packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json

{
    "attributes": {
        "author": [
            "Elastic"
        ],
        "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
        "false_positives": [
            "A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
        ],
        "from": "now-30m",
        "index": [
            "filebeat-*",
            "logs-o365*"
        ],
        "language": "kuery",
        "license": "Elastic License v2",
        "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
        "note": "",
        "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
        "references": [
            "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
        ],
        "related_integrations": [
            {
                "package": "o365",
                "version": "^2.0.0"
            }
        ],
        "required_fields": [
            {
                "ecs": true,
                "name": "event.action",
                "type": "keyword"
            },
            {
                "ecs": true,
                "name": "event.category",
                "type": "keyword"
            },
            {
                "ecs": true,
                "name": "event.dataset",
                "type": "keyword"
            },
            {
                "ecs": true,
                "name": "event.outcome",
                "type": "keyword"
            },
            {
                "ecs": true,
                "name": "event.provider",
                "type": "keyword"
            }
        ],
        "risk_score": 21,
        "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
        "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
        "severity": "low",
        "tags": [
            "Domain: Cloud",
            "Data Source: Microsoft 365",
            "Use Case: Configuration Audit",
            "Tactic: Defense Evasion"
        ],
        "threat": [
            {
                "framework": "MITRE ATT&CK",
                "tactic": {
                    "id": "TA0005",
                    "name": "Defense Evasion",
                    "reference": "https://attack.mitre.org/tactics/TA0005/"
                },
                "technique": [
                    {
                        "id": "T1562",
                        "name": "Impair Defenses",
                        "reference": "https://attack.mitre.org/techniques/T1562/"
                    }
                ]
            }
        ],
        "timestamp_override": "event.ingested",
        "type": "query",
        "version": 103
    },
    "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_103",
    "type": "security-rule"
}