nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml

@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a
+large number of processes remotely on other machines can be an indicator of lateral movement activity.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_sum_rdp_number_of_processes"
+name = "Spike in Number of Processes in an RDP Session"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Number of Processes in an RDP Session
+
+Remote Desktop Protocol (RDP) allows users to connect to other computers over a network, facilitating remote work and administration. However, adversaries can exploit RDP for lateral movement by executing numerous processes on a target machine. The detection rule leverages machine learning to identify anomalies in process activity during RDP sessions, flagging potential exploitation attempts indicative of lateral movement tactics.
+
+### Possible investigation steps
+
+- Review the specific RDP session details, including the source and destination IP addresses, to identify the involved machines and users.
+- Analyze the list of processes that were started during the RDP session to identify any unusual or suspicious processes that are not typically associated with legitimate remote work activities.
+- Check the user account associated with the RDP session for any signs of compromise, such as recent password changes or unusual login times.
+- Correlate the detected spike in processes with other security events or logs, such as firewall logs or intrusion detection system alerts, to identify any related suspicious activities.
+- Investigate the network traffic between the source and destination machines during the RDP session to detect any anomalies or unauthorized data transfers.
+- Review historical data for the involved user and machines to determine if similar spikes in process activity have occurred in the past, which could indicate a pattern of malicious behavior.
+
+### False positive analysis
+
+- High-volume automated tasks or scripts executed during RDP sessions can trigger false positives. Identify and document these tasks, then create exceptions in the detection rule to exclude them from analysis.
+- Routine administrative activities, such as software updates or system maintenance, may result in a spike in processes. Regularly review and whitelist these activities to prevent unnecessary alerts.
+- Scheduled batch jobs or data processing tasks that run during RDP sessions can be mistaken for lateral movement. Ensure these are logged and excluded from the rule's scope by setting up appropriate filters.
+- Development or testing environments where multiple processes are frequently started as part of normal operations can lead to false positives. Clearly define these environments and adjust the rule to ignore such sessions.
+
+### Response and remediation
+
+- Isolate the affected machine from the network to prevent further lateral movement and contain the threat.
+- Terminate any suspicious or unauthorized processes identified during the RDP session to halt potential malicious activity.
+- Conduct a thorough review of the affected machine's security logs to identify any additional indicators of compromise or related suspicious activity.
+- Reset credentials for any accounts that were used during the suspicious RDP session to prevent unauthorized access.
+- Apply security patches and updates to the affected machine and any other vulnerable systems to mitigate exploitation of known vulnerabilities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
+- Enhance monitoring and detection capabilities for RDP sessions by implementing stricter access controls and logging to detect similar anomalies in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml

@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
+movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
+valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
+to evade detection.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_count_remote_file_transfer"
+name = "Spike in Remote File Transfers"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Remote File Transfers
+
+Remote file transfer technologies facilitate data sharing across networks, essential for collaboration and operations. However, adversaries exploit these to move laterally within a network, often transferring data stealthily to avoid detection. The 'Spike in Remote File Transfers' detection rule leverages machine learning to identify unusual transfer volumes, signaling potential malicious activity by comparing against established network baselines.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific host and time frame associated with the abnormal file transfer activity.
+- Analyze network logs and remote file transfer logs to determine the source and destination of the transfers, focusing on any unusual or unauthorized endpoints.
+- Cross-reference the identified host with known assets and user accounts to verify if the activity aligns with expected behavior or if it involves unauthorized access.
+- Investigate any associated user accounts for signs of compromise, such as unusual login times or locations, by reviewing authentication logs.
+- Check for any recent changes or anomalies in the network baseline that could explain the spike in file transfers, such as new software deployments or legitimate large data migrations.
+- Correlate the detected activity with other security alerts or incidents to identify potential patterns or coordinated attacks within the network.
+
+### False positive analysis
+
+- Regularly scheduled data backups or synchronization tasks can trigger false positives. Identify these tasks and create exceptions to prevent them from being flagged.
+- Automated software updates or patch management systems may cause spikes in file transfers. Exclude these systems from the rule to reduce false alerts.
+- Internal data sharing between departments for legitimate business purposes might be misidentified. Establish a baseline for these activities and adjust the detection thresholds accordingly.
