Commit

fixing yamls
mvelazc0 committed Nov 9, 2023
1 parent 204843d commit 3151599
Showing 10 changed files with 12 additions and 12 deletions.
2 changes: 1 addition & 1 deletion detections/cloud/o365_advanced_audit_disabled.yml
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: The following analytic identifies instances where the O365 advanced audit is disabled for a specific user within the Office 365 tenant. It leverages O365 audit logs, specifically events related to audit license changes or modifications within the AzureActiveDirectory workloads. The O365 advanced audit provides granular logging and insights into user and administrator activities, making it a crucial tool for security monitoring and incident response. Disabling this audit for a user can blind security teams to potential malicious or unauthorized activities related to that user's mailbox or account. Attackers may disable these audits to obscure their actions and reduce the chances of detection. If an attacker successfully disables the O365 advanced audit for a user, they can operate within that user's mailbox or account with reduced risk of detection. This can lead to unauthorized data access, data exfiltration, account compromise, or other malicious activities without leaving a detailed audit trail.
search: >
search: >-
`o365_management_activity` Operation="Change user license."
| eval property_name = mvindex ('ExtendedProperties{}.Name', 1)
| search property_name = "extendedAuditEventCategory"
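Review bot: the `>` to `>-` change only strips the single trailing newline that the clip-chomping `>` keeps at the end of the folded search string; the folding itself is unchanged, so the SPL still arrives as one line with the `| eval` and `| search` pipes joined by spaces. That holds only if every continuation line is indented exactly like the first `o365_management_activity` line: in a folded scalar a more-indented line keeps its line break instead of folding, and a less-indented one is a YAML parse error, so it is worth confirming the indentation of the three search lines while touching this scalar.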
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: The following analytic identifies instances where a new owner is assigned to an application registration within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in owner assignments within the AzureActiveDirectory workload for application registrations. Assigning a new owner to an application registration can grant significant control over the application's configuration, permissions, and behavior. An unauthorized or inadvertent change in ownership can lead to misuse of the application, potentially affecting data access, user permissions, or the application's interactions within the tenant. Monitoring for such changes ensures that only legitimate and authorized personnel have control over application registrations. If an attacker successfully assigns themselves or a compromised account as an owner to an application registration, they can modify the application's settings, permissions, and behavior. This can lead to unauthorized data access, escalation of privileges, or the introduction of malicious behavior within the application's operations
search: >
search: >-
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application."
| eval app_id=mvindex('ModifiedProperties{}.NewValue', 0)
| eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1)
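Review bot: the description context line lacks a terminating period after `within the application's operations`. Also, `app_id` and `app_displayName` are read from fixed positions 0 and 1 of `ModifiedProperties{}.NewValue`, so a short comment in the file stating that ordering assumption would help whoever maintains this when the event schema shifts.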
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: This analytic detects when the "risk-based step-up consent" security setting in Microsoft 365 is disabled. This setting, when enabled, prevents regular users from granting consent to potentially malicious OAuth applications, requiring an administrative "step-up" for consent instead. Disabling this feature could expose the organization to OAuth phishing threats.The detection operates by monitoring Azure Active Directory logs for events where the "Update authorization policy" operation is performed. It specifically looks for changes to the "AllowUserConsentForRiskyApps" setting, identifying instances where this setting is switched to "true," effectively disabling the risk-based step-up consent. Monitoring for changes to critical security settings like the "risk-based step-up consent" is vital for maintaining the integrity of an organization's security posture. Disabling this feature can make the environment more susceptible to OAuth phishing attacks, where attackers trick users into granting permissions to malicious applications. Identifying when this setting is disabled can help blue teams to quickly respond, investigate, and potentially uncover targeted phishing campaigns against their users. If an attacker successfully disables the "risk-based step-up consent" and subsequently launches an OAuth phishing campaign, they could gain unauthorized access to user data and other sensitive information within the M365 environment. This could lead to data breaches, unauthorized access to emails, and potentially further compromise within the organization.
search: >
search: >-
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update authorization policy."
| eval index_number = if(mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps") >= 0, mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps"), -1)
| search index_number >= 0
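Review bot: the `index_number` eval calls `mvfind` twice for the same lookup; `mvfind` returns NULL when no element matches, and the following `| search index_number >= 0` already excludes NULL, so `| eval index_number = mvfind('ModifiedProperties{}.Name', "AllowUserConsentForRiskyApps")` is sufficient and easier to read. Separately, the description context line is missing a space in `threats.The detection`.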
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: This analytic identifies instances where a user in the Office 365 environment grants consent to an application that requests file permissions, specifically targeting OneDrive or SharePoint. Such permissions mean the application could potentially access, modify, or delete files stored within these services. The detection process leverages O365 audit logs, particularly focusing on events related to OAuth application consents. By examining these logs, the analytic is designed to capture and alert on any actions where users grant consent to applications requesting file-related permissions for OneDrive or SharePoint. The sensitivity of file permissions, especially in platforms as widely utilized as OneDrive and SharePoint, cannot be overstated. While many legitimate applications might require such permissions to operate, there's an inherent risk with malicious or overly permissive applications. Attackers could craft or exploit applications to gain file permissions, aiming to access, exfiltrate, or manipulate sensitive data housed in OneDrive or SharePoint. It's crucial for security operations centers to monitor these consents to ensure that only trustworthy applications gain access and that users aren't inadvertently granting permissions to potentially harmful applications. If this detection flags a true positive, it indicates that an application has been granted permissions that could allow it to interact with OneDrive or SharePoint files in potentially malicious ways. Such actions could lead to data breaches, data loss, or unauthorized data manipulation. Immediate investigation would be required to validate the application's legitimacy, understand the nature of its requested permissions, and assess the potential risks associated with the access it's been granted.
search: >
search: >-
`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success
| eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0)
| search admin_consent=False
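Review bot: `mvindex('ModifiedProperties{}.NewValue', 0)` ties the `admin_consent` value to a fixed position in the ModifiedProperties array rather than to the property's `Name`; if an event's property order differs, the filter `admin_consent=False` silently compares against the wrong value. Consider resolving the position with `mvfind` on `ModifiedProperties{}.Name`, as the authorization-policy detection in this commit does. Minor style: `admin_consent =mvindex` has inconsistent spacing around `=`.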
4 changes: 2 additions & 2 deletions detections/cloud/o365_high_privilege_role_granted.yml
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: This analytic detects when high-privilege roles, specifically "Exchange Administrator", "SharePoint Administrator", or "Global Administrator", are granted within Office 365. By monitoring O365 audit logs for events where these administrative roles are assigned to any user or service account, the analytic provides insight into critical role changes. The assignment of these roles is of paramount importance to Security Operations Centers (SOCs) as they grant extensive permissions, allowing for broad access and control over critical organizational resources and data. An unexpected or unauthorized role assignment could indicate potential malicious activity, insider threats, or misconfigurations. If an attacker or unauthorized individual is granted one of these roles, the potential impact includes gaining significant control over O365 resources, accessing, modifying, or deleting critical data, making configuration changes, and potentially compromising the overall security and functionality of the O365 environment.
search: >
search: >-
`o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory
| eval role_id = mvindex('ModifiedProperties{}.NewValue',2)
| eval role_name = mvindex('ModifiedProperties{}.NewValue',1)
Expand All @@ -29,7 +29,7 @@ tags:
asset_type: Office 365 tenant
confidence: 60
impact: 80
message: $User_Id$ granted high privilege roles to $Object_Id$
message: $UserId$ granted high privilege roles to $ObjectId$
mitre_attack_id:
- T1098
- T1098.003
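Review bot: renaming the tokens to `$UserId$` and `$ObjectId$` only fixes the risk message if the search's output fields carry exactly those names; the `stats`/`table` part of the search is outside this hunk, so please confirm `UserId` and `ObjectId` are emitted there, otherwise the message renders with the literal `$UserId$` and `$ObjectId$` tokens.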
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: The following analytic identifies instances where a user grants consent to an application that requests mail related permissions within the Office 365 environment. This could involve permissions to read, send, or manage mail settings. It leverages the O365 audit logs, specifically events related to application permissions and user consent actions. By filtering for mail-related permissions and user-granted consents, the analytic pinpoints potential security concerns. While many legitimate applications request mail permissions for valid reasons, malicious actors can exploit these permissions for data exfiltration, spear phishing, or other malicious activities. By monitoring for user-granted mail permissions, security teams can identify and review potentially risky consents, ensuring that only trusted applications have access to sensitive email data. If the detection is a true positive, it indicates that an application now has access to the users mail data as permitted. In the hands of a malicious actor, this could lead to unauthorized data access, email forwarding, or even the sending of malicious emails from the compromised account. Its crucial to validate the legitimacy of the application and the context of the consent to prevent potential data breaches or further malicious activities.
search: >
search: >-
`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Success
| eval admin_consent =mvindex('ModifiedProperties{}.NewValue', 0)
| search admin_consent=False
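Review bot: two typos in the description context line: `the users mail data` should be `the user's mail data` and `Its crucial` should be `It's crucial`. The three search lines here are identical to the opening of the OneDrive/SharePoint file-permissions consent detection above; if the two detections only diverge in the permission filter that follows, a sentence in the description saying so would make the overlap clearly intentional.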
Expand Up @@ -13,7 +13,7 @@ description: The following analytic identifies instances where the Mail.Read Gra
access and that any inadvertent or malicious assignments are promptly identified.
If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to
data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
search: >
search: >-
`o365_management_activity` Operation="Update application."
| eval json_data=mvindex('ModifiedProperties{}.NewValue', 0)
| eval json_data=replace(json_data, "^\[\s*", "")
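Review bot: the regex `"^\[\s*"` relies on the block scalar passing backslashes through literally, which both `>` and `>-` do; just don't move this search into a double-quoted YAML string later, where `\[` and `\s` would need escaping or fail to parse. The `@@ -13` header also shows the description here split across multiple lines, unlike the single-line descriptions in the other files; harmless, but worth normalizing in the same "fixing yamls" pass.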
2 changes: 1 addition & 1 deletion detections/cloud/o365_new_mfa_method_registered.yml
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: This analytic detects the registration of a new Multi-Factor Authentication (MFA) method associated with a user account within Office 365 by monitoring O365 audit logs and configurations. While adding a new MFA method can be a routine and legitimate action, it can also be indicative of an attacker's attempt to maintain persistence on a compromised account. By registering a new MFA method, attackers can potentially bypass existing security measures, allowing them to authenticate using stolen credentials without raising alarms. Monitoring for such changes is crucial, especially if the addition is not preceded by a user request or if it deviates from typical user behavior. If an attacker successfully registers a new MFA method on a compromised account, they can solidify their access, making it harder for legitimate users to regain control. The attacker can then operate with the privileges of the compromised account, potentially accessing sensitive data, making unauthorized changes, or even escalating their privileges further. Immediate action would be required to verify the legitimacy of the MFA change and, if malicious, to remediate and secure the affected account.
search: >
search: >-
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update user."
| eval propertyName = mvindex('ModifiedProperties{}.Name', 0)
| search propertyName = StrongAuthenticationMethod
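Review bot: `propertyName = StrongAuthenticationMethod` is an unquoted bare value, unlike the quoted values elsewhere in this commit (`"extendedAuditEventCategory"`, `"AllPrincipals"`); it works in SPL, but quoting it keeps the files consistent and avoids surprises if the value ever contains characters SPL treats specially.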
4 changes: 2 additions & 2 deletions detections/cloud/o365_tenant_wide_admin_consent_granted.yml
Expand Up @@ -7,8 +7,8 @@ status: production
type: TTP
data_source: []
description: The following analytic identifies instances where admin consent is granted to an application within an Azure AD and Office 365 tenant. It leverages O365 audit logs, specifically events related to the admin consent action within the AzureActiveDirectory workload. The admin consent action allows applications to access data across the entire tenant, potentially encompassing a vast amount of organizational data. Given its broad scope and the sensitivity of some permissions that can only be granted via admin consent, it's crucial to monitor this action. Unauthorized or inadvertent granting of admin consent can lead to significant security risks, including data breaches, unauthorized data access, and potential compliance violations. If an attacker successfully tricks an administrator into granting admin consent to a malicious or compromised application, they can gain extensive and persistent access to organizational data. This can lead to data exfiltration, espionage, further malicious activities within the tenant, and potential breaches of compliance regulations
search: >
`o365_management_activity` Operation="Consent to application."
search: >-
`o365_management_activity` Operation="Consent to application."
| eval new_field=mvindex('ModifiedProperties{}.NewValue', 4)
| rex field=new_field "ConsentType: (?<ConsentType>[^\,]+)"
| search ConsentType = "AllPrincipals"
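Review bot: this hunk replaces the first `o365_management_activity` line with a visually identical one, so the change is whitespace-only; please confirm the new first line is indented exactly like the `| eval`, `| rex` and `| search` lines beneath it. In a folded scalar the first line fixes the content indentation, so a mismatch either raises a YAML error or leaves the pipes on separate lines instead of folding them into one search. The description context line also lacks a terminating period after `breaches of compliance regulations`.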
Expand Up @@ -7,7 +7,7 @@ status: production
type: TTP
data_source: []
description: The following analytic identifies instances where Office 365 has blocked a user's attempt to grant consent to an application deemed risky or potentially malicious. This suggests that the application has exhibited behaviors or characteristics that are commonly associated with malicious intent or poses a security risk. This detection leverages the O365 audit logs, specifically focusing on events related to user consent actions and system-driven blocks. By filtering for blocked consent actions associated with applications, the analytic highlights instances where O365's built-in security measures have intervened. Applications that are flagged and blocked by O365 typically exhibit suspicious characteristics or behaviors. Monitoring for these blocked consent attempts helps security teams identify potential threats early on and can provide insights into users who might be targeted or susceptible to such risky applications. It's an essential layer of defense in ensuring that malicious or risky applications don't gain access to organizational data. If the detection is a true positive, it indicates that the built-in security measures of O365 successfully prevented a potentially harmful application from gaining access. However, the attempt itself suggests that either a user might be targeted or that there's a presence of malicious applications trying to infiltrate the organization. Immediate investigation is required to understand the context of the block and to take further preventive measures.
search: >
search: >-
`o365_management_activity` Workload=AzureActiveDirectory Operation="Consent to application." ResultStatus=Failure
| eval permissions =mvindex('ModifiedProperties{}.NewValue', 4)
| eval reason =mvindex('ModifiedProperties{}.NewValue', 5)