[New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365 #4994
+62
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| [metadata] | ||
| creation_date = "2025/08/19" | ||
| integration = ["o365"] | ||
| maturity = "production" | ||
| promotion = true | ||
| updated_date = "2025/08/19" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365. | ||
| Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Signals are generated by Microsoft Defender for Office 365. False-positives may occur if legitimate user activity is | ||
| misclassified as a threat. | ||
| """, | ||
| ] | ||
| from = "now-9m" | ||
| index = ["filebeat-*", "logs-o365.audit-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| max_signals = 1000 | ||
| name = "Threat Intelligence Signal - Microsoft Defender for Office 365" | ||
| note = "For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).\n" | ||
| references = [ | ||
| "https://learn.microsoft.com/en-us/purview/audit-supported-services", | ||
| "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365", | ||
| "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "60c814fc-7d06-11f0-b326-f661ea17fbcd" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Domain: SaaS", | ||
| "Data Source: Microsoft 365", | ||
| "Data Source: Microsoft 365 Audit Logs", | ||
| "Use Case: Threat Detection", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| event.dataset: "o365.audit" and event.code: "ThreatIntelligence" | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1566" | ||
| name = "Phishing" | ||
| reference = "https://attack.mitre.org/techniques/T1566/" | ||
|
Comment on lines
+50
to
+55
There was a problem hiding this comment. Is this true for all generated signals? There was a problem hiding this comment. |
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to adjust this event in the integrations to gave
event.kindset toalert, so we automatically push an alert for it using the default promotion rule?Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great question. Honestly I do not see why not other than keeping them separate for our visibility. Checking telemetry, I see we have several promotions for compliance related alerts. Based on docs from MSFT, this seems to be a good fit for adjusting
event.kindtoalert. The only other consideration is max signals for external alerts and potentially missing these if the threshold is hit because of compliance related alerts that are noisy. I'd rather keep separate as a rule.