diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 615a5b47f01..6a87378f28a 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,8 +19,8 @@ false_positives = [
 rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Full Network Packet Capture Detected"
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 7868c9b8f48..8a88cceeb2f 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
 or locations should be investigated.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index 64091a7a4b4..101fb169f41 100644
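Review bot: The lookback in the second hunk drops from `now-25m` to `now-9m` while the rule's `interval` is not visible here, so as far as `from` bounds the query window, an Azure activity-log event that lands in the index more than roughly nine minutes after its `@timestamp` is never evaluated; the wider window presumably existed to absorb Event Hub export and ingest lag. The same narrowing is applied to the other azure and o365 rules in this commit (runbook deleted, blob permissions, diagnostic settings, event hub, firewall and Front Door policy, Kubernetes, network watcher, suppression rule, guest invite, application credential and the rest). If the measured ingest delay for these feeds is known to sit well inside the new window, a one-line justification next to the key would stop the next maintainer widening it back, e.g. `from = "now-9m"  # ingest lag for azure.activitylogs measured well below this window`. The switch to `logs-azure.activitylogs-*` also assumes each query already filters on the matching `event.dataset`; the KQL is outside the hunk, so a rule that references another dataset (auditlogs, signinlogs) would silently lose coverage and should be checked file by file.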
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/26" [rule] author = ["Elastic"] @@ -10,8 +10,8 @@ description = """ Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Runbook Deleted" diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml index 1cc74712800..5a1294e7a65 100644 --- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml +++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/26" [rule] author = ["Austin Songer"] @@ -17,7 +17,8 @@ false_positives = [ Exceptions can be added to this rule to filter expected behavior. """, ] -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Blob Permissions Modification" diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml index c8cc16fb787..ae8cb40322a 100644 
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Diagnostic Settings Deletion"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index dfe015d92f0..54dcf6f5447 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Deletion"
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index 65b04a55d49..659abcd7089 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Firewall Policy Deletion"
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index 98b13b7e534..fdb6e86d150 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,8 +19,8 @@ false_positives = [
 is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted"
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 41d53464d9d..cb4039ba65b 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,8 +18,8 @@ false_positives = [
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Kubernetes Events Deleted"
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index df552106b54..8ede33b29b2 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Network Watcher Deletion"
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index 66bcb23efcf..33133ba71ba 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,8 +18,8 @@ false_positives = [
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Alert Suppression Rule Created or Modified"
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index 9bcee0ccb9e..55ec8eb4d50 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Blob Container Access Level Modification"
diff --git a/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml
index 51323a2db89..cc1543af328 100644
--- a/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -10,8 +10,8 @@ description = """ Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Runbook Created or Modified" diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml index b6262d8735f..ba5780f2239 100644 --- a/rules/integrations/azure/execution_command_virtual_machine.toml +++ b/rules/integrations/azure/execution_command_virtual_machine.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -20,8 +20,8 @@ false_positives = [ from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Command Execution on Virtual Machine" diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index 74ded59c560..6badbeb8f3e 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Austin Songer"] 
@@ -17,8 +17,8 @@ false_positives = [
 behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Kubernetes Pods Deleted"
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 9a3bd20a8cc..f04a52593d5 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,8 +19,8 @@ false_positives = [
 from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Resource Group Deletion"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 008456880d6..cc0023d3a6f 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Austin Songer"]
@@ -10,8 +10,8 @@ description = """ Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.signinlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Active Directory High Risk User Sign-in Heuristic" diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml index 5546372959c..58320da8210 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -17,8 +17,8 @@ false_positives = [ investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.signinlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Active Directory PowerShell Sign-in" diff --git a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml index 90f15f91401..2957e61e3d0 100644 --- a/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2025/09/26" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ accomplished by tricking a user into granting consent to the application, typica establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user. """ from = "now-9m" -index = ["logs-azure*"] +index = ["logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft Entra ID Illicit Consent Grant via Registered Application" diff --git a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml b/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml index f6686971a5f..0c202b8a455 100644 --- a/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml +++ b/rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -15,7 +15,7 @@ Insiders redirect location, prompting victims to return an OAuth authorization c tokens. This rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or credential phishing activity. """ -from = "now-25m" +from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" diff --git a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml index 690977b93b0..f179347f713 100644 --- a/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_rare_app_id_for_principal_auth.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ indicate an attempt to bypass conditional access policies (CAP) and multi-factor app ID specified may not be commonly used by the user based on their historical sign-in activity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" name = "Azure Entra ID Rare App ID for Principal Authentication" diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml index d78d3c2067f..500ea8310e4 100644 --- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/26" [rule] author = ["Elastic"] @@ -19,8 +19,8 @@ false_positives = [ hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.auditlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure External Guest User Invitation" diff --git a/rules/integrations/azure/persistence_azure_application_credential_modification.toml b/rules/integrations/azure/persistence_azure_application_credential_modification.toml index 615d8f3bda1..ba53cf37167 100644 --- a/rules/integrations/azure/persistence_azure_application_credential_modification.toml +++ b/rules/integrations/azure/persistence_azure_application_credential_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -20,8 +20,8 @@ false_positives = [ from the rule. """, ] -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.auditlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Application Credential Modification" diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml index 8ee4ea7b979..4e900d91a47 100644 --- a/rules/integrations/azure/persistence_azure_automation_account_created.toml +++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/26" [rule] author = ["Elastic"] @@ -11,8 +11,8 @@ Identifies when an Azure Automation account is created. Azure Automation account tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Account Created" diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml index c9fe10a5b40..248fba9c8ee 100644 --- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -11,8 +11,8 @@ Identifies when an Azure Automation webhook is created. Azure Automation runbook webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Webhook Created" diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml index 6275dcf8763..18286910267 100644 --- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2025/09/26" [rule] author = ["Elastic"] diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml index ba064465ed3..44795b883b1 100644 --- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ false_positives = [ from the rule. """, ] -index = ["filebeat-*", "logs-azure*"] +index = ["logs-azure.auditlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Global Administrator Role Addition to PIM User" diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml index 4900b86c812..92c1be58ff5 100644 --- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -12,8 +12,8 @@ monitor access to important resources in an organization. PIM can be used to man such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.auditlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Privilege Identity Management Role Modified" diff --git a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml index 674ba5a966b..a5b45d0fffa 100644 --- a/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml 
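Review bot: The first hunk on this line (Global Administrator role added to a PIM user) narrows `index` but, unlike the blob-permissions rule earlier in this commit, does not add a `from` key in the same position, so if `from` is not set elsewhere in the file this rule keeps the platform default lookback while every sibling in the batch is pinned to `now-9m`. Adding `from = "now-9m"` directly above the `index` line would keep the batch consistent; if the omission is deliberate, a short comment such as `# lookback intentionally left at default` would stop it being "fixed" in a later sweep. The rest of the rule body, including the query the new index pattern must match, is outside the hunk.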
@@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/03/24" +updated_date = "2025/09/26" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.auditlogs-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft Entra ID Conditional Access Policy (CAP) Modified" diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml index 8612b003fad..b2d9420100a 100644 --- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml +++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/07/31" +updated_date = "2025/09/26" [rule] author = ["Elastic"] @@ -12,6 +12,7 @@ may indicate an attempt to federate Entra ID with an attacker-controlled identit multi-factor authentication (MFA) and unauthorized access through bring-your-own IdP (BYOIDP) methods. """ from = "now-9m" +interval = "8m" language = "esql" license = "Elastic License v2" name = "OIDC Discovery URL Changed in Entra ID" diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml index 75718ef6ecc..c182f9aecb4 100644 --- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml 
@@ -2,7 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies sequence of events where a Microsoft Entra ID protection alert is followed by an attempt to register a new device by the same user principal. This behavior may indicate an adversary using a compromised account to register a device, potentially leading to unauthorized access to resources or persistence in the environment.
 """
 from = "now-9m"
-index = ["logs-azure*"]
+index = ["logs-azure.identity_protection-*", "logs-azure.auditlogs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Entra ID Protection Alert and Device Registration"
diff --git a/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml b/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml
index 345756c0cb2..8e2d37e82cf 100644
--- a/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/persistence_update_event_hub_auth_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -20,8 +20,8 @@ false_positives = [
 positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index e11f9805010..06586396bad 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -11,8 +11,8 @@ Identifies when a user is added as an owner for an Azure application. An adversa for an Azure application in order to grant additional permissions and modify the application's configuration using another account. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.auditlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "User Added as Owner for Azure Application" diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml index 26c05f7bc2a..f70a5d3b6b7 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Elastic"] @@ -13,8 +13,8 @@ service principal object is created when an application is given permission to a adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant. """ -from = "now-25m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.auditlogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "User Added as Owner for Azure Service Principal" 
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml index e249506ecb2..408ba4880c4 100644 --- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/09/26" +updated_date = "2025/09/30" [rule] author = ["Austin Songer"] @@ -12,8 +12,8 @@ Identifies the creation of role binding or cluster role bindings. You can assign create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles. """ -from = "now-20m" -index = ["filebeat-*", "logs-azure*"] +from = "now-9m" +index = ["logs-azure.activitylogs-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Azure Kubernetes Rolebindings Created" diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index e10126d0a2d..d2f9a375c79 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/29" integration = ["o365"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/09/26" [rule] author = ["Elastic", "Gary Blackwell", "Austin Songer"] @@ -18,8 +18,8 @@ false_positives = [ policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior. """, ] -from = "now-30m" -index = ["filebeat-*", "logs-o365*"] +from = "now-9m" +index = ["logs-o365.audit-*", "filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Inbox Forwarding Rule Created" 
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
index 37d9710d3a5..90f37ea4576 100644
--- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
+++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
+interval = "8m"
 language = "esql"
 license = "Elastic License v2"
 name = "M365 OneDrive Excessive File Downloads with OAuth Token"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
index 63b7a77432b..c7e0fa5da6a 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -11,6 +11,7 @@ Detects a burst of Microsoft 365 user account lockouts within a short 5-minute w
 errors across multiple user accounts may indicate brute-force attempts for the same users resulting in lockouts.
 """
 from = "now-9m"
+interval = "8m"
 language = "esql"
 license = "Elastic License v2"
 name = "Multiple Microsoft 365 User Account Lockouts in Short Time Window"
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index a48986bf801..f511dc9e4a7 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
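Review bot: The new `interval = "8m"` in the `@@ -18,6 +18,7 @@` hunk sits one minute inside the existing `from = "now-9m"`, and nothing on the page says why the overlap is that thin; a reader will take it for a typo of the usual 5m interval. Presumably the intent is that these are aggregating ES|QL queries, which Kibana cannot deduplicate across overlapping runs, so a wider overlap would re-alert on the same burst; that trade-off belongs in a comment above the key, e.g. `# 8m interval vs 9m lookback: 1m overlap only, aggregating ES|QL runs are not deduplicated`. One minute is also the entire margin against scheduler drift, so a delayed run leaves an uncovered gap, which the comment should acknowledge. The excessive-account-lockouts hunk on the same line makes the identical change and would take the same comment.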
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -16,8 +16,8 @@ false_positives = [
 positives.
 """,
 ]
-from = "now-20m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Excessive Single Sign-On Logon Errors"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml
index bde99c06e12..acb20c1c198 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 was expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml
index 390b6acf4af..3fc48d39708 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml
index 1ccb9aaf06f..0a2a4beeef7 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
 change was expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index e0321d00408..d5e1083e4e6 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ false_positives = [
 Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange DLP Policy Removed"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index a227d788063..4d836f3e117 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 was expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index b89dff6f8b3..79b64b231c6 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Rule Modification"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 2e79b68f418..12d720af219 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 was expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml
index 69f8c6c4073..5bfd1f880b6 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safelinks_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Link Policy Disabled"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index dce13781d53..5d38ed18549 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/13"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ Attackers can abuse this allowlist mechanism to conceal actions taken, as the ma
 the account.
 """
 false_positives = ["Legitimate allowlisting of noisy accounts"]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Mailbox Audit Logging Bypass"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml
index 52d47e15381..da9c9dbb909 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams Custom Application Interaction Allowed"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml
index 3a141c6f96e..ee006ed372e 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams External Access Enabled"
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index d40aaa34cf5..cf35e212f2f 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Creation"
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index 9700f5fb32d..394b20f0e86 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Modification"
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 58c441f2a04..8cbb99d4fdd 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -16,8 +16,8 @@ false_positives = [
 represent an adverse encryption process.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Potential ransomware activity"
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 4d93834da53..cccf432b3a3 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -2,14 +2,14 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
 description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security."
 false_positives = ["Users or System Administrator cleaning out folders."]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Unusual Volume of File Deletion"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
index f0b1a70874d..a3ac7c54f45 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ via a pre-made phishing URL. This establishes an OAuth grant that allows the mal
 resources in Microsoft 365 on-behalf-of the user.
 """
 from = "now-9m"
-index = ["logs-o365**"]
+index = ["logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Illicit Consent Grant via Registered Application"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 486a76585c0..71ba32be451 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Austin Songer"]
@@ -11,8 +11,8 @@ Identifies when a user has been restricted from sending email due to exceeding s
 per the Security Compliance Center.
 """
 false_positives = ["A user sending emails using personal distribution folders may trigger the event."]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 User Restricted from Sending Email"
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index b22dc87b3e8..836528e8658 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/12"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -13,8 +13,8 @@ malicious message. Educating users to report suspicious messages can help identi
 malware infections and Business Email Compromise attacks.
 """
 false_positives = ["Legitimate files reported by the users"]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Email Reported by User as Malware or Phish"
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 9db0c647094..b09969996f1 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -13,8 +13,8 @@ Users can inadvertently share these files without knowing their maliciousness, g
 initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "OneDrive Malware File Upload"
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 93ba7eb120e..76d1ad4fafc 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -13,8 +13,8 @@ access. Users can inadvertently share these files without knowing their maliciou
 to gain initial access to other endpoints in the environment.
 """
 false_positives = ["Benign files can trigger signatures in the built-in virus protection"]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SharePoint Malware File Upload"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 7263b6f9dad..af290642ec2 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ false_positives = [
 change was expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Management Group Role Assignment"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 1126bc7afa0..4e9942bee5e 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,8 +16,8 @@ false_positives = [
 expected. Exceptions can be added to this rule to filter expected behavior.
 """,
 ]
-from = "now-30m"
-index = ["filebeat-*", "logs-o365*"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams Guest Access Enabled"
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 956e2da3b51..d2b54ec81bc 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -10,7 +10,7 @@ description = """
 Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external
 identity provider.
 """
-index = ["filebeat-*", "logs-o365*"]
+index = ["logs-o365.audit-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "New or Modified Federation Domain"
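Review bot: The federation-domain hunk at `@@ -10,7 +10,7 @@` changes only `index` and leaves this rule without any `from` key, whereas every sibling rule in this commit receives `from = "now-9m"` next to the new index pattern. Without `from` the rule runs on Kibana's default lookback (the interval plus one minute of additional look-back, i.e. `now-6m` at the default 5m interval, as I understand it), which is a narrower window than the rest of the set and, for a rule watching a tenant-wide trust change, an easy place to lose an event. Adding `from = "now-9m"` on the line before `index = ["logs-o365.audit-*", "filebeat-*"]` keeps this file consistent with the others; the enclosing `[rule]` table continues outside the hunk.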