PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1536) hide show

nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml ADDED Viewed

@@ -0,0 +1,97 @@
+[metadata]
+creation_date = "2022/01/13"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/30"
+[rule]
+author = ["Elastic"]
+description = """
+Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified
+mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some
+authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a
+large number of mailbox audit log entries and may not be of interest to your organization. Because of this,
+administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged.
+Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by
+the account.
+"""
+false_positives = ["Legitimate allowlisting of noisy accounts"]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "O365 Mailbox Audit Logging Bypass"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating O365 Mailbox Audit Logging Bypass
+In Microsoft 365 environments, mailbox audit logging is crucial for tracking user activities like accessing or deleting emails. However, administrators can exempt certain accounts from logging to reduce noise, which attackers might exploit to hide their actions. The detection rule identifies successful attempts to create such exemptions, signaling potential misuse of this bypass mechanism.
+### Possible investigation steps
+- Review the event logs for entries with event.dataset set to o365.audit and event.provider set to Exchange to confirm the presence of the Set-MailboxAuditBypassAssociation action.
+- Identify the account associated with the event.action Set-MailboxAuditBypassAssociation and verify if it is a known and authorized account for creating audit bypass associations.
+- Check the event.outcome field to ensure the action was successful and determine if there are any other related unsuccessful attempts that might indicate trial and error by an attacker.
+- Investigate the history of the account involved in the bypass association to identify any unusual or suspicious activities, such as recent changes in permissions or unexpected login locations.
+- Cross-reference the account with any known third-party tools or lawful monitoring accounts to determine if the bypass is legitimate or potentially malicious.
+- Assess the risk and impact of the bypass by evaluating the types of activities that would no longer be logged for the account in question, considering the organization's security policies and compliance requirements.
+### False positive analysis
+- Authorized third-party tools may generate a high volume of mailbox audit log entries, leading to bypass associations being set. Review and document these tools to ensure they are legitimate and necessary for business operations.
+- Accounts used for lawful monitoring might be exempted from logging to reduce noise. Verify that these accounts are properly documented and that their activities align with organizational policies.
+- Regularly review the list of accounts with bypass associations to ensure that only necessary and approved accounts are included. Remove any accounts that no longer require exemptions.
+- Implement a process for periodically auditing bypass associations to detect any unauthorized changes or additions, ensuring that only intended accounts are exempted from logging.
+- Consider setting up alerts for any new bypass associations to quickly identify and investigate potential misuse or unauthorized changes.
+### Response and remediation
+- Immediately isolate the account associated with the successful Set-MailboxAuditBypassAssociation event to prevent further unauthorized actions.
+- Review and revoke any unauthorized mailbox audit bypass associations to ensure all relevant activities are logged.
+- Conduct a thorough audit of recent activities performed by the affected account to identify any suspicious or malicious actions that may have been concealed.
+- Reset credentials for the compromised account and any other accounts that may have been affected to prevent further unauthorized access.
+- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
+- Implement additional monitoring for similar bypass attempts to enhance detection capabilities and prevent recurrence.
+- Consider escalating the incident to a higher security tier or external cybersecurity experts if the scope of the breach is extensive or if internal resources are insufficient to handle the threat.
+## Setup
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://twitter.com/misconfig/status/1476144066807140355"]
+risk_score = 47
+rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml ADDED Viewed

@@ -0,0 +1,140 @@
+[metadata]
+creation_date = "2025/05/22"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/05/22"
+[rule]
+author = ["Elastic", "Jamie Lee"]
+description = """
+Identifies when a user creates a new inbox rule in Microsoft 365 that deletes or moves emails containing suspicious
+keywords. Adversaries who have compromised accounts often create inbox rules to hide alerts, security notifications, or
+other sensitive messages by automatically deleting them or moving them to obscure folders. Common destinations include
+Deleted Items, Junk Email, RSS Feeds, and RSS Subscriptions. This is a New Terms rule that triggers only when the user
+principal name and associated source IP address have not been observed performing this activity in the past 14 days.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails"
+note = """## Triage and Analysis
+### Investigating Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
+This detection identifies the creation of potentially malicious inbox rules in Microsoft 365. These rules automatically delete or move emails with specific keywords such as "invoice", "payment", "security", or "phish". Adversaries often use these rules post-compromise to conceal warning emails, alerts from security tools, or responses from help desk teams, thereby evading detection and maintaining access.
