@ -64,14 +64,15 @@ rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Storage",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft OneDrive",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",
 "Resources: Investigation Guide",
+ "Service: SharePoint",
+ "Service: OneDrive",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
index 0f9482efb51..72602fb1bae 100644
--- a/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
+++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml
@@ -63,14 +63,14 @@ rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Storage",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: SharePoint",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",
 "Resources: Investigation Guide",
+ "Service: SharePoint",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
index 54f17ac82d1..3d445cb77dd 100644
--- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml
@@ -61,13 +61,14 @@ rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Entra ID",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Platform: Microsoft 365",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml
index a7b10449e4c..c7abfcd81f9 100644
--- a/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml
@@ -67,13 +67,13 @@ rule_id = "514121ce-c7b6-474a-8237-68ff71672379"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
index 6ac65a5d653..0d751e756ce 100644
--- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml
@@ -67,14 +67,14 @@ rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Identity and Access Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
index ea81eeadb4f..ff59c320b14 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml
@@ -76,15 +76,14 @@ rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
 "Domain: Email",
 "Data Source: Microsoft 365",
- "Data Source: Microsoft Exchange",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml
index e1ad5cad6e3..42011489c5e 100644
--- a/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml
@@ -66,13 +66,14 @@ rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: Application",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Teams",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Service: Microsoft Teams",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_teams_external_access_enabled.toml
index 79bf3ad3ca0..3df3cb31334 100644
--- a/rules/integrations/o365/persistence_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_teams_external_access_enabled.toml
@@ -65,14 +65,15 @@ rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: Application",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Teams",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Service: Microsoft Teams",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
index 73b2b9d2979..00350684615 100644
--- a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml
@@ -65,14 +65,15 @@ rule_id = "5e552599-ddec-4e14-bad1-28aa42404388"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: Application",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Teams",
 "Use Case: Configuration Audit",
 "Tactic: Persistence",
 "Resources: Investigation Guide",
+ "Service: Microsoft Teams",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
index 7297304305d..3241eec8117 100644
--- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml
@@ -65,14 +65,15 @@ rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8"
 severity = "low"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
- "Domain: Identity",
+ "Domain: Email",
+ "Domain: IAM",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
- "Data Source: Microsoft Exchange",
 "Use Case: Identity and Access Audit",
 "Tactic: Privilege Escalation",
 "Resources: Investigation Guide",
+ "Service: Exchange",
+ "Platform: Microsoft 365",
 ]
 timestamp_override = "event.ingested"
 type = "query"
From 12eef14b567573d16b1be03b2991eb7fd947080a Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Wed, 3 Sep 2025 13:54:51 -0400
Subject: [PATCH 9/9] updated name and tags
---
 .../initial_access_azure_o365_with_network_alert.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index 311c32ad1a7..885e4aebb84 100644
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -20,10 +20,10 @@ from = "now-60m"
 interval = "59m"
 language = "esql"
 license = "Elastic License v2"
-name = "M365 or Entra ID Sign-in from a Suspicious Source"
+name = "Entra ID Sign-in from a Suspicious Source"
 note = """## Triage and analysis
-### Investigating M365 or Entra ID Sign-in from a Suspicious Source
+### Investigating Entra ID Sign-in from a Suspicious Source
 #### Possible investigation steps
@@ -62,7 +62,7 @@ rule_id = "f0cc239b-67fa-46fc-89d4-f861753a40f5"
 severity = "high"
 tags = [
 "Domain: Cloud",
- "Domain: SaaS",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
 "Data Source: Microsoft Entra ID Sign-in Logs",
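Review bot: The renamed `name = "Entra ID Sign-in from a Suspicious Source"` drops "M365" while the file is still `rules/cross-platform/initial_access_azure_o365_with_network_alert.toml` and the second hunk keeps `"Data Source: Azure",`; if the ES|QL query (outside this hunk) still matches Microsoft 365 sign-in events, the narrower name under-describes what the rule fires on, and if it no longer does, the file name and the rule's `description` field should be brought in line as well. The investigation-guide heading was updated together with the name, which keeps the triage note consistent; the `description` field earlier in the file is not in view, so confirm it received the same edit. The tags array edited by the second hunk closes outside the hunk.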
