# Rule metadata read by the detection-rules tooling (this repository is a
# fork of elastic/detection-rules). Dates are YYYY/MM/DD strings, not TOML
# date values.
[metadata]
creation_date = "2022/01/13"
# Data source this rule depends on; the [rule] `note` names the Office 365
# Logs Fleet integration or the Filebeat module as compatible inputs.
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified
mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some
authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a
large number of mailbox audit log entries and may not be of interest to your organization. Because of this,
administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged.
Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
the account.
"""
false_positives = ["Legitimate allowlisting of noisy accounts"]
# Lookback window for each rule execution; measured against the field named
# in timestamp_override below.
from = "now-30m"
# Both the Filebeat o365 module output (filebeat-*) and the Fleet
# integration data stream (logs-o365*) are searched.
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Mailbox Audit Logging Bypass"
note = """## Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://twitter.com/misconfig/status/1476144066807140355"]
# 47 is the risk_score value Elastic pairs with severity = "medium".
risk_score = 47
rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
severity = "medium"
# NOTE(review): "Tactic: Initial Access" has no matching [[rule.threat]]
# entry below (only Defense Evasion / TA0005 is mapped) — confirm whether the
# tag is intentional or should be dropped.
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"]
# Evaluate the lookback on ingest time rather than event time, presumably to
# tolerate delayed delivery of o365 audit records — confirm.
timestamp_override = "event.ingested"
type = "query"
# Fires on every successful Set-MailboxAuditBypassAssociation cmdlet call
# logged by Exchange. The query does not distinguish enabling a bypass from
# clearing one (the cmdlet's AuditBypassEnabled parameter), so both match.
# NOTE(review): a tuned variant could constrain on that parameter if the
# integration exposes cmdlet parameters (o365.audit.Parameters.*) — verify
# the field name and value form against ingested events before relying on it.
query = '''
event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
'''
# ATT&CK mapping: one tactic (Defense Evasion, TA0005) with a single
# technique / sub-technique pair. Headers are ordered parent → child so each
# nested [[...]] attaches to the element above it.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
# Sub-table of this [[rule.threat]] element; it must stay before any further
# [[rule.threat]] header or it would attach to the wrong element.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"