+This is a new terms rule that alerts only when the combination of `user.id` and `source.ip` has not performed this activity in the last 14 days.
+### Possible investigation steps
+- Review the `user.id` and `user.email` fields to identify the user account that created the inbox rule.
+- Confirm the rule creation action in `event.action` is `New-InboxRule` and that the `event.outcome` is `success`.
+- Investigate the `o365.audit.Parameters.SubjectContainsWords` field for sensitive or suspicious keywords such as:
+  - `invoice`, `payment`, `reset`, `phish`, `login`, `fraud`, `alert`, etc.
+- Check if the rule performs any of the following:
+  - `MoveToFolder`: suspicious folders like `RSS Feeds`, `Junk Email`, or `Deleted Items`.
+  - `DeleteMessage`: if present, suggests the rule is meant to hide communications.
+- Review the `source.ip` and `source.geo.*` fields to validate whether the IP address and location match expected user behavior.
+- Examine whether the rule was created via a suspicious interface like Exchange Admin or through external automation.
+- Check for recent sign-in anomalies, credential changes, or unusual mailbox activity for the user (e.g., email forwarding, MFA prompts).
+### False positive analysis
+- Some rules may be created by users for legitimate purposes (e.g., moving newsletters).
+- Outlook plugins or automated email management tools could create rules that resemble this behavior.
+- Newly onboarded employees might configure rules for personal filtering without malicious intent.
+### Response and remediation
+- If the rule is determined to be malicious:
+  - Remove the inbox rule immediately.
+  - Review the user’s mailbox for signs of data theft or additional manipulation (e.g., auto-forwarding, altered reply-to addresses).
+  - Investigate surrounding activity such as MFA changes, token refreshes, or admin role assignments.
+  - Revoke tokens and initiate a password reset for the compromised user.
+- If broader compromise is suspected:
+  - Review audit logs for other inbox rule creations across the tenant.
+  - Check whether other users from the same source IP performed similar activity.
+  - Educate the user on safe email handling and rule creation best practices.
+- Strengthen detection:
+  - Enable Microsoft Defender for Office 365 Safe Rules.
+  - Use mailbox auditing and DLP policies to monitor hidden inbox activity.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack",
+    "https://learn.microsoft.com/en-us/defender-xdr/alert-grading-playbook-inbox-manipulation-rules",
+    "https://blog.barracuda.com/2023/09/20/threat-spotlight-attackers-inbox-rules-evade-detection",
+]
+risk_score = 47
+rule_id = "40fe11c2-376e-11f0-9a82-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Domain: Email",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.dataset: "o365.audit" and
+    event.action: "New-InboxRule" and event.outcome: "success" and
+    o365.audit.Parameters.SubjectContainsWords: (
+        *phish* or
+        *hack* or
+        *alert* or
+        *malware* or
+        *security* or
+        *invoice* or
+        *payment* or
+        *wire* or
+        *transfer* or
+        *fraud* or
+        *reset* or
+        *unusual* or
+        *protection* or
+        *login* or
+        *suspicious*
+    ) and (
+    o365.audit.Parameters.DeleteMessage: True or
+    o365.audit.Parameters.MoveToFolder: (
+        *Deleted* or
+        *Junk* or
+        *RSS*
+    )
+)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.008"
+name = "Email Hiding Rules"
+reference = "https://attack.mitre.org/techniques/T1564/008/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "source.ip"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml ADDED Viewed

@@ -0,0 +1,165 @@
+[metadata]
+creation_date = "2025/05/01"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/26"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies sign-ins on behalf of a principal user to the Microsoft Graph API from multiple IPs using the Microsoft
+Authentication Broker or Visual Studio Code application. This behavior may indicate an adversary using a phished OAuth
+refresh token.