+- High-volume data transfers during specific business operations, such as end-of-month reporting, can be mistaken for malicious activity. Temporarily adjust the rule settings during these periods to accommodate expected increases in transfer volumes.
+- Frequent file transfers from trusted external partners or vendors should be monitored and, if consistently benign, added to an allowlist to minimize unnecessary alerts.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent further lateral movement and potential data exfiltration. Disconnect it from the network to contain the threat.
+- Conduct a thorough analysis of the transferred files to determine if sensitive data was involved and assess the potential impact of the data exposure.
+- Review and terminate any unauthorized remote access sessions or services on the affected host to prevent further exploitation.
+- Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access.
+- Apply security patches and updates to the affected systems to address any vulnerabilities that may have been exploited by the attackers.
+- Monitor network traffic for any additional unusual remote file transfer activities, using enhanced logging and alerting to detect similar threats in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual
+time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger
+attack.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
+name = "Unusual Time or Day for an RDP Session"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Time or Day for an RDP Session
+
+Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT management but also a target for adversaries seeking unauthorized access. Attackers exploit RDP by initiating sessions at odd hours to avoid detection. The detection rule leverages machine learning to identify atypical RDP session timings, flagging potential lateral movement attempts for further investigation.
+
+### Possible investigation steps
+
+- Review the timestamp of the RDP session to determine the specific unusual time or day it was initiated, and correlate it with known business hours or scheduled maintenance windows.
+- Identify the source and destination IP addresses involved in the RDP session to determine if they are internal or external, and check for any known associations with previous security incidents.
+- Examine the user account used to initiate the RDP session, verifying if it is a legitimate account and if the login aligns with the user's typical behavior or role within the organization.
+- Check for any additional suspicious activities or alerts involving the same user account or IP addresses around the time of the unusual RDP session, such as failed login attempts or access to sensitive files.
+- Investigate any recent changes or anomalies in the network or system configurations that could have facilitated the unusual RDP session, such as newly opened ports or modified firewall rules.
+- Consult logs from other security tools or systems, such as SIEM or endpoint detection and response (EDR) solutions, to gather more context on the RDP session and any related activities.
+
+### False positive analysis
+
+- Regular maintenance activities by IT staff during off-hours can trigger false positives. Identify and document these activities to create exceptions in the detection rule.
+- Scheduled automated tasks or scripts that initiate RDP sessions at unusual times may be misclassified. Review and whitelist these tasks to prevent unnecessary alerts.
+- Time zone differences for remote employees accessing systems outside of standard business hours can lead to false positives. Adjust detection parameters to account for these time zone variations.
+- Third-party vendors or contractors who require access at non-standard times should be documented and their access patterns reviewed to establish exceptions.
+- Emergency access situations where IT staff need to respond to critical incidents outside normal hours should be logged and considered when analyzing alerts.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
+- Terminate the suspicious RDP session to halt any ongoing unauthorized activities.
+- Conduct a thorough review of the affected system's logs and processes to identify any malicious activities or changes made during the session.
+- Reset credentials for any accounts accessed during the unusual RDP session to prevent further unauthorized use.
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
+- Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml

@@ -0,0 +1,146 @@
+[metadata]
+creation_date = "2025/06/17"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/06/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an excessive number of Microsoft 365 mailbox items accessed by a user either via aggregated counts or
+throttling. Microsoft audits mailbox access via the MailItemsAccessed event, which is triggered when a user accesses
+mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, it is then throttled. Excessive
+mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a
+target's mailbox. This rule detects both the throttled and unthrottled events with a high threshold.
+"""
+false_positives = [
+    """
+    Legitimate users may access a large number of mailbox items in a short period, especially in environments with high
+    email volume or during data migrations. If this is expected behavior, consider adjusting the rule or adding
+    exceptions for specific users or groups.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Excessive Microsoft 365 Mailbox Items Accessed"
+note = """## Triage and analysis
+
+### Investigating Excessive Microsoft 365 Mailbox Items Accessed
+
+Identifies an excessive number of Microsoft 365 mailbox items accessed by a user either via aggregated counts or throttling. Microsoft audits mailbox access via the MailItemsAccessed event, which is triggered when a user accesses mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, it is then throttled. Excessive mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a target's mailbox. This rule detects both the throttled and unthrottled events with a high threshold.
