-
Notifications
You must be signed in to change notification settings - Fork 376
/
03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json
89 lines (89 loc) · 3.27 KB
/
03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
{
"attributes": {
"author": [
"Elastic"
],
"description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.",
"false_positives": [
"A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."
],
"from": "now-30m",
"index": [
"filebeat-*",
"logs-o365*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"note": "",
"query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n",
"references": [
"https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"
],
"related_integrations": [
{
"package": "o365",
"version": "^2.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": true,
"name": "event.outcome",
"type": "keyword"
},
{
"ecs": true,
"name": "event.provider",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b",
"setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
"severity": "low",
"tags": [
"Domain: Cloud",
"Data Source: Microsoft 365",
"Use Case: Configuration Audit",
"Tactic: Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 103
},
"id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_103",
"type": "security-rule"
}