+"""
+from = "now-60m"
+interval = "59m"
+language = "esql"
+license = "Elastic License v2"
+name = "Suspicious Microsoft 365 UserLoggedIn via OAuth Code"
+note = """## Triage and analysis
+### Investigating Suspicious Microsoft 365 UserLoggedIn via OAuth Code
+### Possible Investigation Steps:
+- `o365.audit.UserId`: The identity value the application is acting on behalf of principal user.
+- `unique_ips`: Analyze the list of unique IP addresses used within the 30-minute window. Determine whether these originate from different geographic regions, cloud providers, or anonymizing infrastructure (e.g., Tor or VPNs).
+- `target_time_window`: Use the truncated time window to pivot into raw events to reconstruct the full sequence of resource access events, including exact timestamps and service targets.
+- `azure.auditlogs` to check for device join or registration events around the same timeframe.
+- `azure.identityprotection` to identify correlated risk detections, such as anonymized IP access or token replay.
+- Any additional sign-ins from the `ips` involved, even outside the broker, to determine if tokens have been reused elsewhere.
+### False Positive Analysis
+- Developers or IT administrators working across environments may also produce similar behavior.
+### Response and Remediation
+- If confirmed unauthorized, revoke all refresh tokens for the affected user and remove any devices registered during this session.
+- Notify the user and determine whether the device join or authentication activity was expected.
+- Audit Conditional Access and broker permissions (`29d9ed98-a469-4536-ade2-f981bc1d605e`) to ensure policies enforce strict access controls.
+- Consider blocking token-based reauthentication to Microsoft Graph and DRS from suspicious locations or user agents.
+- Continue monitoring for follow-on activity like lateral movement or privilege escalation.
+"""
+references = [
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
+    "https://github.com/dirkjanm/ROADtools",
+    "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",
+]
+risk_score = 73
+rule_id = "36188365-f88f-4f70-8c1d-0b9554186b9c"
+setup = """## Setup
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+"""
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: Email",
+    "Domain: Identity",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from logs-o365.audit-*
+| where
+    event.dataset == "o365.audit" and
+    event.action == "UserLoggedIn" and
+    source.ip is not null and
+    o365.audit.UserId is not null and
+    o365.audit.ApplicationId is not null and
+    o365.audit.UserType in ("0", "2", "3", "10") and
+    o365.audit.ApplicationId in ("aebc6443-996d-45c2-90f0-388ff96faa56", "29d9ed98-a469-4536-ade2-f981bc1d605e") and
+    o365.audit.ObjectId in ("00000003-0000-0000-c000-000000000000")
+| eval
+    Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),
+    Esql.oauth_authorize_user_id_case = case(
+        o365.audit.ExtendedProperties.RequestType == "OAuth2:Authorize" and o365.audit.ExtendedProperties.ResultStatusDetail == "Redirect",
+        o365.audit.UserId,
+        null
+    ),
+    Esql.oauth_token_user_id_case = case(
+        o365.audit.ExtendedProperties.RequestType == "OAuth2:Token",
+        o365.audit.UserId,
+        null
+    )
+| stats
+    Esql.source_ip_count_distinct = count_distinct(source.ip),
+    Esql.source_ip_values = values(source.ip),
+    Esql.o365_audit_ApplicationId_values = values(o365.audit.ApplicationId),
+    Esql.source_as_organization_name_values = values(source.`as`.organization.name),
+    Esql.oauth_token_count_distinct = count_distinct(Esql.oauth_token_user_id_case),
+    Esql.oauth_authorize_count_distinct = count_distinct(Esql.oauth_authorize_user_id_case)
+  by
+    o365.audit.UserId,
+    Esql.time_window_date_trunc,
+    o365.audit.ApplicationId,
+    o365.audit.ObjectId
+| keep
+    Esql.time_window_date_trunc,
+    Esql.source_ip_values,
+    Esql.source_ip_count_distinct,
+    Esql.o365_audit_ApplicationId_values,
+    Esql.source_as_organization_name_values,
+    Esql.oauth_token_count_distinct,
+    Esql.oauth_authorize_count_distinct
+| where
+    Esql.source_ip_count_distinct >= 2 and
+    Esql.oauth_token_count_distinct > 0 and
+    Esql.oauth_authorize_count_distinct > 0
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"

nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_teams_custom_app_interaction_allowed.toml ADDED Viewed

@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2020/11/30"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/30"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than
+those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may
+abuse this behavior to establish persistence in an environment.
