In-Progress

2024-11-07 01:45:21 +00:00 · 2021-08-23 18:55:29 +00:00 · 2021-08-23 18:55:29 +00:00 · 41786a1b63
commit 41786a1b63
parent 1834324a16
6 changed files with 144 additions and 0 deletions
--- a/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
+++ b/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - Activity performed by terminated user
+id: 
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported 
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity performed by terminated user"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1537
--- a/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - Activity from infrequent country
+id: 
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported 
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: 
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity from infrequent country"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.initial_access
+    - 
--- a/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_activity_from_ip_addresses.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - Activity from anonymous IP addresses
+id: 
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported 
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: 
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity from anonymous IP addresses"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.initial_access
+    - 
--- a/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
+++ b/rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - Activity from suspicious IP addresses
+id: 
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported 
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: 
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity from suspicious IP addresses"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.initial_access
+    - 
--- a/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - 
+id: 
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported 
+author: Austin Songer @austinsonger
+date: 2021/08/22
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: 
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Suspicious inbox forwarding"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.initial_access
+    - 
--- a/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
+++ b/rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml
@ -0,0 +1,24 @@
+title: Microsoft 365 - 
+id: 
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported 
+author: Austin Songer @austinsonger
+date: 2021/08/22
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: 
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Suspicious OAuth app file download activities"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.initial_access
+    -