diff --git a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
index f5050278864..b429bfadf30 100644
--- a/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
+++ b/rules/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
@@ -73,7 +73,7 @@ tags = [
     "Domain: SaaS",
     "Data Source: Azure",
     "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index d2cd0b2744f..885e4aebb84 100644
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -17,12 +17,13 @@ false_positives = [
     """,
 ]
 from = "now-60m"
+interval = "59m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "Entra ID Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating Entra ID Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
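Review bot: The new `interval = "59m"` next to `from = "now-60m"` leaves consecutive runs only a one-minute overlap and means a suspicious sign-in can wait almost an hour before this rule (severity `high` further down the file) evaluates it, which is much looser than the sibling ES|QL sign-in rules in this change that pair `from = "now-60m"` with `interval = "15m"`. If the long interval is deliberate (for example to avoid re-alerting on the same source across overlapping runs) a one-line comment above it saying so would save the next reviewer the question; otherwise `interval = "15m"` would match the siblings. The `name` also drops "Microsoft 365" while the file's `integration` list in the first hunk still carries `o365` and the tags further down keep `Data Source: Microsoft 365`, so the name now understates the rule's declared scope.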
@@ -61,10 +62,10 @@ rule_id = "f0cc239b-67fa-46fc-89d4-f861753a40f5"
 severity = "high"
 tags = [
     "Domain: Cloud",
-    "Domain: SaaS",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Data Source: Microsoft 365",
     "Data Source: Microsoft 365 Audit Logs",
     "Use Case: Identity and Access Audit",
diff --git a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
similarity index 96%
rename from rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
rename to rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
index 30b7a44a46f..267da09d867 100644
--- a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
+++ b/rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Access for User Principal via Auth Broker
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 
@@ -82,12 +82,14 @@ To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collecte
 severity = "high"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
     "Use Case: Identity and Access Audit",
     "Tactic: Collection",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
     "Data Source: Microsoft Entra ID Sign-in Logs",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
similarity index 94%
rename from rules/integrations/azure/collection_update_event_hub_auth_rule.toml
rename to rules/integrations/azure/collection_event_hub_created_or_updated.toml
index 2d505ecfb45..866a3ee9b85 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_event_hub_created_or_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
     """,
 ]
 from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
@@ -59,15 +59,23 @@ Azure Event Hub Authorization Rules manage access to Event Hubs via cryptographi
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.
 - Conduct a security review of all Event Hub Authorization Rules to ensure that only necessary permissions are granted and that the RootManageSharedAccessKey is not used in applications.
 - Enhance monitoring and alerting for changes to authorization rules by integrating with a Security Information and Event Management (SIEM) system to detect similar threats in the future.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Domain: Storage",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Use Case: Log Auditing",
+    "Tactic: Collection",
+    "Resources: Investigation Guide",
+    "Service: Azure Event Hub",
+    "Service: Azure Storage",
+    "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
index c90bc367c06..44359ac5ec7 100644
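Review bot: The added tags `"Domain: Storage"` and `"Service: Azure Storage"` mislabel this rule: the `name` line and the note text in the same hunk say it watches Event Hub authorization-rule writes, and Event Hubs is a messaging service rather than Azure Storage, so the Storage tags will file it under the wrong views; I would drop both and keep `"Service: Azure Event Hub"`. The `## Setup` section is deleted from the note with nothing in this hunk replacing it, so unless the required-data guidance (Azure Activity Logs via the Azure integration or Filebeat module) has moved to a `setup` field elsewhere in the file, it should be restored. The narrowed `index = ["filebeat-*", "logs-azure.activitylogs-*"]` is a sensible tightening, but any deployment that routes activity logs to a custom dataset under `logs-azure*` will silently stop matching, which deserves a release note.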
--- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/06"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Microsoft Graph Request Email Access by User with Rare Client"
 note = """## Triage and analysis
 
 ### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
@@ -67,12 +67,16 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
+    "Domain: Email",
     "Data Source: Azure",
     "Data Source: Microsoft Graph",
     "Data Source: Microsoft Graph Activity Logs",
     "Use Case: Threat Detection",
     "Tactic: Collection",
     "Resources: Investigation Guide",
+    "Service: Microsoft Graph",
+    "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
index 5f664ef65ed..eb0986dcca5 100644
--- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
+++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
 min_stack_version = "8.17.0"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
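Review bot: The note heading `### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph` is left unchanged two lines below a `name` that now reads `Microsoft Graph Request Email Access by User with Rare Client`, so the investigation guide no longer names the rule it belongs to. Change it to `### Investigating Microsoft Graph Request Email Access by User with Rare Client`; the other renamed rules in this change update the two lines together.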
@@ -25,10 +25,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID User Sign-In Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID Sign-In Brute Force Activity
 
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
 
@@ -77,14 +77,15 @@ rule_id = "cca64114-fb8b-11ef-86e2-f661ea17fbce"
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
index 4ede482fd06..75e8663f681 100644
--- a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
+++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Entra ID Device Code Auth with Broker Client"
+name = "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker"
 references =[
     "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf",
     "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in",
@@ -27,11 +27,14 @@ This rule optionally requires Azure Sign-In logs from the Azure integration. Ens
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -49,7 +52,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Entra ID Device Code Auth with Broker Client
+### Investigating Entra ID OAuth Device Code Grant from Microsoft Authentication Broker Client
 
 Entra ID Device Code Authentication allows users to authenticate devices using a code, facilitating seamless access to Azure resources. Adversaries exploit this by compromising Primary Refresh Tokens (PRTs) to bypass multi-factor authentication and Conditional Access policies. The detection rule identifies unauthorized access attempts by monitoring successful sign-ins using device code authentication linked to a specific broker client application ID, flagging potential misuse.
 
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index 8981a92e250..1cb3e56becf 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Exccessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
 ### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected
@@ -71,14 +71,15 @@ rule_id = "2d6f5332-42ea-11f0-b09a-f661ea17fbcd"
 severity = "high"
 tags = [
     "Domain: Cloud",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
rename to rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
index e5e17e7b391..0fa75b8a680 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
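Review bot: The typo `Exccessive` is corrected in the `name` line but survives in the note heading two lines below, `### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected`, which is a context line the hunk leaves untouched. Change it to `### Investigating Entra ID Excessive Account Lockouts Detected` so the guide title matches the new name and the spelling is fixed in both places.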
+++ b/rules/integrations/azure/credential_access_entra_id_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -16,7 +16,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
+name = "Entra ID OAuth Device Code Grant by Rare User"
 note = """## Triage and analysis
 
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
@@ -86,11 +86,14 @@ setup = "This rule optionally requires Azure Sign-In logs from the Azure integra
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
rename to rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
index 1185de758c1..f1a8a9cc260 100644
--- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
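Review bot: The note heading `### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol` is left as is while `name` becomes `Entra ID OAuth Device Code Grant by Rare User`, so the guide title and the rule name no longer agree; change it to `### Investigating Entra ID OAuth Device Code Grant by Rare User`. The added `"Data Source: Microsoft Entra ID Sign-in Logs"` tag also sits beside a `setup` string (visible in the hunk header) that says sign-in logs are only optional and an `index` that includes `logs-azure.activitylogs-*` as well, so the tag slightly overstates the dependency; either wording is fine as long as the tag, setup text and index tell the same story.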
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "Microsoft 365 Brute Force Attempted (Entra ID Sign-ins)"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
+### Investigating Microsoft 365 Brute Force via Entra ID Sign-ins
 
 Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage.
 
@@ -74,15 +74,15 @@ rule_id = "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc"
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: SaaS",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
similarity index 95%
rename from rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
rename to rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
index 09326ac93d4..47e70222fa0 100644
--- a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
+++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
+name = "Entra ID Concurrent Sign-ins with Suspicious Properties"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
+### Investigating Entra ID Concurrent Sign-ins with Suspicious Properties
 
 ### Possible investigation steps
 
@@ -56,14 +56,16 @@ This rule requires the Azure logs integration be enabled and configured to colle
 severity = "high"
 tags = [
     "Domain: Cloud",
-    "Domain: SaaS",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Service: Azure Event Hub",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml
rename to rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
index 71102c93f69..a16dc56c1b9 100644
--- a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml
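Review bot: The added tag `"Service: Azure Event Hub"` does not fit this rule: its `name` and note heading describe concurrent Entra ID sign-ins with suspicious properties, and none of the other Entra ID sign-in rules in this change receive that tag. If it was meant to describe the log-delivery path (the setup text in the hunk header mentions the Azure logs integration, which is commonly fed by an Event Hub) rather than the monitored service, it should be dropped, because the other `Service:` tags in this change name the service being watched (`Service: Azure Key Vault`, `Service: Azure Event Hub` on the Event Hub authorization-rule rule). Otherwise it reads as a copy-paste from that Event Hub rule.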
@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/31"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+name = "Entra ID MFA TOTP Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+### Investigating Entra ID MFA TOTP Brute Force Attempts
 
 This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.
 
@@ -72,14 +72,15 @@ This rule requires the Entra ID sign-in logs via the Azure integration be enable
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
rename to rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
index f80f96bc003..b16173a8c63 100644
--- a/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
+++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/24"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 interval = "8m"
 language = "esql"
 license = "Elastic License v2"
-name = "Excessive Secret or Key Retrieval from Azure Key Vault"
+name = "Azure Key Vault Excessive Secret or Key Retrieved"
 note = """## Triage and analysis
 
-### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
+### Investigating Key Vault Excessive Secret or Key Retrieval
 
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
 
@@ -72,15 +72,15 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: Storage",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
     "Data Source: Azure Platform Logs",
-    "Data Source: Azure Key Vault",
     "Use Case: Threat Detection",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Service: Azure Key Vault",
+    "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
diff --git a/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
similarity index 97%
rename from rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
rename to rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
index d93f55ce5da..b6db106a244 100644
--- a/rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
+++ b/rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/22"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.platformlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Key Vault Secret Key Usage by Unusual Identity"
+name = "Azure Key Vault Secret Key Usage First Occurrence"
 note = """## Triage and analysis
 
-### Investigating Azure Key Vault Secret Key Usage by Unusual Identity
+### Investigating Key Vault Secret Key Usage by Unusual Identity
 
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
 
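Review bot: The note paragraph directly under the renamed heading still says `This rule detects excessive secret or key retrieval operations from Azure Key Vault`, which is the description of the sibling excessive-retrieval rule earlier in this change, not of this one; the new `name` (`Azure Key Vault Secret Key Usage First Occurrence`), the `new_terms` rule type further down the file and the heading's own `by Unusual Identity` all describe a first-seen identity. Replace that sentence with something like `This rule detects the first occurrence of an identity retrieving a secret or key from Azure Key Vault, which may indicate credential access by a compromised or newly created principal.` The heading `### Investigating Key Vault Secret Key Usage by Unusual Identity` and the name `... First Occurrence` should also use the same phrase so the guide and rule list line up.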
@@ -72,15 +72,15 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: Storage",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
     "Data Source: Azure Platform Logs",
-    "Data Source: Azure Key Vault",
     "Use Case: Threat Detection",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Service: Azure Key Vault",
+    "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
similarity index 92%
rename from rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
rename to rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
index 615a5b47f01..0575987ea4a 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Austin Songer"]
@@ -20,16 +20,16 @@ false_positives = [
     """,
 ]
 from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Full Network Packet Capture Detected"
+name = "Azure VNet Full Network Packet Capture Enabled"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Full Network Packet Capture Detected
+### Investigating VNet Full Network Packet Capture Detected
 
 Azure's Packet Capture is a feature of Network Watcher that allows for the inspection of network traffic, useful for diagnosing network issues. However, if misused, it can capture sensitive data from unencrypted traffic, posing a security risk. Adversaries might exploit this to access credentials or other sensitive information. The detection rule identifies suspicious packet capture activities by monitoring specific Azure activity logs for successful operations, helping to flag potential misuse.
 
@@ -66,7 +66,16 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Domain: Network",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+    "Service: Azure Virtual Network",
+    "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
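Review bot: The new `name = "Azure VNet Full Network Packet Capture Enabled"` and tag `"Service: Azure Virtual Network"` attribute the capture to Virtual Network, while the note paragraph in the same hunk states that packet capture is a feature of Network Watcher; `Service: Azure Network Watcher` and a name that says Network Watcher would describe the monitored operation more accurately. The heading `### Investigating VNet Full Network Packet Capture Detected` also still says `Detected` where the name now says `Enabled`, so one of the two should change. As with the other index tightenings in this change, `logs-azure.activitylogs-*` stops matching any custom dataset that previously fell under `logs-azure*`; fine if intended, but worth calling out.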
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 4ffdf7111ab..2498b03d685 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
     or locations should be investigated.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Storage Account Key Regenerated
+### Investigating Storage Account Key Regenerated
 
 Azure Storage Account keys are critical credentials that grant access to storage resources. They are often used by applications and services to authenticate and interact with Azure Storage. Adversaries may regenerate these keys to gain unauthorized access, potentially disrupting services or exfiltrating data. The detection rule monitors for key regeneration events, flagging successful operations as potential indicators of credential misuse, thus enabling timely investigation and response.
 
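Review bot: Cutting `from` from `now-25m` to `now-9m` shrinks each run's lookback to nine minutes, which is only safe if the rule's `interval` (not in this hunk) is five minutes or less; on any longer schedule the runs will leave gaps between them. Please confirm the interval before merging, and note that `timestamp_override = "event.ingested"` further down the file is what makes the short window tolerable for late-arriving activity-log events. The same `from` change appears in the runbook and application-credential rules in this change, so the same check applies there.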
@@ -70,9 +70,12 @@ severity = "low" tags = [ "Domain: Cloud", "Data Source: Azure", + "Service: Azure Storage", + "Data Source: Azure Activity Logs", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + "Platform: Azure" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml similarity index 92% rename from rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml rename to rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml index 64091a7a4b4..0f19a12e987 100644 --- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -10,8 +10,8 @@ description = """ Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Runbook Deleted" 
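Review bot: `"Platform: Azure"` is added without a trailing comma, unlike every other tags array in this change, which closes with a trailing comma before `]`; write it as `"Platform: Azure",` so the next tag appended does not need to touch this line. The added tags are also ordered `Service:` before `Data Source:` here while the sibling rules put `Data Source:` first and `Service:`/`Platform:` last, so aligning the order will keep the tag taxonomy lintable across the Azure rules.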
@@ -20,7 +20,7 @@ note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Automation Runbook Deleted +### Investigating Automation Runbook Deleted Azure Automation Runbooks automate repetitive tasks in cloud environments, enhancing operational efficiency. Adversaries may exploit this by deleting runbooks to disrupt operations or conceal malicious activities. The detection rule monitors Azure activity logs for successful runbook deletions, signaling potential defense evasion tactics, and alerts analysts to investigate further. @@ -62,7 +62,17 @@ references = [ risk_score = 21 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Platform: Azure", + "Service: Azure Automation", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml similarity index 94% rename from rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml rename to rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml index 072ba952ffd..e7de305f597 100644 --- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml 
+++ b/rules/integrations/azure/defense_evasion_entra_id_application_credential_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -20,17 +20,17 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Application Credential Modification"
+name = "Entra ID Application Credential Modified"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Application Credential Modification
+### Investigating Entra ID Application Credential Modified
 
 Azure applications use credentials like certificates or secret strings for identity verification during token requests. Adversaries may exploit this by adding unauthorized credentials, enabling persistent access or evading defenses. The detection rule monitors audit logs for successful updates to application credentials, flagging potential misuse by identifying unauthorized credential modifications.
 
@@ -72,10 +72,14 @@ rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: IAM",
 "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml index 72c76e80596..b5db1aa6ef5 100644 --- a/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml +++ b/rules/integrations/azure/defense_evasion_entra_id_oauth_user_impersonation_scope.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/03" integration = ["azure"] maturity = "production" -updated_date = "2025/07/03" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious Entra ID OAuth User Impersonation Scope Detected" +name = "Entra ID OAuth User Impersonation by Client" note = """## Triage and Analysis -### Investigating Suspicious Entra ID OAuth User Impersonation Scope Detected +### Investigating Entra ID Suspicious OAuth User Impersonation Scope Detected Identifies rare occurrences of OAuth workflow for a user principal that is single factor authenticated, with an OAuth scope containing `user_impersonation`, and a token issuer type of `AzureAD`. This rule is designed to detect suspicious OAuth user impersonation attempts in Microsoft Entra ID, particularly those involving the `user_impersonation` scope, which is often used by adversaries to gain unauthorized access to user accounts. The rule focuses on sign-in events where 
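Review bot: The guide heading becomes `### Investigating Entra ID Suspicious OAuth User Impersonation Scope Detected` while `name` in the same hunk becomes `"Entra ID OAuth User Impersonation by Client"`, so the heading no longer matches the alert title an analyst will search for. Use the same string in both, e.g. `### Investigating Entra ID OAuth User Impersonation by Client`. The new name also drops the "scope" wording that the first sentence of the guide still relies on to explain what is matched (a `user_impersonation` scope on a single-factor sign-in), so the description should be re-read against the new title.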
@@ -64,14 +64,15 @@ rule_id = "9563dace-5822-11f0-b1d3-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
- "Domain: Identity",
+ "Domain: IAM",
 "Use Case: Threat Detection",
 "Data Source: Azure",
 "Data Source: Microsoft Entra ID",
- "Data Source: Microsoft Entra ID Sign-In Logs",
+ "Data Source: Microsoft Entra ID Sign-in Logs",
 "Tactic: Defense Evasion",
 "Tactic: Initial Access",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 4f926b954b8..122b855ceb9 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -17,17 +17,17 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Event Hub Deletion"
+name = "Azure Event Hub Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Event Hub Deletion
+### Investigating Azure Event Hub Deleted
 
 Azure Event Hub is a scalable data streaming platform and event ingestion service, crucial for processing large volumes of data in real-time. Adversaries may target Event Hubs to delete them, aiming to disrupt data flow and evade detection by erasing evidence of their activities. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential defense evasion attempts by identifying unauthorized or suspicious deletions.
 
@@ -69,7 +69,17 @@ references = [
 risk_score = 47
 rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Storage",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Service: Azure Event Hub",
+ "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
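Review bot: The added `"Domain: Storage"` tag contradicts the rule's own description a few lines earlier, which calls Event Hub "a scalable data streaming platform and event ingestion service" whose deletion removes a log/telemetry sink; nothing in the hunk is about a storage service. Mis-tagging the domain steers analysts filtering by domain to the wrong place. If the tag taxonomy has no messaging or logging domain, it is better to leave the domain tag out than to file this under storage.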
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
similarity index 94%
rename from rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
rename to rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
index 9c3ca099cc0..1c0c1c26c67 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_insights_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,11 +18,11 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Diagnostic Settings Deletion"
+name = "Azure Diagnostic Settings Settings Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -66,7 +66,15 @@ references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/dia
 risk_score = 47
 rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Service: Azure Monitor",
+ "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 41d53464d9d..3595c814275 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
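Review bot: The new rule name `"Azure Diagnostic Settings Settings Deleted"` repeats the word "Settings"; it should read `name = "Azure Diagnostic Settings Deleted"`. `name` is the alert title and the entry in the generated rule docs, so the typo is user-visible. The `### Investigating` heading for this rule is outside the hunk, so please check that it was renamed to the same corrected string.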
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,17 +18,17 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Kubernetes Events Deleted"
+name = "Azure Kubernetes Services (AKS) Kubernetes Events Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Kubernetes Events Deleted
+### Investigating AKS Kubernetes Events Deleted
 
 Azure Kubernetes Service (AKS) manages containerized applications using Kubernetes, which logs events like state changes. These logs are crucial for monitoring and troubleshooting. Adversaries may delete these logs to hide their tracks, impairing defenses. The detection rule identifies such deletions by monitoring specific Azure activity logs, flagging successful deletion operations to alert security teams of potential evasion tactics.
 
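Review bot: `"Azure Kubernetes Services (AKS)"` in the new name pluralizes the product; the description in the same hunk and the `"Service: Azure Kubernetes Service"` tag added to this file both use the singular Azure Kubernetes Service. Suggest `name = "Azure Kubernetes Service (AKS) Kubernetes Events Deleted"`, or simply `"AKS Kubernetes Events Deleted"` to match the new `### Investigating AKS Kubernetes Events Deleted` heading. Keeping the title and heading identical also avoids the "Kubernetes ... Kubernetes" repetition.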
@@ -68,7 +68,17 @@ references = [
 risk_score = 47
 rule_id = "8b64d36a-1307-4b2e-a77b-a0027e4d27c8"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Cloud Workloads",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Log Auditing",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Service: Azure Kubernetes Service",
+ "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
similarity index 95%
rename from rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
rename to rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
index f5c04c6e240..99d5a30fe12 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -17,17 +17,17 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Firewall Policy Deletion"
+name = "Azure VNet Firewall Policy Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Firewall Policy Deletion
+### Investigating VNet Firewall Policy Deletion
 
 Azure Firewall policies are crucial for managing and enforcing network security rules across Azure environments. Adversaries may target these policies to disable security measures, facilitating unauthorized access or data exfiltration. The detection rule monitors Azure activity logs for successful deletion operations of firewall policies, signaling potential defense evasion attempts by identifying specific operation names and outcomes.
 
@@ -67,10 +67,14 @@ rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
 tags = [
 "Domain: Cloud",
+ "Domain: Network",
 "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Firewall",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
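Review bot: The `VNet` qualifier inserted into `"Azure VNet Firewall Policy Deleted"` and `### Investigating VNet Firewall Policy Deletion` does not describe the resource: an Azure Firewall policy is a standalone resource attached to Azure Firewall instances, not a setting of a virtual network, and the description left in the hunk still says "Azure Firewall policies". Adding a misleading scope word to the alert title costs triage time when analysts go looking for a VNet change. The `"Service: Azure Firewall"` tag added below already carries the service; `name = "Azure Firewall Policy Deleted"` with a matching heading is accurate and still satisfies the "<Product> <Resource> <Verb>" pattern used elsewhere in this change.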
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
similarity index 94%
rename from rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
rename to rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
index 53c7c70c607..707a614c369 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,17 +19,17 @@ false_positives = [
 is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted"
+name = "Azure VNet Firewall Frontdoor WAF Policy Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Frontdoor Web Application Firewall (WAF) Policy Deleted
+### Investigating VNet Firewall Frontdoor WAF Policy Deleted
 
 Azure Frontdoor WAF policies are crucial for protecting web applications by filtering and monitoring HTTP requests to block malicious traffic. Adversaries may delete these policies to bypass security measures, facilitating unauthorized access or data exfiltration. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, signaling potential defense evasion attempts.
 
@@ -70,10 +70,14 @@ rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082"
 severity = "low"
 tags = [
 "Domain: Cloud",
+ "Domain: Network",
 "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Firewall",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index df552106b54..9b55db8439f 100644
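Review bot: `"Azure VNet Firewall Frontdoor WAF Policy Deleted"` and the new `"Service: Azure Firewall"` tag file this rule under the wrong product: the description kept in the hunk says it covers Azure Front Door WAF policies, which belong to Front Door (a global edge/CDN service) and are neither Azure Firewall objects nor virtual-network settings. An analyst reading the title will look for an Azure Firewall or VNet change and not find one in the activity log. Suggest `name = "Azure Front Door WAF Policy Deleted"`, the same string in the `### Investigating` heading, and `"Service: Azure Front Door"` in place of `"Service: Azure Firewall"`; the `Domain: Network` tag can stay.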
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,17 +18,17 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Network Watcher Deletion"
+name = "Azure VNet Network Watcher Deleted"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Network Watcher Deletion
+### Investigating VNet Network Watcher Deletion
 
 Azure Network Watcher is a vital tool for monitoring and diagnosing network issues within Azure environments. It provides insights and logging capabilities crucial for maintaining network security. Adversaries may delete Network Watchers to disable these monitoring functions, thereby evading detection. The detection rule identifies such deletions by monitoring Azure activity logs for specific delete operations, flagging successful attempts as potential security threats.
 
@@ -66,10 +66,14 @@ rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Network",
 "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
 "Use Case: Network Security Monitoring",
 "Tactic: Defense Evasion",
 "Resources: Investigation Guide",
+ "Service: Azure Network Watcher",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
similarity index 92%
rename from rules/integrations/azure/defense_evasion_suppression_rule_created.toml
rename to rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
index 66bcb23efcf..0453057cc75 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,17 +18,17 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Alert Suppression Rule Created or Modified"
+name = "Azure Diagnostic Settings Alert Suppression Rule Created or Modified"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Alert Suppression Rule Created or Modified
+### Investigating Diagnostics Alert Suppression Rule Created or Modified
 
 Azure Alert Suppression Rules are used to manage alert noise by filtering out known false positives. However, adversaries can exploit these rules to hide malicious activities by suppressing legitimate security alerts. The detection rule monitors Azure activity logs for successful operations related to suppression rule changes, helping identify potential misuse that could lead to defense evasion and reduced security visibility.
 
@@ -69,7 +69,16 @@ references = [
 risk_score = 21
 rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Service: Azure Monitor",
+ "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
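Review bot: The new name `"Azure Diagnostic Settings Alert Suppression Rule Created or Modified"` and the `"Service: Azure Monitor"` tag file this under diagnostic settings, but the description in the same hunk is about rules that suppress *security* alerts, and the file is being renamed to `defense_evasion_security_alert_suppression_rule_created.toml`. The query is outside the hunk, so please confirm which operation it matches; if it is the security-center suppression-rule write, `name = "Azure Security Alert Suppression Rule Created or Modified"` with an identical `### Investigating` heading describes it accurately. As written the heading also says `Diagnostics` while the name says `Diagnostic Settings`, so the two strings differ even under the current wording.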
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
similarity index 95%
rename from rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
rename to rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
index 1cc74712800..ed223555a13 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_storage_blob_permissions_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Austin Songer"]
@@ -17,10 +17,11 @@ false_positives = [
 Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Blob Permissions Modification"
+name = "Azure Blob Storage Permissions Modified"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -65,10 +66,14 @@ rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: Storage",
 "Data Source: Azure",
+ "Service: Azure Storage",
+ "Data Source: Azure Activity Logs",
 "Use Case: Identity and Access Audit",
 "Tactic: Defense Evasion",
- "Resources: Investigation Guide"
+ "Resources: Investigation Guide",
+ "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
index 402945fecc1..ec766cb6a57 100644
--- a/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_bloodhound_user_agents_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/03"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/06/03"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.*", "logs-o365.audit-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "BloodHound Suite User-Agents Detected"
+name = "Entra ID Sign-ins BloodHound Suite User-Agent Detected"
 note = """## Triage and analysis
 
 This rule identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.
@@ -90,8 +90,8 @@ tags = [
 "Domain: Cloud",
 "Data Source: Azure",
 "Data Source: Azure Activity Logs",
- "Data Source: Graph API",
- "Data Source: Graph API Activity Logs",
+ "Data Source: Microsoft Graph",
+ "Data Source: Microsoft Graph Activity Logs",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
 "Data Source: Microsoft Entra ID",
@@ -101,6 +101,9 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
+ "Platform: Azure",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
similarity index 97%
rename from rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml
rename to rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
index 970fdb2ec0a..9cb8ef55b90 100644
--- a/rules/integrations/azure/discovery_teamfiltration_user_agents_detected.toml
+++ b/rules/integrations/azure/discovery_entra_id_teamfiltration_user_agents_detected.toml
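Review bot: The new name `"Entra ID Sign-ins BloodHound Suite User-Agent Detected"` narrows the title to sign-in logs, but the `index` line directly above it still searches `logs-azure.*` and `logs-o365.audit-*`, the note in the same hunk says the rule looks "across Microsoft cloud services", and the tag hunks keep Azure Activity Logs, Microsoft Graph Activity Logs and Microsoft 365 Audit Logs as data sources. When the hit comes from a Graph activity or M365 audit event, the title will send the analyst to the wrong log. Either keep a source-neutral title such as `name = "BloodHound Suite User-Agent Detected"`, or narrow `index` to the sign-in data stream and drop the Graph/M365 data-source and platform tags so title and coverage agree.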
@@ -2,7 +2,7 @@
 creation_date = "2025/07/02"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "TeamFiltration User-Agents Detected"
+name = "Entra ID Sign-ins TeamFiltration User-Agent Detected"
 note = """## Triage and analysis
 
 Identifies potential enumeration or password spraying activity using TeamFiltration tool. TeamFiltration is an open-source enumeration, password spraying and exfiltration tool designed for Entra ID and Microsoft 365. Adversaries are known to use TeamFiltration in-the-wild to enumerate users, groups, and roles, as well as to perform password spraying attacks against Microsoft Entra ID and Microsoft 365 accounts. This rule detects the use of TeamFiltration by monitoring for specific user-agent strings associated with the tool in Azure and Microsoft 365 logs.
@@ -81,6 +81,7 @@ rule_id = "f541ca3a-5752-11f0-b44b-f661ea17fbcd"
 severity = "medium"
 tags = [
 "Domain: Cloud",
+ "Domain: IAM",
 "Data Source: Azure",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
@@ -90,6 +91,8 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Resources: Investigation Guide",
+ "Platform: Microsoft Entra ID",
+ "Platform: Microsoft 365"
 ]
 tim estamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
similarity index 92%
rename from rules/integrations/azure/discovery_blob_container_access_mod.toml
rename to rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
index 52b0400362c..7ff236f4039 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
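Review bot: `"Entra ID Sign-ins TeamFiltration User-Agent Detected"` names only sign-in logs, while the `index` line above it keeps `logs-o365.audit-*` alongside `logs-azure.signinlogs-*`, the note in the same hunk says the user agent is matched "in Azure and Microsoft 365 logs", and the tag hunks retain `"Data Source: Microsoft 365 Audit Logs"` and add `"Platform: Microsoft 365"`. A TeamFiltration hit from an M365 audit event would then carry a title that points the analyst at Entra ID sign-ins. Keep a source-neutral title such as `name = "TeamFiltration User-Agent Detected"`, or trim `index` and the M365 tags so the title is true.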
+++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -17,17 +17,17 @@ false_positives = [
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Blob Container Access Level Modification"
+name = "Azure Blob Storage Container Access Level Modified"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Azure Blob Container Access Level Modification
+### Investigating Blob Storage Container Access Level Modification
 
 Azure Blob Storage is a service for storing large amounts of unstructured data, where access levels can be configured to control data visibility. Adversaries may exploit misconfigured access levels to gain unauthorized access to sensitive data. The detection rule monitors changes in container access settings, focusing on successful modifications, to identify potential security risks associated with unauthorized access level changes.
 
@@ -64,7 +64,17 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Discovery", "Resources: Investigation Guide"]
+tags = [
+ "Domain: Cloud",
+ "Domain: Storage",
+ "Data Source: Azure",
+ "Service: Azure Storage",
+ "Data Source: Azure Activity Logs",
+ "Use Case: Asset Visibility",
+ "Tactic: Discovery",
+ "Resources: Investigation Guide",
+ "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_compute_vm_command_executed.toml
similarity index 92%
rename from rules/integrations/azure/execution_command_virtual_machine.toml
rename to rules/integrations/azure/execution_compute_vm_command_executed.toml
index b6baefbe892..3c1bf8d5056 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_compute_vm_command_executed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -20,17 +20,17 @@ false_positives = [ from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Command Execution on Virtual Machine" +name = "Azure Compute VM Command Execution" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Command Execution on Virtual Machine +### Investigating Compute VM Command Execution Azure Virtual Machines (VMs) allow users to run applications and services in the cloud. While roles like Virtual Machine Contributor can manage VMs, they typically can't access them directly. However, commands can be executed remotely via PowerShell, running as System. Adversaries may exploit this to execute unauthorized commands. The detection rule monitors Azure activity logs for command execution events, flagging successful operations to identify potential misuse. @@ -72,7 +72,17 @@ references = [ risk_score = 47 rule_id = "60884af6-f553-4a6c-af13-300047455491" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Server", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Log Auditing", + "Tactic: Execution", + "Resources: Investigation Guide", + "Service: Azure Compute Services", + "Platform: Azure", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/impact_azure_key_vault_modified.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml similarity index 96% rename from rules/integrations/azure/impact_azure_key_vault_modified.toml rename to rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index b7c2cf63810..f6fe9322844 100644 --- a/rules/integrations/azure/impact_azure_key_vault_modified.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/07/09" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ license = "Elastic License v2" name = "Azure Key Vault Modified" note = """## Triage and analysis -### Investigating Azure Key Vault Modified +### Investigating Key Vault Modified Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects modifications to Key Vaults, which may indicate potential security incidents or misconfigurations. @@ -61,12 +61,14 @@ rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec" severity = "low" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Azure Activity Logs", "Tactic: Impact", "Use Case: Configuration Audit", - "Resources: Investigation Guide" + "Resources: Investigation Guide", + "Service: Azure Key Vault", + "Platform: Azure", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index b81637fa6e9..c87fb45dbfc 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml 
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Austin Songer"] @@ -17,17 +17,17 @@ false_positives = [ behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Kubernetes Pods Deleted" +name = "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Kubernetes Pods Deleted +### Investigating AKS Kubernetes Pods Deleted Azure Kubernetes Service (AKS) enables the deployment, management, and scaling of containerized applications using Kubernetes. Pods, the smallest deployable units in Kubernetes, can be targeted by adversaries to disrupt services or evade detection. Malicious actors might delete pods to cause downtime or hide their activities. The detection rule monitors Azure activity logs for successful pod deletion operations, alerting security teams to potential unauthorized actions that could impact the environment's stability and security. 
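Review bot: The new rule name `Azure Kubernetes Services (AKS) Kubernetes Pods Deleted` pluralizes the service and repeats "Kubernetes", while the guide paragraph in this same hunk and the `Service: Azure Kubernetes Service` tag in the next hunk both use the singular. Suggest `name = "Azure Kubernetes Service (AKS) Pods Deleted"` with the matching heading `### Investigating Azure Kubernetes Service (AKS) Pods Deleted`. Narrowing the index to `logs-azure.activitylogs-*` is fine only if the query (outside this hunk) already targets the `azure.activitylogs` dataset; any other Azure dataset is now silently excluded, so that is worth confirming with a test event.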
@@ -66,7 +66,17 @@ references = [ risk_score = 47 rule_id = "83a1931d-8136-46fc-b7b9-2db4f639e014" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Impact", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Cloud Workloads", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Asset Visibility", + "Tactic: Impact", + "Resources: Investigation Guide", + "Service: Azure Kubernetes Service", + "Platform: Azure", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml similarity index 93% rename from rules/integrations/azure/impact_resource_group_deletion.toml rename to rules/integrations/azure/impact_resources_resource_group_deletion.toml index 9a3bd20a8cc..e583236e85e 100644 --- a/rules/integrations/azure/impact_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -19,17 +19,17 @@ false_positives = [ from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Resource Group Deletion" +name = "Azure Resource Group Deleted" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Resource Group Deletion +### Investigating Azure Resource Group Deleted Azure Resource Groups are containers that hold related resources for an Azure solution, enabling efficient management and organization. Adversaries may exploit this by deleting entire groups to disrupt services or erase data, causing significant impact. The detection rule monitors Azure activity logs for successful deletion operations, flagging potential malicious actions for further investigation. @@ -69,7 +69,16 @@ references = [ risk_score = 47 rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Log Auditing", + "Tactic: Impact", + "Resources: Investigation Guide", + "Service: Azure Resource Manager", + "Platform: Azure", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml similarity index 84% rename from rules/integrations/azure/initial_access_external_guest_user_invite.toml rename to rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index d78d3c2067f..361b4251e18 100644 --- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,12 +2,12 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] description = """ -Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include +Identifies an invitation to an external user in Microsoft Entra ID. Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability. 
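Review bot: The rewritten description line still reads `in Microsoft Entra ID. Azure AD is extended to include collaboration`, so the old product name survives in the very sentence this change renames. Suggest `Identifies an invitation to an external user in Microsoft Entra ID. Entra ID is extended to include` (or `Microsoft Entra ID (formerly Azure AD)` if the alias is wanted for searchability). The adjacent context line `it is best practice avoid creating guest users` is also missing "to" and could be fixed while this string is being touched.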
@@ -19,19 +19,19 @@ false_positives = [ hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure External Guest User Invitation" +name = "Entra ID External Guest User Invited" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure External Guest User Invitation +### Investigating Entra ID External Guest User Invited -Azure Active Directory (AD) facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries may exploit this feature to gain unauthorized access, posing security risks. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations. +Microsoft Entra ID facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries may exploit this feature to gain unauthorized access, posing security risks. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations. ### Possible investigation steps 
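Review bot: The index pattern is narrowed to `logs-azure.activitylogs-*`, yet the investigation guide in this same hunk says the rule "monitors audit logs for successful external user invitations" and the next hunk tags it `Data Source: Microsoft Entra ID Audit Logs`. Guest invitations are Entra ID directory audit events rather than Azure Resource Manager activity-log events, so if the query (outside this hunk) filters on `event.dataset:azure.auditlogs` the rule will match nothing after this change. The pattern should presumably be `index = ["filebeat-*", "logs-azure.auditlogs-*"]`; please verify against the query and a known-good invitation event before merging.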
@@ -67,7 +67,17 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/ risk_score = 21 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: IAM", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml similarity index 97% rename from rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml rename to rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 59141ad8430..f7a698dd2cf 100644 --- a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml +++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,8 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2025/09/02" + [rule] author = ["Elastic"] 
@@ -24,10 +25,10 @@ from = "now-31m" interval = "30m" language = "esql" license = "Elastic License v2" -name = "Microsoft Entra ID Suspicious Session Reuse to Graph Access" +name = "Entra ID OAuth User Impersonation to Microsoft Graph" note = """## Triage and analysis -### Investigating Microsoft Entra ID Suspicious Session Reuse to Graph Access +### Investigating Entra ID Suspicious Session Reuse to Graph Access Identifies potential phishing, session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID and client application. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location. @@ -73,11 +74,10 @@ This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activ severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", - "Domain: API", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", + "Data Source: Microsoft Entra ID Sign-in Logs", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Use Case: Identity and Access Audit", @@ -85,6 +85,9 @@ tags = [ "Resources: Investigation Guide", "Tactic: Defense Evasion", "Tactic: Initial Access", + "Platform: Azure", + "Platform: Microsoft Entra ID", + "Service: Microsoft Graph" ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml index edeab46d0d5..f46ac9d9381 100644 --- a/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_high_risk_signin.toml 
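Review bot: The rule is renamed to `Entra ID OAuth User Impersonation to Microsoft Graph`, but the guide heading on the next line still reads `### Investigating Entra ID Suspicious Session Reuse to Graph Access`, so the name and its triage section no longer match. Either update the heading to `### Investigating Entra ID OAuth User Impersonation to Microsoft Graph` or keep the original name: the note describes the detection as the same session ID and client application reaching Graph from a different IP, which is session reuse, and "OAuth user impersonation" promises more than that query evaluates. Separately, the appended `"Service: Microsoft Graph"` tag lacks the trailing comma every other tag array in this diff carries; add it for consistency.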
@@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["azure"] maturity = "production" -updated_date = "2025/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Willem D'Haese"] @@ -13,13 +13,13 @@ provide specific details about how risk is calculated, each level brings higher compromised. """ from = "now-9m" -index = ["filebeat-*", "logs-azure.signinlogs*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID High Risk Sign-in" +name = "Entra ID High Risk Sign-in" note = """## Triage and analysis -### Investigating Microsoft Entra ID High Risk Sign-in +### Investigating Entra ID High Risk Sign-in This rule detects high-risk sign-ins in Microsoft Entra ID as identified by Identity Protection. These sign-ins are flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of compromise based on Microsoft’s machine learning and heuristics. This alert is valuable for identifying accounts under active attack or compromise using valid credentials. @@ -62,12 +62,14 @@ rule_id = "37994bca-0611-4500-ab67-5588afe73b77" severity = "high" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml similarity index 96% rename from rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml rename to rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index 9ef4177c59b..60e80418ef3 100644 --- a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -13,13 +13,13 @@ accomplished by tricking a user into granting consent to the application, typica establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Illicit Consent Grant via Registered Application" +name = "Entra ID Illicit Consent Grant via Registered Application" note = """## Triage and analysis -### Investigating Microsoft Entra ID Illicit Consent Grant via Registered Application +### Investigating Entra ID Illicit Consent Grant via Registered Application Adversaries may register a malicious application in Microsoft Entra ID and trick users into granting excessive permissions via OAuth consent. These applications can access sensitive data—such as mail, profiles, or files—on behalf of the user once consent is granted. This is commonly delivered via spearphishing links that prompt users to approve permissions for seemingly legitimate applications. @@ -67,6 +67,7 @@ rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", @@ -74,6 +75,7 @@ tags = [ "Resources: Investigation Guide", "Tactic: Initial Access", "Tactic: Credential Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml similarity index 96% rename from rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml rename to rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml index b0741633054..a535466e881 100644 
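Review bot: The index is narrowed from `logs-azure*` to `logs-azure.signinlogs-*`, while the rule's unchanged tag in the following hunk is `Data Source: Microsoft Entra ID Audit Logs` and the description is about consent grants to a registered application. Consent grants are recorded as directory audit events, so if the new_terms query (outside this hunk) filters on `event.dataset:azure.auditlogs`, this narrowing makes the rule match nothing. Either restore `index = ["filebeat-*", "logs-azure.auditlogs-*"]` or, if the query genuinely keys on sign-in logs, correct the tag; please confirm with a test event. The context line `malicious client applocation` is also a typo ("application") that could be fixed alongside.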
--- a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_vscode_client.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -15,14 +15,14 @@ Insiders redirect location, prompting victims to return an OAuth authorization c tokens. This rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing activity. """ -from = "now-25m" +from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID OAuth Phishing via Visual Studio Code Client" +name = "Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph" note = """## Triage and analysis -### Investigating Microsoft Entra ID OAuth Phishing via Visual Studio Code Client +### Investigating Entra ID OAuth Phishing via Visual Studio Code Client ### Possible investigation steps @@ -67,12 +67,14 @@ rule_id = "14fa0285-fe78-4843-ac8e-f4b481f49da9" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml similarity index 94% rename from rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml rename to rules/integrations/azure/initial_access_entra_id_powershell_signin.toml index 84c1ea44cae..5bc7dd95255 100644 
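Review bot: The name changes to `Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph`, but the heading two lines later still says `### Investigating Entra ID OAuth Phishing via Visual Studio Code Client`, and the description above (context) still frames the rule as phishing detection, so name, heading and description now disagree on what an alert means. Align the heading with the new name, `### Investigating Entra ID OAuth Flow by Visual Studio Code to Microsoft Graph`, and add a sentence under it stating that a legitimate VS Code sign-in to Graph also matches and that the investigation steps decide whether it is phishing; without that, the neutral name reads like a known-benign activity. The `from = "now-9m"` shortening is reasonable given `timestamp_override = "event.ingested"` in the last hunk.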
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_entra_id_powershell_signin.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -17,14 +17,14 @@ false_positives = [ investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Active Directory PowerShell Sign-in" +name = "Entra ID PowerShell Sign-in" note = """## Triage and analysis -### Investigating Azure Active Directory PowerShell Sign-in +### Investigating Entra ID PowerShell Sign-in Azure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features. @@ -73,10 +73,14 @@ rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97" severity = "low" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" 
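Review bot: The tag block adds `"Data Source: Microsoft Entra ID Audit Logs"`, but this file's `index` is narrowed to `logs-azure.signinlogs-*` in the hunk above and the rule detects a sign-in, so the data-source tag names the wrong log stream; it should be `"Data Source: Microsoft Entra ID Sign-in Logs"`, matching the other sign-in rules in this diff. The guide heading is renamed to Entra ID while its first paragraph (unchanged context) still describes "Azure Active Directory PowerShell for Graph (Azure AD PowerShell)"; presumably that module's status has changed since the rule was written, and a one-line note on whether sign-ins from it are still expected would tell analysts how to weigh an alert.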
diff --git a/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml similarity index 96% rename from rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml rename to rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml index 72d1c1bdcdb..9ce3a6db7de 100644 --- a/rules/integrations/azure/initial_access_entra_protection_multi_azure_identity_protection_alerts.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -16,10 +16,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.identity_protection-*"] language = "eql" license = "Elastic License v2" -name = "Multiple Microsoft Entra ID Protection Alerts by User Principal" +name = "Entra ID Protection Alerts for User Detected" note = """## Triage and analysis -### Investigating Multiple Microsoft Entra ID Protection Alerts by User Principal +### Investigating Multiple Entra ID Protection Alerts by User Principal #### Possible investigation steps - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection). @@ -62,12 +62,14 @@ rule_id = "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f" severity = "high" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Protection Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "eql" 
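Review bot: The rename to `Entra ID Protection Alerts for User Detected` drops "Multiple" while the heading on the next line keeps it (`### Investigating Multiple Entra ID Protection Alerts by User Principal`), and the original name carried the fact that this EQL rule is about several risk detections for one principal rather than a single alert. Either keep that qualifier, e.g. `name = "Multiple Entra ID Protection Alerts for User"`, or update the heading to match the new name so analysts do not see two different titles for one alert. `index` and `from` are unchanged here, so this is a naming and documentation point only.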
diff --git a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml index 2565be3e132..dda45fd686f 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/29" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2025/05/02" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -80,14 +80,15 @@ For information on troubleshooting the maximum alerts warning please refer to th severity = "high" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", - "Data Source: Entra ID", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Use Case: Risk Detection", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml index 432ecc45e7d..140ded4b152 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml +++ b/rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml @@ -3,7 +3,7 @@ creation_date = "2025/06/02" integration = ["azure"] maturity = "production" promotion = true -updated_date = "2025/06/02" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -77,14 +77,15 @@ For information on troubleshooting the maximum alerts warning please refer to th severity = "high" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", - "Data Source: Entra ID", + "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Use Case: Risk Detection", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml similarity index 89% rename from rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml rename to rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index 4c2bcd0fa64..96ec5471cdb 100644 --- a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/10" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -13,15 +13,15 @@ indicate an attempt to bypass conditional access policies (CAP) and multi-factor app ID specified may not be commonly used by the user based on their historical sign-in activity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Entra ID Rare App ID for Principal Authentication" +name = "Entra ID User Sign-in with Rare Client" note = """## Triage and analysis -### Investigating Azure Entra ID Rare App ID for Principal Authentication +### Investigating Entra ID Rare App ID for Principal Authentication -This rule identifies rare Azure Entra apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. +This rule identifies rare Azure apps IDs requesting authentication on-behalf-of a principal user. An adversary with stolen credentials may specify an Azure-managed app ID to authenticate on-behalf-of a user. This is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The app ID specified may not be commonly used by the user based on their historical sign-in activity. **This is a New Terms rule that focuses on first occurrence of the client `azure.signinlogs.properties.app_id` requesting authentication on-behalf-of the principal user `azure.signinlogs.properties.user_principal_name` in the last 14-days.** 
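Review bot: The rewritten guide sentence `This rule identifies rare Azure apps IDs requesting authentication` has a grammar slip ("apps IDs") and, by dropping "Entra", attributes the app IDs to Azure generally even though the field named two lines below is `azure.signinlogs.properties.app_id` from Entra ID sign-in logs. Suggest `This rule identifies rare Microsoft Entra ID application IDs requesting authentication on-behalf-of a principal user.` The heading `### Investigating Entra ID Rare App ID for Principal Authentication` also no longer matches the new name `Entra ID User Sign-in with Rare Client`; align one with the other.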
@@ -71,13 +71,15 @@ rule_id = "c766bc56-fdca-11ef-b194-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml similarity index 97% rename from rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml rename to rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index be3ebf75d6f..6c04bdded6d 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/25" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -16,10 +16,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Rare Authentication Requirement for Principal User" +name = "Entra ID User Sign-In with Rare Authentication Type" note = """## Triage and analysis -### Investigating Microsoft Entra ID Rare Authentication Requirement for Principal User +### Investigating Entra ID Rare Authentication Requirement for Principal User Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. @@ -71,6 +71,7 @@ rule_id = "9e11faee-fddb-11ef-8257-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", @@ -78,6 +79,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml similarity index 91% rename from rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml rename to rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml index 1657100c372..32975bc2802 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml 
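Review bot: The new `name = "Entra ID User Sign-In with Rare Authentication Type"` capitalises "Sign-In" while every other rule name and tag in this change uses "Sign-in" (this very change normalises the tag `Microsoft Entra ID Sign-In Logs` to `Sign-in Logs` elsewhere). Keeping one spelling matters for anyone searching or sorting rules by name. Suggest `name = "Entra ID User Sign-in with Rare Authentication Type"`.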
+++ b/rules/integrations/azure/initial_access_entra_id_risky_user_or_compromised_sign_in.toml @@ -2,22 +2,22 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Austin Songer"] description = """ -Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning +Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Active Directory High Risk User Sign-in Heuristic" +name = "Entra ID High Risk User Sign-in Heuristic" note = """## Triage and analysis -### Investigating Azure Active Directory High Risk User Sign-in Heuristic +### Investigating Entra ID High Risk User Sign-in Heuristic Microsoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks. @@ -69,10 +69,14 @@ rule_id = "26edba02-6979-4bce-920a-70b080a7be81" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index 0cd35b7bd96..00d521b9f47 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml 
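Review bot: The tags hunk adds `"Data Source: Microsoft Entra ID Audit Logs"`, but the same file's index pattern was just narrowed to `logs-azure.signinlogs-*` and the rule's name and description are about sign-ins, so the data-source tag points at the wrong log stream. It should be `"Data Source: Microsoft Entra ID Sign-in Logs"`, matching the other sign-in rules in this change. If the query (outside the hunk) does in fact read audit-log fields, the index change rather than the tag is the thing to revisit.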
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -25,12 +25,12 @@ from = "now-61m" interval = "60m" language = "esql" license = "Elastic License v2" -name = "Suspicious Microsoft OAuth Flow via Auth Broker to DRS" +name = "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)" note = """## Triage and analysis -### Investigating Suspicious Microsoft OAuth Flow via Auth Broker to DRS +### Investigating Entra ID OAuth Flow via Auth Broker to DRS -This rule identifies potential OAuth phishing behavior in Microsoft Entra ID where two OAuth authorization flows are observed in quick succession, sharing the same user principal and session ID but originating from different IP addresses. The client application is the Microsoft Authentication Broker, and the target resource is the Device Registration Service (DRS). This pattern is indicative of adversaries attempting to phish targets for OAuth sessions by tricking users into authenticating through a crafted URL, which then allows the attacker to obtain an authorization code and exchange it for access and refresh tokens. +This rule identifies potential OAuth phishing behavior in Entra ID where two OAuth authorization flows are observed in quick succession, sharing the same user principal and session ID but originating from different IP addresses. The client application is the Microsoft Authentication Broker, and the target resource is the Device Registration Service (DRS). This pattern is indicative of adversaries attempting to phish targets for OAuth sessions by tricking users into authenticating through a crafted URL, which then allows the attacker to obtain an authorization code and exchange it for access and refresh tokens. ### Possible Investigation Steps: 
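Review bot: The new `name` drops the word "Suspicious", so the alert title now reads like a description of a routine Authentication Broker to DRS flow, while the note on the next lines still calls the detected pattern "potential OAuth phishing behavior". A responder reading only the title will under-triage it. Suggest keeping a qualifier, e.g. `name = "Suspicious Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)"`, and aligning the `### Investigating ...` heading with whatever final title is chosen.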
@@ -76,14 +76,15 @@ This rule requires the Microsoft Entra ID Sign-In Logs integration be enabled an severity = "high" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in Logs", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index bca0c1f9e54..9db98b38c92 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Unusual ROPC Login Attempt by User Principal" +name = "Entra ID OAuth ROPC Grant Login Detected" note = """## Triage and analysis -### Investigating Unusual ROPC Login Attempt by User Principal +### Investigating Entra ID OAuth ROPC Grant Login Detected This rule detects unusual login attempts using the Resource Owner Password Credentials (ROPC) flow in Microsoft Entra ID. ROPC allows applications to obtain tokens by directly providing user credentials, bypassing multi-factor authentication (MFA). This method is less secure and can be exploited by adversaries to gain access to user accounts, especially during enumeration or password spraying. 
@@ -58,13 +58,14 @@ rule_id = "8d696bd0-5756-11f0-8e3b-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml index fd4b19f0d93..07cfa620771 100644 --- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/21" integration = ["azure"] maturity = "production" -updated_date = "2025/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Willem D'Haese"] @@ -13,10 +13,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID User Reported Suspicious Activity" +name = "Entra ID User Reported Suspicious Activity" note = """## Triage and Analysis -### Investigating Microsoft Entra ID User Reported Suspicious Activity +### Investigating Entra ID User Reported Suspicious Activity This rule detects when a user in Microsoft Entra ID reports suspicious activity associated with their account. This feature is often used to report MFA fatigue or unsolicited push notifications, and is logged during authentication flows involving methods like Microsoft Authenticator. Such events may indicate that an attacker attempted unauthorized access and triggered a push that was denied or flagged by the user. 
@@ -59,12 +59,14 @@ rule_id = "caaa8b78-367c-11f0-beb8-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml index 43f8661beeb..1bdbf6c2f57 100644 --- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml +++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2025/05/19" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Graph First Occurrence of Client Request" +name = "Microsoft Graph Request User Impersonation by Rare Client" note = """## Triage and analysis ### Investigating Microsoft Graph First Occurrence of Client Request @@ -80,12 +80,15 @@ rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd" severity = "low" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Resources: Investigation Guide", "Use Case: Identity and Access Audit", "Tactic: Initial Access", + "Platform: Azure", + "Service: Microsoft Graph" ] timestamp_override = "event.ingested" type = "new_terms" 
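Review bot: In the Microsoft Graph rule's tags hunk the last element `"Service: Microsoft Graph"` has no trailing comma, unlike every other multi-line `tags` array rewritten in this change, which all end with a trailing comma before `]`. The file is still valid TOML, but the next tag added here will produce a noisier diff and an easy-to-miss syntax error. Suggest `"Service: Microsoft Graph",`.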
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_automation_account_created.toml similarity index 93% rename from rules/integrations/azure/persistence_azure_automation_account_created.toml rename to rules/integrations/azure/persistence_automation_account_created.toml index 8ee4ea7b979..ba154d144cf 100644 --- a/rules/integrations/azure/persistence_azure_automation_account_created.toml +++ b/rules/integrations/azure/persistence_automation_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -11,8 +11,8 @@ Identifies when an Azure Automation account is created. Azure Automation account tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Account Created" @@ -62,7 +62,17 @@ references = [ risk_score = 21 rule_id = "df26fd74-1baa-4479-b42e-48da84642330" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Azure", + "Service: Azure Automation", +] timestamp_override = "event.ingested" type = "query" 
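Review bot: The `index` change from `logs-azure*` to `logs-azure.activitylogs-*` narrows what this rule searches, but the hunk does not show the query, so it is not visible whether the query already constrains `event.dataset` to activity logs (in which case this is a no-op) or whether matching events in other `logs-azure.*` streams are now silently excluded; that should be confirmed before merging. The same index narrowing and `from = "now-25m"` to `now-9m` lookback reduction are made identically in the runbook and webhook automation rules. Since `timestamp_override = "event.ingested"` is present in all three, the shorter lookback should not drop late-arriving events, but it is worth a sentence in the PR description because it changes the rule's effective window.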
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml similarity index 94% rename from rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml rename to rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml index 3fd64612819..00eb7197f9c 100644 --- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/persistence_automation_runbook_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -10,8 +10,8 @@ description = """ Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Runbook Created or Modified" @@ -63,7 +63,17 @@ references = [ risk_score = 21 rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Azure", + "Service: Azure Automation", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_automation_webhook_created.toml similarity index 93% rename from rules/integrations/azure/persistence_azure_automation_webhook_created.toml rename to rules/integrations/azure/persistence_automation_webhook_created.toml index cb9f10e3b6a..33da4334a68 100644 --- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_automation_webhook_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -11,8 +11,8 @@ Identifies when an Azure Automation webhook is created. Azure Automation runbook webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Webhook Created" @@ -63,7 +63,17 @@ references = [ risk_score = 21 rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Data Source: Azure", + "Data Source: Azure Activity Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Azure", + "Service: Azure Automation", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml similarity index 81% rename from rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml rename to rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index 674ba5a966b..82dcf1c269e 100644 --- a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -10,52 +10,52 @@ description = """ Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Conditional Access Policy (CAP) Modified" +name = "Entra ID Conditional Access Policy (CAP) Modified" note = """## Triage and analysis -## Investigation Guide: Microsoft Entra ID Conditional Access Policy (CAP) Modified +## Investigating Entra ID Conditional Access Policy (CAP) Modified Azure Conditional Access Policies (CAPs) are critical for enforcing secure access requirements such as multi-factor authentication (MFA), restricting specific users or groups, and managing sign-in conditions. Modifying these policies can be a technique for weakening an organization’s defenses and maintaining persistence after initial access. This rule detects a successful update to a Conditional Access Policy in Microsoft Entra ID (formerly Azure AD). -### Possible Investigation Steps +### Possible investigation steps -- **Identify the user who modified the policy:** +- Identify the user who modified the policy: - Check the value of `azure.auditlogs.properties.initiated_by.user.userPrincipalName` to determine the identity that made the change. - Investigate their recent activity to determine if this change was expected or authorized. -- **Review the modified policy name:** +- Review the modified policy name: - Look at `azure.auditlogs.properties.target_resources.*.display_name` to find the name of the affected policy. - Determine whether this policy is related to critical controls (e.g., requiring MFA for admins). 
-- **Analyze the policy change:** +- Analyze the policy change: - Compare the `old_value` and `new_value` fields under `azure.auditlogs.properties.target_resources.*.modified_properties.*`. - Look for security-reducing changes, such as: - Removing users/groups from enforcement. - Disabling MFA or risk-based conditions. - Introducing exclusions that reduce the policy’s coverage. -- **Correlate with other activity:** +- Correlate with other activity: - Pivot on `azure.auditlogs.properties.activity_datetime` to identify if any suspicious sign-ins occurred after the policy was modified. - Check for related authentication logs, particularly from the same IP address (`azure.auditlogs.properties.initiated_by.user.ipAddress`). -- **Assess the user's legitimacy:** +- Assess the user's legitimacy: - Review the initiator’s Azure role, group memberships, and whether their account was recently elevated or compromised. - Investigate whether this user has a history of modifying policies or if this is anomalous. -### Validation & False Positive Considerations +### False positive analysis -- **Authorized administrative changes:** Some organizations routinely update CAPs as part of policy tuning or role-based access reviews. -- **Security reviews or automation:** Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs. -- **Employee lifecycle events:** Policy changes during employee onboarding/offboarding may include updates to access policies. +- Authorized administrative changes: Some organizations routinely update CAPs as part of policy tuning or role-based access reviews. +- Security reviews or automation: Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs. +- Employee lifecycle events: Policy changes during employee onboarding/offboarding may include updates to access policies. 
If any of these cases apply and align with the activity's context, consider tuning the rule or adding exceptions for expected patterns. -### Response & Remediation +### Response and remediation - Revert unauthorized or insecure changes to the Conditional Access Policy immediately. - Temporarily increase monitoring of CAP modifications and sign-in attempts. @@ -72,13 +72,15 @@ rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Configuration Audit", "Tactic: Persistence", - "Resources: Investigation Guide" + "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml similarity index 89% rename from rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml rename to rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 4e7b23074b2..fa055d382fa 100644 --- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
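Review bot: The rewritten heading `## Investigating Entra ID Conditional Access Policy (CAP) Modified` uses a level-2 heading, while every other rule in this change (and the `### Possible investigation steps` sub-heading directly below it) uses `### Investigating ...` under `## Triage and analysis`. The guide therefore renders with a different structure from its siblings. Suggest `### Investigating Entra ID Conditional Access Policy (CAP) Modified`. The enclosing `note` string continues past the end of this hunk.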
@@ -13,19 +13,19 @@ identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure AD Global Administrator Role Assigned" +name = "Entra ID Global Administrator Role Assigned" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure AD Global Administrator Role Assigned +### Investigating Entra ID Global Administrator Role Assigned -Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. +Entra ID's Global Administrator role grants comprehensive access to manage Entra ID and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches. ### Possible investigation steps 
@@ -62,7 +62,17 @@ references = [ risk_score = 47 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: IAM", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index 19495680ae2..d851d6182f3 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -64,13 +64,14 @@ rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf" severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" @@ -101,4 +102,3 @@ reference = "https://attack.mitre.org/techniques/T1556/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml index 8612b003fad..e0db302ebc2 100644 --- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml +++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/07/31" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -14,10 +14,10 @@ multi-factor authentication (MFA) and unauthorized access through bring-your-own from = "now-9m" language = "esql" license = "Elastic License v2" -name = "OIDC Discovery URL Changed in Entra ID" +name = "Entra ID OIDC Discovery URL Modified" note = """## Triage and analysis -### Investigating OIDC Discovery URL Changed in Entra ID +### Investigating Entra ID OIDC Discovery URL Modified This rule detects when the OIDC `discoveryUrl` is changed within the Entra ID Authentication Methods policy. Adversaries may leverage this to federate Entra ID with a rogue Identity Provider (IdP) under their control, allowing them to authenticate users with attacker-owned credentials and bypass MFA. This misconfiguration allows an attacker to impersonate valid users by issuing tokens via a third-party OIDC IdP while still passing validation in Entra ID. This technique has been publicly demonstrated and has critical implications for trust in federated identity. @@ -45,13 +45,14 @@ rule_id = "498e4094-60e7-11f0-8847-f661ea17fbcd" severity = "high" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "esql" 
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml similarity index 88% rename from rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml rename to rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index e81be681868..0fc41f99464 100644 --- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml @@ -2,12 +2,12 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] description = """ -Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) +Identifies an Microsoft Entra ID Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization. 
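Review bot: The rewritten description line `Identifies an Microsoft Entra ID Global Administrator role addition` has an article error; it should be `Identifies a Microsoft Entra ID Global Administrator role addition`. The rename also stops one line short: the unchanged context line that follows still says `in your Azure AD organization`, so the description mixes both product names. The description string continues past the end of the hunk.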
@@ -20,18 +20,19 @@ false_positives = [ from the rule. """, ] -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Global Administrator Role Addition to PIM User" +name = "Entra ID Global Administrator Role Assigned (PIM User)" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Azure Global Administrator Role Addition to PIM User +### Investigating Entra ID Global Administrator Role Addition to PIM User -Azure AD's Global Administrator role grants extensive access, allowing users to modify any administrative setting. Privileged Identity Management (PIM) helps manage and monitor such access. Adversaries may exploit this by adding themselves or others to this role, gaining persistent control. The detection rule identifies suspicious role additions by monitoring specific audit logs, focusing on successful role assignments to PIM users, thus helping to flag potential unauthorized access attempts. +Entra ID's Global Administrator role grants extensive access, allowing users to modify any administrative setting. Privileged Identity Management (PIM) helps manage and monitor such access. Adversaries may exploit this by adding themselves or others to this role, gaining persistent control. The detection rule identifies suspicious role additions by monitoring specific audit logs, focusing on successful role assignments to PIM users, thus helping to flag potential unauthorized access attempts. ### Possible investigation steps 
@@ -69,7 +70,17 @@ references = [ risk_score = 73 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8" severity = "high" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: IAM", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml similarity index 86% rename from rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml rename to rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index fa292e7a474..8acaf40b729 100644 --- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml 
@@ -2,26 +2,26 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2025/08/28" [rule] author = ["Elastic"] description = """ -Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and +Microsoft Entra ID Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Privilege Identity Management Role Modified" +name = "Entra ID Privileged Identity Management (PIM) Role Modified" note = """## Triage and analysis -### Investigating Azure Privilege Identity Management Role Modified +### Investigating Entra ID PIM Role Modified -Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. +Entra ID Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Entra ID resource roles such as Global Administrator and Application Administrator. This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings. 
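Review bot: The unchanged description line in this hunk still says PIM "can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator", while the rewritten note line a few lines below now says "built-in Entra ID resource roles", so the two paragraphs of the same rule disagree. Global Administrator and Application Administrator are Entra ID directory roles, not Azure resource (RBAC) roles, and "Entra ID resource roles" is not a PIM category an analyst can look up; both sentences should read `built-in Entra ID directory roles such as Global Administrator and Application Administrator`. Shrinking `from` from `now-25m` to `now-9m` looks safe only because the rule keeps `timestamp_override = "event.ingested"` (visible in this file's tags hunk), which makes the look-back relative to ingestion rather than Entra event time; that reasoning belongs in the commit message since the same shrink is applied to several rules here.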
@@ -70,10 +70,14 @@ rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index cda64192073..2ada88a55b8 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/06/24" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-azure.signinlogs-*"] interval = "30m" language = "eql" license = "Elastic License v2" -name = "Entra ID RT to PRT Transition from Same User and Device" +name = "Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected" note = """## Triage and analysis ### Investigating Entra ID RT to PRT Transition from Same User and Device @@ -54,14 +54,15 @@ rule_id = "40e60816-5122-11f0-9caa-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Use Case: Threat Detection", "Data Source: Azure", "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", + "Data Source: Microsoft Entra ID Sign-in Logs", "Tactic: Persistence", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "eql" 
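Review bot: The rename to `Entra ID OAuth Primary Refresh Token (PRT) Issuance via Refresh Token (RT) Detected` leaves the guide heading in the same hunk as `### Investigating Entra ID RT to PRT Transition from Same User and Device`, so the alert title and its investigation guide no longer refer to the rule by the same name; update the heading to match. The new name also drops the "same user and device" qualifier that, judging by the old name, is what distinguishes this sequence from ordinary PRT issuance; if the EQL query (outside this hunk) still joins on user and device, keeping that qualifier in the title, e.g. `Entra ID PRT Issuance via Refresh Token from Same User and Device`, tells the analyst what was actually correlated. The trailing "Detected" carries no information and none of the sibling rules renamed in this change use it.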
diff --git a/rules/integrations/azure/persistence_entra_service_principal_created.toml b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml similarity index 94% rename from rules/integrations/azure/persistence_entra_service_principal_created.toml rename to rules/integrations/azure/persistence_entra_id_service_principal_created.toml index 32bb180ec3a..5e1404d54f8 100644 --- a/rules/integrations/azure/persistence_entra_service_principal_created.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -23,12 +23,12 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Service Principal Created" +name = "Entra ID Service Principal Created" note = """## Triage and analysis -### Investigating Microsoft Entra ID Service Principal Created +### Investigating Entra ID Service Principal Created -Service Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant. +Service Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Entra ID make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Entra ID tenant. This rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps. @@ -76,12 +76,14 @@ This rule requires the Azure integration with Microsoft Entra ID Audit Logs data severity = "low" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml similarity index 96% rename from rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml rename to rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index c2933e331c2..c30adf14dad 100644 --- a/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2025/05/27" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Austin Songer"] @@ -24,10 +24,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Service Principal Credentials Added by Rare User" +name = "Entra ID Service Principal Credentials Created by Rare User" note = """## Triage and analysis -### Investigating Microsoft Entra ID Service Principal Credentials Added by Rare User +### Investigating Entra ID Service Principal Credentials Added by Rare User This rule identifies the addition of new credentials (client secrets or certificates) to a Microsoft Entra ID (formerly Azure AD) service principal by a user who has not previously performed this operation in the last 10 days. Adversaries who obtain temporary or persistent access to a user account may add rogue credentials to service principals in order to maintain unauthorized access to cloud resources. 
@@ -62,12 +62,14 @@ rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index ae192a5b237..e9b07c5a689 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2025/06/13" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious ADRS Token Request by Microsoft Auth Broker" +name = "Entra ID ADRS Token Request from Microsoft Authentication Broker" note = """## Triage and analysis -### Investigating Suspicious ADRS Token Request by Microsoft Auth Broker +### Investigating Entra ID ADRS Token Request by Microsoft Auth Broker Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e) requests access to the Device Registration Service (01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9) on behalf of a user principal. The presence of the adrs_access scope in the authentication processing details suggests an attempt to access ADRS, which is atypical for standard user sign-ins. This behavior may reflect an effort to abuse device registration for unauthorized persistence, such as acquiring a Primary Refresh Token (PRT) or establishing a trusted session. @@ -57,13 +57,14 @@ rule_id = "d121f0a8-4875-11f0-bb2b-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Sign-In Logs", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml index d5e9e59a5be..52685c327d5 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/06/13" integration = ["azure"] maturity = "production" -updated_date = "2025/06/13" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "eql" license = "Elastic License v2" -name = "Microsoft Entra ID Suspicious Cloud Device Registration" +name = "Entra ID Device Registration Detected (ROADtools)" note = """## Triage and analysis -### Investigating Microsoft Entra ID Suspicious Cloud Device Registration +### Investigating Entra ID Suspicious Cloud Device Registration This rule detects a sequence of Microsoft Entra ID audit events consistent with cloud device registration abuse via ROADtools or similar automation. The activity includes three correlated events: @@ -67,13 +67,14 @@ rule_id = "90efea04-5675-11f0-8f80-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml similarity index 90% rename from rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml rename to rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 1ef684d774f..99fe97eb233 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml 
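Review bot: Naming the rule `Entra ID Device Registration Detected (ROADtools)` attributes the detection to a single tool, while the description in the same hunk says the three-event sequence is "consistent with cloud device registration abuse via ROADtools or similar automation"; an analyst who finds no ROADtools indicators may close an alert that the sequence legitimately fired on. A behaviour-based title such as `Entra ID Suspicious Device Registration Sequence` keeps the tool name where it belongs, in the description, and avoids anchoring triage on one attribution. The guide heading `### Investigating Entra ID Suspicious Cloud Device Registration`, still present as context here, also no longer matches the new name and should be aligned in the same commit.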
@@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -11,17 +11,17 @@ Identifies when a user is added as an owner for an Azure application. An adversa for an Azure application in order to grant additional permissions and modify the application's configuration using another account. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "User Added as Owner for Azure Application" +name = "Entra ID User Added as Registered Application Owner" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating User Added as Owner for Azure Application +### Investigating Entra ID User Added as Application Owner Azure applications often require specific permissions for functionality, managed by assigning user roles. An adversary might exploit this by adding themselves or a compromised account as an owner, gaining elevated privileges to alter configurations or access sensitive data. The detection rule monitors audit logs for successful operations where a user is added as an application owner, flagging potential unauthorized privilege escalations. 
@@ -57,7 +57,17 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re risk_score = 21 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: IAM", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml similarity index 90% rename from rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml rename to rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index 51171c51de2..a5f9069e638 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Elastic"] 
@@ -13,17 +13,17 @@ service principal object is created when an application is given permission to a adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "User Added as Owner for Azure Service Principal" +name = "Entra ID User Added as Service Principal Owner" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating User Added as Owner for Azure Service Principal +### Investigating Entra ID User Added as Service Principal Owner Azure service principals are crucial for managing application permissions within a tenant, defining access and capabilities. Adversaries may exploit this by adding themselves as owners, gaining control over application permissions and access. The detection rule monitors audit logs for successful owner additions, flagging potential unauthorized changes to maintain security integrity. 
@@ -62,7 +62,17 @@ references = [ risk_score = 21 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f" severity = "low" -tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: IAM", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index 5c790fe547b..9777579b650 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/06/16" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Entra ID User Signed In from Unusual Device" +name = "Entra ID User Sign-In with Rare Registered Device" note = """## Triage and analysis ### Investigating Entra ID User Signed In from Unusual Device @@ -55,13 +55,14 @@ This rule requires the Azure integration with Microsoft Entra ID Sign-In logs to severity = "low" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" 
diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index 59f62c55e3f..566ba028d24 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/07/14" +updated_date = "2025/08/28" [rule] author = ["Elastic"] @@ -15,10 +15,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "External Authentication Method Addition or Modification in Entra ID" +name = "Entra ID External Authentication Methods (EAM) Modified" note = """## Triage and analysis -### Investigating External Authentication Method Addition or Modification in Entra ID +### Investigating Entra ID External Authentication Methods (EAM) Modified This rule detects suspicious modifications to external authentication methods (EAMs) in Microsoft Entra ID via Microsoft Graph API. Adversaries may abuse this capability to bypass multi-factor authentication (MFA), enabling persistence or unauthorized access through bring-your-own identity provider (BYOIDP) methods. @@ -54,13 +54,15 @@ rule_id = "42c97e6e-60c3-11f0-832a-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: Identity", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Graph", "Data Source: Microsoft Graph Activity Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence", + "Platform: Azure", + "Service: Microsoft Graph" ] timestamp_override = "event.ingested" type = "new_terms" 
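Review bot: The added `"Platform: Azure"` tag is inconsistent with the rest of this change, where every Entra ID rule receives `"Platform: Microsoft Entra ID"`; the rule's own description in this hunk says it detects EAM changes "in Microsoft Entra ID via Microsoft Graph API", so Entra ID is the platform and Graph is only the transport, which `"Service: Microsoft Graph"` already records. The last element `"Service: Microsoft Graph"` is also missing the trailing comma that the other tag arrays in this change keep, which will make the next tag addition touch two lines. Suggested: `"Platform: Microsoft Entra ID",` and `"Service: Microsoft Graph",`.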
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml index 232a1364d34..4b0c6449829 100644 --- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["azure"] maturity = "production" -updated_date = "2025/05/22" +updated_date = "2025/08/28" [rule] author = ["Elastic", "Austin Songer"] @@ -18,10 +18,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Entra ID Elevated Access to User Access Administrator" +name = "Entra ID Elevated Access to User Access Administrator" note = """## Triage and Analysis -### Investigating Microsoft Entra ID Elevated Access to User Access Administrator +### Investigating Entra ID Elevated Access to User Access Administrator This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Microsoft Entra ID (Azure AD). This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a **New Terms** rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue. 
@@ -67,12 +67,14 @@ rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml similarity index 94% rename from rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml rename to rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index c637cb21e63..e036a6cf5b2 100644 --- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/28" [rule] author = ["Austin Songer"] @@ -12,11 +12,11 @@ Identifies the creation of role binding or cluster role bindings. You can assign create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. """ -from = "now-20m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["filebeat-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Kubernetes Rolebindings Created" +name = "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created" note = """## Triage and analysis > **Disclaimer**: 
@@ -64,10 +64,15 @@ rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89" severity = "low" tags = [ "Domain: Cloud", + "Domain: IAM", + "Domain: Cloud Workloads", "Data Source: Azure", + "Data Source: Azure Activity Logs", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Resources: Investigation Guide", + "Platform: Azure", + "Service: Azure Kubernetes Service" ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml similarity index 97% rename from rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml rename to rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml index 6ee48682bc2..d3a457376cd 100644 --- a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml +++ b/rules/integrations/o365/collection_exchange_excessive_mail_items_accessed.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/17" integration = ["o365"] maturity = "production" -updated_date = "2025/06/17" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Excessive Microsoft 365 Mailbox Items Accessed" +name = "Microsoft 365 Exchange Mailbox Items Accessed Excessively" note = """## Triage and analysis ### Investigating Excessive Microsoft 365 Mailbox Items Accessed @@ -71,6 +71,8 @@ tags = [ "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" 
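Review bot: The tag `"Platform: Microsoft Entra ID"` added to the Exchange excessive-mailbox-access rule is wrong for a rule whose `index` in this same file is `logs-o365.audit-*`; the sibling Exchange rule renamed in this change (`collection_exchange_mailbox_access_by_unusual_client_app_id.toml`) tags `"Platform: Microsoft 365"`, and this one should too: `"Platform: Microsoft 365",`. The OneDrive excessive-downloads rule further down in this change carries the same Entra ID platform tag on an O365 audit data source and should be corrected together, otherwise platform-based filtering in the rules UI will split Exchange and OneDrive rules away from the rest of Microsoft 365. In the preceding AKS tags hunk the final element `"Service: Azure Kubernetes Service"` lacks the trailing comma used by the other arrays in this change.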
diff --git a/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml similarity index 98% rename from rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml rename to rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml index 0a3f55de286..13355714c18 100644 --- a/rules/integrations/o365/collection_microsoft_365_mailbox_access_by_unusual_client_app_id.toml +++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/18" integration = ["o365"] maturity = "production" -updated_date = "2025/06/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious Microsoft 365 Mail Access by Unusual ClientAppId" +name = "Microsoft 365 Exchange Mailbox Accessed by Rare Client" note = """## Triage and Analysis ### Investigating Suspicious Microsoft 365 Mail Access by Unusual ClientAppId @@ -71,6 +71,8 @@ tags = [ "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml similarity index 92% rename from rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml rename to rules/integrations/o365/collection_exchange_new_inbox_rule.toml index e10126d0a2d..428213a96d7 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_exchange_new_inbox_rule.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/03/29" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Gary Blackwell", "Austin Songer"] @@ -18,17 +18,17 @@ false_positives = [ policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Inbox Forwarding Rule Created" +name = "Microsoft 365 Exchange Inbox Forwarding Rule Created" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Inbox Forwarding Rule Created +### Investigating M365 Exchange Inbox Forwarding Rule Created Microsoft 365 allows users to create inbox rules to automate email management, such as forwarding messages to another address. While useful, attackers can exploit these rules to secretly redirect emails, facilitating data exfiltration. The detection rule monitors for the creation of such forwarding rules, focusing on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities. 
@@ -59,9 +59,7 @@ Microsoft 365 allows users to create inbox rules to automate email management, s - Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activity or rule changes. - Review and update email security policies and configurations to prevent similar incidents, ensuring that forwarding rules are monitored and restricted as necessary. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", @@ -71,7 +69,17 @@ references = [ risk_score = 47 rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Collection", + "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index 37d9710d3a5..56636f80130 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
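Review bot: Removing the `## Setup` paragraph drops the only statement of which data source this rule depends on (the Office 365 Logs integration), and replacing it with a bare `+"""` leaves a trailing blank line inside the note string. Sibling rules in this change keep a one-line requirement in the note, for example the service-principal rule's "This rule requires the Azure integration with Microsoft Entra ID Audit Logs data", so keep an equivalent here, such as `This rule requires the Microsoft 365 (Office 365) integration with audit logs enabled to be compatible.`, and close the string on that last text line. That line also documents why the earlier hunk in this file narrows `index` to `logs-o365.audit-*`.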
@@ -18,9 +18,10 @@ false_positives = [ """, ] from = "now-9m" +interval = "8m" language = "esql" license = "Elastic License v2" -name = "M365 OneDrive Excessive File Downloads with OAuth Token" +name = "Microsoft 365 OneDrive Excessive File Downloads with OAuth Token" note = """## Triage and Analysis ### Investigating M365 OneDrive Excessive File Downloads with OAuth Token @@ -67,14 +68,15 @@ rule_id = "0e524fa6-eed3-11ef-82b4-f661ea17fbce" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: Storage", "Data Source: Microsoft 365", - "Data Source: SharePoint", - "Data Source: OneDrive", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Exfiltration", "Resources: Investigation Guide", + "Service: OneDrive", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml similarity index 95% rename from rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml rename to rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index e2272b6936c..5df10b917fb 100644 --- a/rules/integrations/o365/credential_access_antra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
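Review bot: The rewritten tag array ends with `"Platform: Microsoft Entra ID",` but carries no `"Platform: Microsoft 365"`, even though the rule is fed by `"Data Source: Microsoft 365 Audit Logs"` and is tagged `"Service: OneDrive"`; the Entra ID sign-in rules in this commit carry both platform tags and the Exchange rules carry `"Platform: Microsoft 365"`. Unless OneDrive download events are deliberately attributed to Entra ID here, suggest adding `"Platform: Microsoft 365",` alongside the existing line. `"Domain: Storage"` is also a value not used by any other rule in this diff, so it is worth confirming it is accepted by the tag schema before merging.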
@@ -18,10 +18,10 @@ index = ["filebeat-*", "logs-o365.audit-*"] interval = "15m" language = "eql" license = "Elastic License v2" -name = "Microsoft 365 OAuth Redirect to Device Registration for User Principal" +name = "Microsoft 365 Entra ID OAuth Flow by User Sign-in to Device Registration" note = """## Triage and analysis -### Investigating Microsoft 365 OAuth Redirect to Device Registration for User Principal +### Investigating M365 Entra ID OAuth Redirect to Device Registration for User Principal ### Possible investigation steps - Review the two UserLoggedIn logs to confirm that they come from different source.ip values and are associated to the same account. @@ -52,12 +52,14 @@ rule_id = "fcd2e4be-6ec4-482f-9222-6245367cd738" severity = "high" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml similarity index 97% rename from rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml rename to rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml index 448eb30ea34..896fcc1f971 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_entra_id_excessive_account_lockouts.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/10" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
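Review bot: The final tag `"Platform: Microsoft 365"` is added without a trailing comma, whereas every other tag array rewritten in this commit (rare-client OAuth flow, DLP policy, mailbox audit bypass, malware filter, safe attachment and transport rule hunks) ends its last element with a comma. The same omission is in the account lockouts, user brute force and SSO logon errors hunks. Suggest `"Platform: Microsoft 365",` so the arrays are uniform and a future tag addition is a one-line change.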
@@ -11,9 +11,10 @@ Detects a burst of Microsoft 365 user account lockouts within a short 5-minute w errors across multiple user accounts may indicate brute-force attempts for the same users resulting in lockouts. """ from = "now-9m" +interval = "8m" language = "esql" license = "Elastic License v2" -name = "Multiple Microsoft 365 User Account Lockouts in Short Time Window" +name = "Microsoft 365 Entra ID User Account Lockouts" note = """## Triage and Analysis ### Investigating Multiple Microsoft 365 User Account Lockouts in Short Time Window @@ -60,13 +61,15 @@ rule_id = "de67f85e-2d43-11f0-b8c9-f661ea17fbcc" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365" ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml similarity index 98% rename from rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml rename to rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml index 20413cd6ea4..eae08ea5944 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml +++ b/rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Willem D'Haese", "Austin Songer"] 
@@ -21,7 +21,7 @@ from = "now-60m" interval = "10m" language = "esql" license = "Elastic License v2" -name = "Potential Microsoft 365 User Account Brute Force" +name = "Microsoft 365 Entra ID User Brute Force Attempt" note = """## Triage and Analysis ### Investigating Potential Microsoft 365 User Account Brute Force @@ -66,13 +66,15 @@ rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365" ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml similarity index 94% rename from rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml rename to rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml index a48986bf801..20f8c9737d3 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_entra_id_user_excessive_sso_logon_errors.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Austin Songer"] @@ -16,11 +16,11 @@ false_positives = [ positives. """, ] -from = "now-20m" -index = ["filebeat-*", "logs-o365*"] +from = "now-30m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "O365 Excessive Single Sign-On Logon Errors" +name = "Microsoft 365 Entra ID Excessive SSO Login Errors Reported" note = """## Triage and analysis > **Disclaimer**: 
@@ -57,18 +57,20 @@ Single Sign-On (SSO) in O365 streamlines user access by allowing one set of cred - Escalate the incident to the security operations team for further investigation and to determine if additional accounts or systems have been compromised. - Update and enhance monitoring rules to detect similar patterns of excessive SSO logon errors, ensuring early detection of potential brute force attempts. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" risk_score = 73 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "high" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365" ] timestamp_override = "event.ingested" type = "threshold" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml similarity index 95% rename from rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml rename to rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 9c247608297..f1c1771d7cc 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2025/07/16" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -15,7 +15,7 @@ from = "now-60m" interval = "59m" language = "esql" license = "Elastic License v2" -name = "Suspicious Microsoft 365 UserLoggedIn via OAuth Code" +name = "Microsoft 365 Entra ID OAuth Flow by Rare Client to Microsoft Graph" note = """## Triage and analysis ### Investigating Suspicious Microsoft 365 UserLoggedIn via OAuth Code @@ -48,21 +48,20 @@ references = [ ] risk_score = 73 rule_id = "36188365-f88f-4f70-8c1d-0b9554186b9c" -setup = """## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. -""" +setup = "" severity = "high" tags = [ "Domain: Cloud", "Domain: Email", - "Domain: Identity", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Resources: Investigation Guide", "Tactic: Defense Evasion", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml similarity index 93% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml rename to rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index e0321d00408..44d15c0c45e 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
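Review bot: `setup = ""` replaces the data-source guidance with an empty string rather than removing the key, which is what the other rules in this commit do when they drop the `## Setup` block from `note`. An empty `setup` value may render as a blank Setup section in the generated documentation, and it is inconsistent with the rest of the change set. Suggest either deleting the `setup` line outright or keeping the removed text, e.g. `setup = "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."`.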
@@ -16,17 +16,17 @@ false_positives = [ Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange DLP Policy Removed" +name = "Microsoft 365 Exchange DLP Policy Deleted" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Exchange DLP Policy Removed +### Investigating M365 Exchange DLP Policy Removed Data Loss Prevention (DLP) in Microsoft 365 Exchange is crucial for safeguarding sensitive information by monitoring and controlling data transfers. Adversaries may exploit this by removing DLP policies to bypass data monitoring, facilitating unauthorized data exfiltration. The detection rule identifies such actions by analyzing audit logs for specific events indicating successful DLP policy removal, thus alerting security teams to potential defense evasion tactics. 
@@ -56,9 +56,7 @@ Data Loss Prevention (DLP) in Microsoft 365 Exchange is crucial for safeguarding - Implement enhanced monitoring and alerting for similar events, focusing on unauthorized changes to security policies and configurations. - Review and strengthen access controls and permissions for accounts with the ability to modify DLP policies to prevent unauthorized changes in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide", @@ -68,10 +66,14 @@ rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml similarity index 91% rename from rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml rename to rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 0499a78aa9c..588a57a018c 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -16,17 +16,17 @@ Attackers can abuse this allowlist mechanism to conceal actions taken, as the ma the account. """ false_positives = ["Legitimate allowlisting of noisy accounts"] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "O365 Mailbox Audit Logging Bypass" +name = "Microsoft 365 Exchange Mailbox Audit Logging Bypass Added" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating O365 Mailbox Audit Logging Bypass +### Investigating M365 Exchange Mailbox Audit Logging Bypass In Microsoft 365 environments, mailbox audit logging is crucial for tracking user activities like accessing or deleting emails. However, administrators can exempt certain accounts from logging to reduce noise, which attackers might exploit to hide their actions. The detection rule identifies successful attempts to create such exemptions, signaling potential misuse of this bypass mechanism. 
@@ -57,14 +57,22 @@ In Microsoft 365 environments, mailbox audit logging is crucial for tracking use - Implement additional monitoring for similar bypass attempts to enhance detection capabilities and prevent recurrence. - Consider escalating the incident to a higher security tier or external cybersecurity experts if the scope of the breach is extensive or if internal resources are insufficient to handle the threat. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = ["https://twitter.com/misconfig/status/1476144066807140355"] risk_score = 47 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml similarity index 95% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml rename to rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index a227d788063..51b0d0c1039 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml 
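Review bot: The rewritten tag array drops `"Tactic: Initial Access"` and keeps only `"Tactic: Defense Evasion"`, but the hunk does not touch the `[[rule.threat]]` entries, which lie outside it. If a threat entry mapped to Initial Access remains in the file, the tactic tags and the threat mapping will disagree, which the repository's rule tests are likely to flag; either remove the corresponding threat block in the same commit or keep `"Tactic: Initial Access",` in the tags. The added `"Use Case: Configuration Audit",` also changes how this rule is categorised, so a one-line note in the PR description explaining the reclassification would help reviewers.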
@@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,11 +17,11 @@ false_positives = [ was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Malware Filter Policy Deletion" +name = "Microsoft 365 Exchange Malware Filter Policy Deleted" note = """## Triage and analysis > **Disclaimer**: @@ -58,9 +58,7 @@ Microsoft 365 Exchange uses malware filter policies to detect and alert administ - Implement additional monitoring on the affected account and related systems to detect any further suspicious activities or attempts to bypass security measures. - Review and update security policies and configurations to ensure they are robust against similar evasion tactics in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps", ] @@ -69,10 +67,14 @@ rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml similarity index 95% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml rename to rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index b89dff6f8b3..5d176999ace 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,11 +16,11 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Malware Filter Rule Modification" +name = "Microsoft 365 Exchange Malware Filter Rule Modified" note = """## Triage and analysis > **Disclaimer**: 
@@ -56,9 +56,7 @@ Microsoft 365 Exchange uses malware filter rules to protect email systems by ide - Review and update access controls and permissions for administrative actions within Microsoft 365 to limit the ability to modify security configurations to only essential personnel. - Document the incident, including actions taken and lessons learned, to improve future response efforts and update incident response plans accordingly. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps", @@ -68,10 +66,14 @@ rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml similarity index 96% rename from rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml rename to rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml index ad4b52badf0..01a28c9a202 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["o365"] maturity = "production" -updated_date = "2025/05/22" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Jamie Lee"] @@ -17,10 +17,10 @@ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails" +name = "Microsoft 365 Exchange Inbox Phishing Evasion Rule Created" note = """## Triage and Analysis -### Investigating Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails +### Investigating M365 Exchange Suspicious Inbox Rule to Delete or Move Emails This detection identifies the creation of potentially malicious inbox rules in Microsoft 365. These rules automatically delete or move emails with specific keywords such as "invoice", "payment", "security", or "phish". Adversaries often use these rules post-compromise to conceal warning emails, alerts from security tools, or responses from help desk teams, thereby evading detection and maintaining access. @@ -71,13 +71,14 @@ rule_id = "40fe11c2-376e-11f0-9a82-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", "Domain: Email", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml similarity index 95% rename from rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml rename to rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 2e79b68f418..b4c4e8c88af 100644 
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,11 +17,11 @@ false_positives = [ was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Safe Attachment Rule Disabled" +name = "Microsoft 365 Exchange Email Safe Attachment Rule Disabled" note = """## Triage and analysis > **Disclaimer**: @@ -57,9 +57,7 @@ Microsoft 365's Safe Attachment feature enhances security by analyzing email att - Review and update access controls and permissions to ensure that only authorized personnel can modify security rules and configurations. - Conduct a post-incident analysis to identify the root cause and implement measures to prevent similar incidents, such as enhancing alerting mechanisms for critical security rule changes. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps", ] @@ -68,10 +66,14 @@ rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b" severity = "low" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml similarity index 91% rename from rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml rename to rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index d40aaa34cf5..4382b198471 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,11 +17,11 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Transport Rule Creation" +name = "Microsoft 365 Exchange Mail Flow Transport Rule Created" note = """## Triage and analysis > **Disclaimer**: @@ -57,9 +57,7 @@ Microsoft 365 Exchange transport rules automate email handling, applying actions - Escalate the incident to the incident response team if there is evidence of a broader compromise or if sensitive data has been exfiltrated. - Implement enhanced monitoring and alerting for transport rule changes to detect and respond to similar threats more effectively in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", 
@@ -67,7 +65,17 @@ references = [ risk_score = 47 rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Exfiltration", + "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml similarity index 92% rename from rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml rename to rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index 9700f5fb32d..4893815164f 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,11 +17,11 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Transport Rule Modification" +name = "Microsoft 365 Exchange Mail Flow Transport Rule Modified" note = """## Triage and analysis > **Disclaimer**: 
@@ -57,9 +57,7 @@ Microsoft 365 Exchange transport rules manage email flow by setting conditions a - Coordinate with legal and compliance teams to determine if any regulatory reporting is required due to potential data exfiltration. - Enhance security measures by enabling multi-factor authentication (MFA) for all administrative accounts and reviewing access permissions to ensure the principle of least privilege is enforced. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", @@ -68,7 +66,17 @@ references = [ risk_score = 47 rule_id = "272a6484-2663-46db-a532-ef734bf9a796" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Exfiltration", + "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml similarity index 89% rename from rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml rename to rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml index 9bc31aa1bd6..8c73a0c8b5c 100644 --- a/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml 
+++ b/rules/integrations/o365/exfiltration_security_compliance_mass_download_by_a_single_user.toml @@ -2,23 +2,23 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "development" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] description = "Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute." false_positives = ["Unknown"] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Mass download by a single user" +name = "Microsoft 365 Security Compliance Mass Download by a Single User" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Mass download by a single user +### Investigating Microsoft 365 Security Compliance Mass Download by a Single User Microsoft 365 provides cloud-based productivity tools, enabling users to access and download data efficiently. However, adversaries can exploit this by performing mass downloads to exfiltrate sensitive information. The detection rule identifies suspicious activity by flagging instances where a user downloads an unusually high volume of data in a short period, indicating potential data exfiltration attempts. This helps security analysts quickly respond to and mitigate potential threats. 
@@ -48,9 +48,6 @@ Microsoft 365 provides cloud-based productivity tools, enabling users to access - Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activities. - Review and update access controls and data download policies to prevent similar incidents in the future, ensuring that only necessary permissions are granted to users. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", @@ -59,7 +56,17 @@ references = [ risk_score = 47 rule_id = "571ff456-aa7f-4e48-8a88-39698bb5418f" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Storage", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Exfiltration", + "Resources: Investigation Guide", + "Service: Security and Compliance Center", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml similarity index 90% rename from rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml rename to rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml index 58c441f2a04..5f82fabc8ff 100644 --- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] @@ -16,17 +16,17 @@ false_positives = [ represent an adverse encryption process. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Potential ransomware activity" +name = "Microsoft 365 Security Compliance Potential Ransomware Activity" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Potential ransomware activity +### Investigating Microsoft 365 Security Compliance Potential Ransomware Activity Microsoft 365's cloud services can be exploited by adversaries to distribute ransomware by uploading infected files. This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity. By monitoring specific event datasets and actions, it helps security analysts pinpoint and mitigate ransomware threats, aligning with MITRE ATT&CK's impact tactics. 
@@ -58,9 +58,6 @@ Microsoft 365's cloud services can be exploited by adversaries to distribute ran - Review and update access controls and permissions for the affected user and related accounts to minimize the risk of future incidents. - Escalate the incident to senior security management and, if necessary, involve legal or compliance teams to assess any regulatory implications. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", @@ -69,7 +66,16 @@ references = [ risk_score = 47 rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Impact", + "Resources: Investigation Guide", + "Service: Security and Compliance Center", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml similarity index 90% rename from rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml rename to rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml index 4d93834da53..a28d2cd0db5 100644 --- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml +++ b/rules/integrations/o365/impact_security_compliance_unusual_volume_of_file_deletion.toml 
@@ -2,23 +2,23 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security." false_positives = ["Users or System Administrator cleaning out folders."] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Unusual Volume of File Deletion" +name = "Microsoft 365 Security Compliance Unusual Volume of File Deletion" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Unusual Volume of File Deletion +### Investigating Microsoft 365 Security Compliance Unusual Volume of File Deletion Microsoft 365's cloud environment facilitates file storage and collaboration, but its vast data handling capabilities can be exploited by adversaries for data destruction. Attackers may delete large volumes of files to disrupt operations or cover their tracks. The detection rule leverages audit logs to identify anomalies in file deletion activities, flagging successful, unusual deletion volumes as potential security incidents, thus enabling timely investigation and response. 
@@ -49,9 +49,6 @@ Microsoft 365's cloud environment facilitates file storage and collaboration, bu - Review and update access controls and permissions to ensure that users have the minimum necessary access to perform their job functions, reducing the risk of large-scale deletions. - Coordinate with the IT and security teams to conduct a post-incident review, identifying any gaps in the response process and implementing improvements to prevent recurrence. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", @@ -60,7 +57,17 @@ references = [ risk_score = 47 rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Storage", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Impact", + "Resources: Investigation Guide", + "Service: Security and Compliance Center", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml index 9b885eab6ea..590a8351884 100644 --- a/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml +++ b/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml 
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" max_signals = 1000 -name = "M365 Threat Intelligence Signal" +name = "Microsoft 365 Threat Intelligence Signal" note = """## Triage and analysis > **Disclaimer**: @@ -73,14 +73,13 @@ For information on troubleshooting the maximum alerts warning please refer to th severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", - "Data Source: Microsoft Defender", - "Data Source: Microsoft Defender Threat Intelligence", "Use Case: Threat Detection", "Tactic: Initial Access", - "Resources: Investigation Guide" + "Resources: Investigation Guide", + "Service: Microsoft Threat Intelligence", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml similarity index 96% rename from rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml rename to rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index e18f124d09c..7d88cdd2568 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/o365/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/24" integration = ["o365"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
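Review bot: The tags hunk removes `Data Source: Microsoft Defender` and `Data Source: Microsoft Defender Threat Intelligence` and adds only `Service: Microsoft Threat Intelligence`, so no remaining tag names Defender even though the file path (`initial_access_defender_for_m365_threat_intelligence_signal.toml`) indicates the alert originates from Defender for Microsoft 365. Saved searches, dashboards or exception lists that pivot on the Defender data-source tags will stop matching this rule after the change. If the taxonomy move to `Service:`/`Platform:` tags is intended repository-wide, keeping `"Data Source: Microsoft Defender",` alongside the new Service tag during the transition would preserve that filtering; if the Defender tags are being retired everywhere, a one-line mention in the commit description would make the intent clear.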
@@ -14,10 +14,10 @@ via a pre-made phishing URL. This establishes an OAuth grant that allows the mal resources in Microsoft 365 on-behalf-of the user. """ from = "now-9m" -index = ["filebeat-*", "logs-o365**"] +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Illicit Consent Grant via Registered Application" +name = "Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User" note = """## Triage and analysis ### Investigating Microsoft 365 Illicit Consent Grant via Registered Application @@ -81,12 +81,15 @@ rule_id = "0c3c80de-08c2-11f0-bd11-f661ea17fbcc" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", "Tactic: Credential Access", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "new_terms" @@ -141,7 +144,7 @@ field_names = [ "o365.audit.Target.Type", "o365.audit.ModifiedProperties.ConsentAction_Reason.NewValue", "o365.audit.ExtendedProperties.additionalDetails", - "cloud.region" + "cloud.region", ] [rule.new_terms] diff --git a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml similarity index 96% rename from rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml rename to rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml index f1a46b3488b..42caca302ea 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/o365/initial_access_entra_id_oauth_phishing_via_vscode_client.toml 
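Review bot: The rule is renamed to `Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User`, but the investigation guide heading two lines below is left as the context line `### Investigating Microsoft 365 Illicit Consent Grant via Registered Application`, so the guide an analyst opens no longer matches the alert title. The heading should follow the new name: `### Investigating Microsoft 365 Entra ID OAuth Illicit Consent Grant by Rare Client and User`. The same name/heading drift is introduced in the VS Code OAuth rule, whose heading still reads `### Investigating Microsoft 365 OAuth Phishing via Visual Studio Code Client`, and in both portal-login rules, whose headings still read `### Investigating M365 Portal Login (Atypical Travel)` and `### Investigating M365 Portal Login (Impossible Travel)`, whereas the Security Compliance rules in this commit update name and heading together.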
@@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["o365"] maturity = "production" -updated_date = "2025/04/30" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -15,11 +15,11 @@ redirect location, prompting victims to return an OAuth authorization code that rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing activity. """ -from = "now-25m" +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 OAuth Phishing via Visual Studio Code Client" +name = "Microsoft 365 Entra ID OAuth Flow by Visual Studio Code Client to Microsoft Graph" note = """## Triage and analysis ### Investigating Microsoft 365 OAuth Phishing via Visual Studio Code Client @@ -69,12 +69,14 @@ rule_id = "929d0766-204b-11f0-9c1f-f661ea17fbcd" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml index bb24bb3c565..fd18eecba21 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml @@ -23,7 +23,7 @@ from = "now-15m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Portal Login (Atypical Travel)" +name = "Microsoft 365 Entra ID Portal Login (Atypical Travel)" note = """## Triage and analysis ### Investigating M365 Portal Login (Atypical Travel) 
@@ -57,13 +57,15 @@ rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft 365", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml index 99451411942..c40a6c2a938 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml @@ -22,7 +22,7 @@ from = "now-15m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "M365 Portal Login (Impossible Travel)" +name = "Microsoft 365 Entra ID Portal Login (Impossible Travel)" note = """## Triage and analysis ### Investigating M365 Portal Login (Impossible Travel) @@ -56,13 +56,15 @@ rule_id = "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Platform: Microsoft 365", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "threshold" 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml similarity index 96% rename from rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml rename to rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml index 103daf24184..b1170eda4ea 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/initial_access_exchange_anti_phish_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,8 +17,8 @@ false_positives = [ was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Anti-Phish Policy Deletion" @@ -58,9 +58,7 @@ Microsoft 365's anti-phishing policies enhance security by fine-tuning detection - Escalate the incident to the incident response team if there is evidence of broader compromise or if sensitive data has been accessed. - Implement enhanced monitoring and alerting for similar actions in the future to quickly detect and respond to any further attempts to delete security policies. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide", 
@@ -70,10 +68,14 @@ rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml similarity index 96% rename from rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml rename to rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml index c49431ca1fc..759d19147e4 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml +++ b/rules/integrations/o365/initial_access_exchange_anti_phish_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,8 +17,8 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Anti-Phish Rule Modification" 
@@ -58,9 +58,7 @@ Microsoft 365's anti-phishing rules are crucial for safeguarding users against p - Implement enhanced monitoring and alerting for any further attempts to modify anti-phishing rules, ensuring that similar activities are detected promptly. - Review and update access controls and permissions for administrative actions within Microsoft 365 to ensure that only authorized personnel can modify security settings. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps", @@ -70,10 +68,14 @@ rule_id = "97314185-2568-4561-ae81-f3e480e5e695" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml similarity index 95% rename from rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml rename to rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml index 31acdfec8b3..af598b67713 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml +++ b/rules/integrations/o365/initial_access_exchange_exchange_safelinks_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -16,11 +16,11 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Safe Link Policy Disabled" +name = "Microsoft 365 Exchange Email Safe Link Policy Disabled" note = """## Triage and analysis > **Disclaimer**: @@ -56,9 +56,7 @@ Microsoft 365's Safe Link policies enhance security by scanning hyperlinks in do - Implement additional monitoring and alerting for changes to Safe Link policies to ensure rapid detection of any future unauthorized modifications. - Review and update access controls and permissions related to Safe Link policy management to ensure only authorized personnel can make changes. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide", @@ -68,10 +66,14 @@ rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml similarity index 90% rename from rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml rename to rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml index ee3bc044b9e..aed7e005be3 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml +++ b/rules/integrations/o365/initial_access_security_compliance_impossible_travel_activity.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "development" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] 
@@ -11,17 +11,17 @@ Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt impossible travel. """ false_positives = ["User using a VPN may lead to false positives."] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Impossible travel activity" +name = "Microsoft 365 Security Compliance Impossible Travel Activity" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Impossible travel activity +### Investigating Microsoft 365 Security Compliance Impossible Travel Activity Microsoft 365's security features monitor user sign-ins to detect anomalies like impossible travel, where a user appears to log in from geographically distant locations in a short time. Adversaries may exploit compromised credentials to access accounts from unexpected locations. The detection rule identifies such suspicious logins by analyzing audit logs for successful sign-ins flagged as impossible travel, helping to mitigate unauthorized access. 
@@ -62,19 +62,26 @@ This rule is no longer applicable based on changes to Microsoft Defender for Off Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy """ -setup = """ -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. -""" references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", ] risk_score = 47 rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d" +setup = "" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: IAM", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Service: Security and Compliance Center", + "Platform: Microsoft Entra ID", + "Platform: Microsoft 365" +] timestamp_override = "event.ingested" type = "query" @@ -95,3 +102,4 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml similarity index 92% rename from rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml rename to rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml index b22dc87b3e8..377504580ab 100644 --- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml +++ b/rules/integrations/o365/initial_access_security_compliance_user_reported_phish_malware.toml 
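Review bot: `setup = ""` replaces the removed setup block with an empty key, which documents nothing and differs from every other rule in this commit, where the Setup text is simply dropped; either remove the key or, if the schema requires it, keep the single data-requirement sentence that was deleted. The rebuilt `tags` array also ends with `"Platform: Microsoft 365"` and no trailing comma, unlike the other tags arrays in this change, and the `@@ -95,3 +102,4 @@` hunk appends an empty line after the final `reference`, leaving the file ending in a blank line. Separately, the hunk header quotes the note's own statement that this rule is no longer applicable, and `maturity` remains `development` in the first hunk of this file, so re-tagging it with `Domain: IAM` and `Platform: Microsoft Entra ID` may be effort spent on a rule that belongs under `_deprecated`; worth confirming the intent before merging.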
@@ -2,7 +2,7 @@ creation_date = "2022/01/12" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -13,11 +13,11 @@ malicious message. Educating users to report suspicious messages can help identi malware infections and Business Email Compromise attacks. """ false_positives = ["Legitimate files reported by the users"] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "O365 Email Reported by User as Malware or Phish" +name = "Microsoft 365 Security Compliance Email Reported by User as Malware or Phish" note = """## Triage and analysis > **Disclaimer**: @@ -54,16 +54,23 @@ Microsoft 365's email services are integral to business communication, but they - Review and update email filtering and security policies to address any identified gaps that allowed the malicious email to bypass existing controls. - Monitor for any further suspicious activity related to the incident, using enhanced logging and alerting mechanisms to detect similar threats in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us", ] risk_score = 47 rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Tactic: Initial Access", + "Resources: Investigation Guide", + "Service: Security and Compliance Center", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml similarity index 94% rename from rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml rename to rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml index 60a023e9999..ab68c29aef9 100644 --- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml +++ b/rules/integrations/o365/initial_access_security_compliance_user_restricted_from_sending_email.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] @@ -11,11 +11,11 @@ Identifies when a user has been restricted from sending email due to exceeding s per the Security Compliance Center. """ false_positives = ["A user sending emails using personal distribution folders may trigger the event."] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 User Restricted from Sending Email" +name = "Microsoft 365 Security Compliance User Restricted from Sending Email" note = """## Triage and analysis > **Disclaimer**: 
@@ -51,9 +51,6 @@ Microsoft 365 enforces email sending limits to prevent abuse and ensure service - Implement additional email filtering rules to block similar phishing or spam patterns identified in the incident to prevent recurrence. - Update and enhance detection rules and monitoring to quickly identify and respond to similar threats in the future, leveraging insights from the current incident. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = [ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", @@ -64,10 +61,14 @@ rule_id = "0136b315-b566-482f-866c-1d8e2477ba16" severity = "medium" tags = [ "Domain: Cloud", + "Domain: Email", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + "Service: Security and Compliance Center", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml similarity index 91% rename from rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml rename to rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml index 560e67b7a90..2d6344b66bd 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml +++ b/rules/integrations/o365/lateral_movement_onedrive_malware_uploaded.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
@@ -13,17 +13,17 @@ Users can inadvertently share these files without knowing their maliciousness, g initial access to other endpoints in the environment. """ false_positives = ["Benign files can trigger signatures in the built-in virus protection"] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "OneDrive Malware File Upload" +name = "Microsoft 365 OneDrive Malware File Upload" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating OneDrive Malware File Upload +### Investigating M365 OneDrive Malware File Upload OneDrive, a cloud storage service, facilitates file sharing and collaboration within organizations. However, adversaries can exploit this by uploading malware, which can spread across shared environments, leading to lateral movement within a network. The detection rule identifies such threats by monitoring OneDrive activities for malware detection events, focusing on file operations flagged by Microsoft's security engine. This proactive approach helps in identifying and mitigating potential breaches. 
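Review bot: `name` becomes `Microsoft 365 OneDrive Malware File Upload` but the guide heading becomes `### Investigating M365 OneDrive Malware File Upload`, so the title and its investigation guide no longer agree; the same drift appears at L136 (`… Malware File Detected` vs `… Malware File Upload`), L138 (heading keeps `Microsoft 365 Global Administrator …` without `Entra ID`), L143 (`… High-Risk Permission Delegated` vs `… Suspicious Mailbox Permission Delegation`) and L145 (`… Interaction Enabled` vs `… Interaction Allowed`). The convention followed at L129 is that the heading repeats `name` verbatim; suggest `### Investigating Microsoft 365 OneDrive Malware File Upload` here and the matching heading in the others.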
@@ -55,16 +55,25 @@ OneDrive, a cloud storage service, facilitates file sharing and collaboration wi - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if any lateral movement or additional compromise has occurred. - Implement enhanced monitoring and alerting for similar OneDrive activities to quickly detect and respond to any future malware uploads or related threats. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide", ] risk_score = 73 rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1" severity = "high" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Storage", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Service: SharePoint", + "Service: OneDrive", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml similarity index 92% rename from rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml rename to rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml index 1ddff70548b..72602fb1bae 100644 --- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml +++ b/rules/integrations/o365/lateral_movement_sharepoint_malware_uploaded.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/01/10" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -13,17 +13,17 @@ access. Users can inadvertently share these files without knowing their maliciou to gain initial access to other endpoints in the environment. """ false_positives = ["Benign files can trigger signatures in the built-in virus protection"] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "SharePoint Malware File Upload" +name = "Microsoft 365 SharePoint Malware File Detected" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating SharePoint Malware File Upload +### Investigating M365 SharePoint Malware File Upload SharePoint, a collaborative platform, facilitates file sharing and storage within organizations. Adversaries exploit this by uploading malware, leveraging the platform's sharing capabilities to propagate threats laterally. The detection rule identifies when SharePoint's file scanning engine flags an upload as malicious, focusing on specific audit events to alert security teams of potential lateral movement threats. 
@@ -54,16 +54,24 @@ SharePoint, a collaborative platform, facilitates file sharing and storage withi - Escalate the incident to the incident response team if there are signs of lateral movement or if the malware has spread to other parts of the network, following the organization's escalation protocols. - Implement enhanced monitoring and logging for SharePoint and related services to detect any future attempts to upload or share malicious files, leveraging the specific query fields used in the detection rule. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide", ] risk_score = 73 rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74" severity = "high" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Storage", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Service: SharePoint", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml similarity index 88% rename from rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml rename to rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml index 4023be111e5..3d445cb77dd 100644 --- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml 
@@ -2,22 +2,22 @@ creation_date = "2022/01/06" integration = ["o365"] maturity = "production" -updated_date = "2025/05/21" +updated_date = "2025/08/29" [rule] author = ["Elastic"] description = """ -In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator -is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID -identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and -Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all -subscriptions and their settings and resources. +In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company +Administrator is a role that enables users to have access to all administrative features in Entra ID and services that +use Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, +SharePoint Online, and Skype for Business Online. Adversaries can add users as Global Administrators to maintain access +and manage all subscriptions and their settings and resources. """ from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Global Administrator Role Assigned" +name = "Microsoft 365 Entra ID Global Administrator Role Assigned" note = """## Triage and Analysis ### Investigating Microsoft 365 Global Administrator Role Assigned 
@@ -51,23 +51,24 @@ The Microsoft 365 Global Administrator role grants comprehensive administrative - Limit the number of Global Administrator accounts and enforce role-based access control (RBAC) using least privilege principles. - Consider implementing conditional access policies to limit role assignment actions to specific networks, devices, or user groups. """ - references = [ "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator", "https://learn.microsoft.com/en-us/purview/audit-log-activities", - "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231" + "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231", ] risk_score = 47 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb" severity = "medium" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: IAM", "Data Source: Microsoft 365", "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", + "Platform: Microsoft 365", + "Platform: Microsoft Entra ID", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml similarity index 94% rename from rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml rename to rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml index 94caa0432f1..c7abfcd81f9 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/persistence_exchange_dkim_signing_config_disabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -18,8 +18,8 @@ false_positives = [ change was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled" @@ -58,16 +58,23 @@ DomainKeys Identified Mail (DKIM) is a security protocol that ensures email auth - Escalate the incident to the organization's incident response team for further investigation and to determine if any additional security measures are necessary. - Consider implementing additional email security measures, such as SPF and DMARC, to complement DKIM and enhance overall email security posture. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps", ] risk_score = 47 rule_id = "514121ce-c7b6-474a-8237-68ff71672379" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml similarity index 94% rename from rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml rename to rules/integrations/o365/persistence_exchange_management_role_assignment.toml index ddd4196f61a..0d751e756ce 100644 --- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,11 +16,11 @@ false_positives = [ change was expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Exchange Management Group Role Assignment" +name = "Microsoft 365 Exchange Management Group Role Assigned" note = """## Triage and analysis > **Disclaimer**: 
@@ -57,9 +57,7 @@ Microsoft 365 Exchange Management roles define permissions for managing Exchange - Review and update access control policies to ensure that only authorized personnel can assign management roles in Microsoft 365. - Consider conducting a security awareness session for administrators to reinforce the importance of monitoring and managing role assignments securely. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide", @@ -69,10 +67,14 @@ rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7" severity = "medium" tags = [ "Domain: Cloud", + "Domain: IAM", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index 910bb0a982a..ff59c320b14 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/05/07" +updated_date = "2025/08/29" [rule] author = ["Elastic", "Austin Songer"] 
@@ -13,15 +13,16 @@ evade spam/phishing detection mechanisms. """ false_positives = [ "Assignment of rights to a service account.", - "Delegation by first-party applications that require mailbox access." + "Delegation by first-party applications that require mailbox access.", ] +from = "now-9m" index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Suspicious Mailbox Permission Delegation in Exchange Online" +name = "Microsoft 365 Exchange Mailbox High-Risk Permission Delegated" note = """## Triage and Analysis -### Investigating Suspicious Mailbox Permission Delegation in Exchange Online +### Investigating M365 Exchange Suspicious Mailbox Permission Delegation This rule detects the delegation of mailbox permissions in Microsoft 365 Exchange. This behavior may indicate that an adversary is attempting to gain access to another user's mailbox or send messages on behalf of that user. @@ -68,20 +69,21 @@ If the delegation is determined to be unauthorized or suspicious: - Harden delegation policies by requiring approvals, limiting delegation to specific groups, or implementing Just-in-Time (JIT) access for mailboxes. """ references = [ - "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide" + "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide", ] risk_score = 21 rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc" severity = "low" tags = [ "Domain: Cloud", - "Domain: SaaS", + "Domain: Email", "Data Source: Microsoft 365", - "Data Source: Microsoft Exchange", "Data Source: Microsoft 365 Audit Logs", "Use Case: Configuration Audit", "Tactic: Persistence", - "Resources: Investigation Guide" + "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "new_terms" 
@@ -103,16 +105,6 @@ not user.id:( ) ''' -[rule.investigation_fields] -field_names = [ - "@timestamp", - "o365.audit.ObjectId", - "o365.audit.Parameters.Identity", - "user.id", - "source.ip", - "user_agent.original", - "event.action", -] [[rule.threat]] framework = "MITRE ATT&CK" @@ -132,9 +124,22 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[rule.investigation_fields] +field_names = [ + "@timestamp", + "o365.audit.ObjectId", + "o365.audit.Parameters.Identity", + "user.id", + "source.ip", + "user_agent.original", + "event.action", +] + [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml similarity index 91% rename from rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml rename to rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml index bd6226b4864..42011489c5e 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/persistence_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] 
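Review bot: Two empty `+` lines are appended after `value = "now-14d"`, and the hunk at L130 adds one after the TA0001 reference, leaving files that end in several blank lines; a single trailing newline is the convention and a TOML formatter would strip these. Moving `[rule.investigation_fields]` below `[[rule.threat]]` is valid since `rule` is already defined and it now sits next to `[rule.new_terms]`, so that part reads fine.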
@@ -17,17 +17,17 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft 365 Teams Custom Application Interaction Allowed" +name = "Microsoft 365 Teams Custom Application Interaction Enabled" note = """## Triage and analysis > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. -### Investigating Microsoft 365 Teams Custom Application Interaction Allowed +### Investigating M365 Teams Custom Application Interaction Allowed Microsoft Teams allows organizations to enhance functionality by integrating custom applications, which can be developed and uploaded beyond the standard app store offerings. While beneficial for tailored solutions, this capability can be exploited by adversaries to maintain unauthorized access. The detection rule monitors changes in tenant settings that permit custom app interactions, flagging successful modifications as potential persistence threats. 
@@ -59,14 +59,22 @@ Microsoft Teams allows organizations to enhance functionality by integrating cus - Implement additional monitoring and alerting for changes to Microsoft Teams settings to quickly detect and respond to similar threats in the future. - Review and update the organization's security policies and procedures regarding the use of custom applications in Microsoft Teams to ensure they align with best practices and mitigate the risk of similar incidents. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"] risk_score = 47 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Service: Microsoft Teams", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_teams_external_access_enabled.toml similarity index 92% rename from rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml rename to rules/integrations/o365/persistence_teams_external_access_enabled.toml index df7c20b913f..3df3cb31334 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_external_access_enabled.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -17,8 +17,8 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Teams External Access Enabled" @@ -58,14 +58,23 @@ Microsoft Teams' external access feature allows users to communicate with indivi - Escalate the incident to the incident response team if there is evidence of data exfiltration or if the scope of the breach is unclear. - Implement enhanced monitoring and alerting for changes in Teams federation settings to detect similar threats in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"] risk_score = 47 rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Domain: IAM", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Service: Microsoft Teams", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml similarity index 92% rename from rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml rename to rules/integrations/o365/persistence_teams_guest_access_enabled.toml index 1126bc7afa0..00350684615 100644 --- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Elastic"] @@ -16,8 +16,8 @@ false_positives = [ expected. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Teams Guest Access Enabled" 
@@ -56,16 +56,25 @@ Microsoft Teams allows organizations to collaborate with external users through - Escalate the incident to the organization's incident response team for a comprehensive investigation and to determine if further containment actions are necessary. - Review and update access control policies to ensure that enabling guest access requires appropriate authorization and oversight. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps", ] risk_score = 47 rule_id = "5e552599-ddec-4e14-bad1-28aa42404388" severity = "medium" -tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"] +tags = [ + "Domain: Cloud", + "Domain: Application", + "Domain: IAM", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Persistence", + "Resources: Investigation Guide", + "Service: Microsoft Teams", + "Platform: Microsoft 365", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml similarity index 94% rename from rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml rename to rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml index 956e2da3b51..3241eec8117 100644 --- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml 
@@ -2,18 +2,19 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/08/29" [rule] author = ["Austin Songer"] description = """ -Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external +Identifies a new or modified federation domain, which can be used to create a trust between M365 and an external identity provider. """ -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["filebeat-*", "logs-o365.audit-*"] language = "kuery" license = "Elastic License v2" -name = "New or Modified Federation Domain" +name = "Microsoft 365 Exchange Federated Domain Created or Modified" note = """## Triage and analysis > **Disclaimer**: @@ -50,9 +51,7 @@ Federation domains enable trust between Office 365 and external identity provide - Communicate with affected stakeholders and provide guidance on any immediate actions they need to take, such as password resets or additional authentication steps. - Review and update federation domain policies and configurations to ensure they align with best practices and reduce the risk of similar incidents in the future. -## Setup - -The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", 
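Review bot: The description now reads `a trust between M365 and an external identity provider` while the guide's context line in the next hunk still says `Office 365` and the rest of this batch spells it out as `Microsoft 365` in names and tags; suggest `create a trust between Microsoft 365 and an external` so the three spellings do not coexist in one file.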
@@ -66,10 +65,15 @@ rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8" severity = "low" tags = [ "Domain: Cloud", + "Domain: Email", + "Domain: IAM", "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Resources: Investigation Guide", + "Service: Exchange", + "Platform: Microsoft 365", ] timestamp_override = "event.ingested" type = "query"