+"""
+false_positives = [
+    """
+    Custom applications may be allowed by a system or network administrator. Verify that the configuration change was
+    expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Teams Custom Application Interaction Allowed"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Microsoft 365 Teams Custom Application Interaction Allowed
+Microsoft Teams allows organizations to enhance functionality by integrating custom applications, which can be developed and uploaded beyond the standard app store offerings. While beneficial for tailored solutions, this capability can be exploited by adversaries to maintain unauthorized access. The detection rule monitors changes in tenant settings that permit custom app interactions, flagging successful modifications as potential persistence threats.
+### Possible investigation steps
+- Review the audit logs for the specific event.action: TeamsTenantSettingChanged to identify when the change was made and by whom.
+- Verify the identity of the user or account associated with the event to determine if the change was authorized or if the account may have been compromised.
+- Check the o365.audit.Name field for "Allow sideloading and interaction of custom apps" to confirm that the alert corresponds to enabling custom app interactions.
+- Investigate the o365.audit.NewValue field to ensure it is set to True, indicating that the setting was indeed changed to allow custom apps.
+- Assess the event.outcome field to confirm the change was successful and not a failed attempt, which could indicate a different type of issue.
+- Examine any recent custom applications uploaded to Microsoft Teams to ensure they are legitimate and not potentially malicious.
+- Cross-reference with other security alerts or logs to identify any unusual activity around the time of the setting change that might suggest malicious intent.
+### False positive analysis
+- Routine administrative changes to Microsoft Teams settings can trigger this rule. If a known and authorized administrator frequently updates tenant settings to allow custom apps, consider creating an exception for their user account to reduce noise.
+- Organizations that regularly develop and deploy custom applications for internal use may see frequent alerts. In such cases, establish a process to document and approve these changes, and use this documentation to create exceptions for specific application deployment activities.
+- Scheduled updates or maintenance activities that involve enabling custom app interactions might be misidentified as threats. Coordinate with IT teams to schedule these activities and temporarily adjust monitoring rules to prevent false positives during these periods.
+- If a third-party service provider is authorized to manage Teams settings, their actions might trigger alerts. Verify their activities and, if consistent and legitimate, add their actions to an exception list to prevent unnecessary alerts.
+- Changes made during a known testing or development phase can be mistaken for unauthorized access. Clearly define and communicate these phases to the security team, and consider temporary rule adjustments to accommodate expected changes.
+### Response and remediation
+- Immediately disable the custom application interaction setting in Microsoft Teams to prevent further unauthorized access or persistence by adversaries.
+- Conduct a thorough review of all custom applications currently uploaded to Microsoft Teams to identify any unauthorized or suspicious applications. Remove any that are not recognized or approved by the organization.
+- Analyze the audit logs for any recent changes to the Teams settings and identify the user account responsible for enabling custom application interactions. Investigate the account for signs of compromise or misuse.
+- Reset the credentials and enforce multi-factor authentication for the account(s) involved in the unauthorized change to prevent further unauthorized access.