+
+### Possible investigation steps
+- Review `host.name` to identify the tenant where the mailbox access occurred.
+- Review `o365.audit.UserId` or `o365.audit.MailboxOwnerUPN` to identify the user associated with the mailbox access.
+- Examine `o365.audit.ExternalAccess` to determine if the mailbox access was performed by an external user or application.
+- Check the geolocation data to identify the location from which the mailbox access occurred. Is this an expected location for the user?
+- Check `o365.audit.ClientAppId` to identify the application used for mailbox access. Look for any unusual or unexpected applications but be aware that some legitimate applications may also trigger this rule if OAuth phishing was used.
+- Review `o365.audit.Folders.Path` and `o365.audit.Folders.FolderItems.Id` to identify the specific folders and items accessed within the mailbox. Look for any sensitive or high-value folders that may indicate targeted access.
+- For specific items accessed, examine `o365.audit.Folders.FolderItems.Id` to gather more context on the accessed mailbox items.
+- User types can be identified by checking `o365.audit.UserType`. Review if the mailbox of the user is a member, admin or delegate.
+- If Entra ID logs are available, checking the risk status via `azure.signinlogs.properties.risk_state` and `azure.signinlogs.properties.risk_level` can provide additional context on the user's risk status during the mailbox access.
+
+### False positive analysis
+- Legitimate users may access a large number of mailbox items in a short period, especially in environments with high email volume or during data migrations. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or groups.
+- Automated processes or scripts that access mailbox items may also trigger this rule. If these processes are legitimate and necessary, consider adding exceptions for the specific applications or users involved.
+- Users with high email activity, such as helpdesk or support roles, may trigger this rule due to their job responsibilities. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or groups.
+
+### Response and remediation
+- Investigate the user account associated with the excessive mailbox access to determine if it has been compromised or if the activity is expected behavior.
+- If the mailbox access is confirmed to be suspicious or unauthorized, take immediate action to revoke the access token and prevent further access.
+- Disable the user account temporarily to prevent any potential compromise or unauthorized access.
+- Review the user's recent sign-in activity and access patterns to identify any potential compromise or unauthorized access.
+- If the user account is compromised, initiate a password reset and enforce multi-factor authentication (MFA) for the user.
+- Review the conditional access policies in place to ensure they are sufficient to prevent unauthorized access to sensitive resources.
+- Examine how the mailbox access was performed. If it was done via a third-party application, review the permissions granted to that application and consider revoking them if they are not necessary.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts#use-mailitemsaccessed-audit-records-for-forensic-investigations",
+    "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
+]
+risk_score = 47
+rule_id = "7fc95782-4bd1-11f0-9838-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Email",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Use Case: Threat Detection",
+    "Tactic: Collection",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "o365.audit" and
+    event.provider: "Exchange" and
+    event.action: "MailItemsAccessed" and
+    event.code: "ExchangeItemAggregated" and
+    (
+        (
+            o365.audit.OperationProperties.Name: "IsThrottled" and
+            o365.audit.OperationProperties.Value: "True"
+        ) or o365.audit.OperationCount >= 100
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+    "user.id",
+    "user.name",
+    "user.email",
+    "user.domain",
+    "event.id",
+    "event.action",
+    "event.outcome",
+    "event.provider",
+    "source.ip",
+    "related.ip",
+    "related.user",
+    "o365.audit.ClientAppId",
+    "o365.audit.AppId",
+    "o365.audit.AppAccessContext.UniqueTokenId",
+    "o365.audit.OperationCount",
+    "o365.audit.MailboxOwnerUPN",
+    "o365.audit.MailboxOwnerSid",
+    "o365.audit.MailboxGuid",
+    "o365.audit.UserKey",
+    "o365.audit.LogonUserSid",
+    "o365.audit.TokenTenantId",
+    "o365.audit.OriginatingServer",
+    "o365.audit.ClientInfoString",
+    "o365.audit.CreationTime",
+    "o365.audit.ResultStatus",
+    "source.geo.country_iso_code",
+    "source.geo.country_name",
+    "source.geo.continent_name",
+    "source.geo.location",
+    "cloud.account.id",
+    "cloud.provider",
+    "cloud.region",
+    "cloud.service.name",
+]
+