+- Notify the security team and relevant stakeholders about the incident and the actions taken. Escalate to higher management if the breach is suspected to have wider implications.
+- Implement additional monitoring and alerting for changes to Microsoft Teams settings to quickly detect and respond to similar threats in the future.
+- Review and update the organization's security policies and procedures regarding the use of custom applications in Microsoft Teams to ensure they align with best practices and mitigate the risk of similar incidents.
+## Setup
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
+risk_score = 47
+rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset:o365.audit and event.provider:MicrosoftTeams and
+event.category:web and event.action:TeamsTenantSettingChanged and
+o365.audit.Name:"Allow sideloading and interaction of custom apps" and
+o365.audit.NewValue:True and event.outcome:success
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

nldcsc_elastic_rules/rules/integrations/o365/defense_evasion_microsoft_365_teams_external_access_enabled.toml ADDED Viewed

@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2020/11/30"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/30"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users
+communicate with other users that are outside their organization. An adversary may enable external access or add an
+allowed domain to exfiltrate data or maintain persistence in an environment.
+"""
+false_positives = [
+    """
+    Teams external access may be enabled by a system or network administrator. Verify that the configuration change was
+    expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Teams External Access Enabled"
+note = """## Triage and analysis
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Microsoft 365 Teams External Access Enabled
+Microsoft Teams' external access feature allows users to communicate with individuals outside their organization, facilitating collaboration. However, adversaries can exploit this by enabling external access or adding trusted domains to exfiltrate data or maintain persistence. The detection rule monitors audit logs for changes in federation settings, specifically when external access is successfully enabled, indicating potential misuse.
+### Possible investigation steps
+- Review the audit logs for the specific event.action "Set-CsTenantFederationConfiguration" to identify when and by whom the external access was enabled.
+- Examine the o365.audit.Parameters.AllowFederatedUsers field to confirm that it is set to True, indicating that external access was indeed enabled.
+- Investigate the user account associated with the event to determine if the action was authorized and if the account has a history of suspicious activity.
+- Check the event.provider field to see if the change was made through SkypeForBusiness or MicrosoftTeams, which may provide additional context on the method used.
+- Assess the event.outcome field to ensure the action was successful and not a failed attempt, which could indicate a potential security threat.
+- Look into any recent changes in the list of allowed domains to identify if any unauthorized or suspicious domains have been added.
+### False positive analysis
+- Routine administrative changes to federation settings can trigger alerts. Regularly review and document these changes to differentiate between legitimate and suspicious activities.
+- Organizations with frequent collaboration with external partners may see increased alerts. Consider creating exceptions for known trusted domains to reduce noise.
+- Scheduled updates or policy changes by IT teams might enable external access temporarily. Coordinate with IT to log these activities and exclude them from triggering alerts.
+- Automated scripts or tools used for configuration management can inadvertently enable external access. Ensure these tools are properly documented and monitored to prevent false positives.
+- Changes made during mergers or acquisitions can appear suspicious. Maintain a record of such events and adjust monitoring rules accordingly to account for expected changes.
+### Response and remediation
+- Immediately disable external access in Microsoft Teams to prevent further unauthorized communication with external domains.
+- Review and remove any unauthorized or suspicious domains added to the allowed list in the Teams federation settings.
+- Conduct a thorough audit of recent changes in the Teams configuration to identify any other unauthorized modifications or suspicious activities.
+- Reset credentials and enforce multi-factor authentication for accounts involved in the configuration change to prevent further unauthorized access.
+- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
+- Escalate the incident to the incident response team if there is evidence of data exfiltration or if the scope of the breach is unclear.
+- Implement enhanced monitoring and alerting for changes in Teams federation settings to detect similar threats in the future.
+## Setup
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
+risk_score = 47
+rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and
+event.category:web and event.action:"Set-CsTenantFederationConfiguration" and
+o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"