nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml

@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2020/11/18"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should
+not be set to forward email to domains outside of your organization. An adversary may create transport rules to
+exfiltrate data.
+"""
+false_positives = [
+    """
+    A new transport rule may be created by a system or network administrator. Verify that the configuration change was
+    expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Exchange Transport Rule Creation"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Microsoft 365 Exchange Transport Rule Creation
+
+Microsoft 365 Exchange transport rules automate email handling, applying actions like forwarding or blocking based on conditions. While beneficial for managing communications, adversaries can exploit these rules to redirect emails externally, facilitating data exfiltration. The detection rule monitors successful creation of new transport rules, flagging potential misuse by identifying specific actions and outcomes in audit logs.
+
+### Possible investigation steps
+
+- Review the audit logs for the event.dataset:o365.audit to identify the user account responsible for creating the new transport rule.
+- Examine the event.provider:Exchange and event.category:web fields to confirm the context and source of the rule creation.
+- Investigate the event.action:"New-TransportRule" to understand the specific conditions and actions defined in the newly created transport rule.
+- Check the event.outcome:success to ensure the rule creation was completed successfully and assess if it aligns with expected administrative activities.
+- Analyze the transport rule settings to determine if it includes actions that forward emails to external domains, which could indicate potential data exfiltration.
+- Correlate the findings with other security events or alerts to identify any patterns or anomalies that might suggest malicious intent.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger alerts when IT staff create or modify transport rules for legitimate purposes. To manage this, establish a baseline of expected rule creation activities and exclude these from alerts.
+- Automated systems or third-party applications that integrate with Microsoft 365 might create transport rules as part of their normal operation. Identify these systems and create exceptions for their known actions.
+- Changes in organizational policies or email handling procedures can lead to legitimate rule creations. Document these changes and update the monitoring system to recognize them as non-threatening.
+- Regular audits or compliance checks might involve creating temporary transport rules. Coordinate with audit teams to schedule these activities and temporarily adjust alert thresholds or exclusions during these periods.
+
+### Response and remediation
+
+- Immediately disable the newly created transport rule to prevent further unauthorized email forwarding or data exfiltration.
+- Conduct a thorough review of the audit logs to identify any other suspicious transport rules or related activities that may indicate a broader compromise.
+- Isolate the affected user accounts or systems associated with the creation of the transport rule to prevent further unauthorized access or actions.
+- Reset passwords and enforce multi-factor authentication for the affected accounts to secure access and prevent recurrence.
+- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
+- Escalate the incident to the incident response team if there is evidence of a broader compromise or if sensitive data has been exfiltrated.
+- Implement enhanced monitoring and alerting for transport rule changes to detect and respond to similar threats more effectively in the future.
+
+## Setup
+
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps",
+    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
+]
+risk_score = 47
+rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+

nldcsc_elastic_rules/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml

@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2020/11/19"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport
+rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
+threat may modify a transport rule to exfiltrate data or evade defenses.
+"""
+false_positives = [
+    """
+    A transport rule may be modified by a system or network administrator. Verify that the configuration change was
+    expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Exchange Transport Rule Modification"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Microsoft 365 Exchange Transport Rule Modification
+
+Microsoft 365 Exchange transport rules manage email flow by setting conditions and actions for messages. Adversaries may exploit these rules to disable or delete them, facilitating data exfiltration or bypassing security measures. The detection rule monitors audit logs for successful execution of commands that alter these rules, signaling potential misuse and enabling timely investigation.
+
+### Possible investigation steps
+
+- Review the audit logs for the specific event.dataset:o365.audit entries with event.provider:Exchange to confirm the occurrence of the "Remove-TransportRule" or "Disable-TransportRule" actions.
+- Identify the user account associated with the event by examining the user information in the audit logs to determine if the action was performed by an authorized individual or a potential adversary.
+- Check the event.category:web context to understand if the action was performed through a web interface, which might indicate a compromised account or unauthorized access.
+- Investigate the event.outcome:success to ensure that the rule modification was indeed successful and not an attempted action.
+- Correlate the timing of the rule modification with other security events or alerts to identify any concurrent suspicious activities that might suggest a broader attack or data exfiltration attempt.
+- Assess the impact of the rule modification by reviewing the affected transport rules to determine if they were critical for security or compliance, and evaluate the potential risk to the organization.
+
+### False positive analysis
+
+- Routine administrative changes to transport rules by IT staff can trigger alerts. To manage this, maintain a list of authorized personnel and their expected activities, and create exceptions for these users in the monitoring system.
+- Scheduled maintenance or updates to transport rules may result in false positives. Document these activities and adjust the monitoring system to temporarily exclude these events during known maintenance windows.
+- Automated scripts or third-party tools that manage transport rules might cause alerts. Identify these tools and their typical behavior, then configure the monitoring system to recognize and exclude these benign actions.
+- Changes made as part of compliance audits or security assessments can be mistaken for malicious activity. Coordinate with audit teams to log these activities separately and adjust the monitoring system to account for these legitimate changes.
+
+### Response and remediation
+
+- Immediately disable any compromised accounts identified in the audit logs to prevent further unauthorized modifications to transport rules.
+- Revert any unauthorized changes to transport rules by restoring them to their previous configurations using backup data or logs.
+- Conduct a thorough review of all transport rules to ensure no additional unauthorized modifications have been made, and confirm that all rules align with organizational security policies.
+- Implement additional monitoring on the affected accounts and transport rules to detect any further suspicious activities or attempts to modify rules.
+- Escalate the incident to the security operations team for a deeper investigation into potential data exfiltration activities and to assess the scope of the breach.
+- Coordinate with legal and compliance teams to determine if any regulatory reporting is required due to potential data exfiltration.
+- Enhance security measures by enabling multi-factor authentication (MFA) for all administrative accounts and reviewing access permissions to ensure the principle of least privilege is enforced.
+
+## Setup
+
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
+    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
+    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
+]
+risk_score = 47
+rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1537"
+name = "Transfer Data to Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1537/"
+
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+

nldcsc_elastic_rules/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml

@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2021/07/15"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Austin Songer"]
+description = """
+Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected
+with ransomware.
+"""
+false_positives = [
+    """
+    If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may
+    represent an adverse encryption process.
+    """,
+]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Potential ransomware activity"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Microsoft 365 Potential ransomware activity
+
+Microsoft 365's cloud services can be exploited by adversaries to distribute ransomware by uploading infected files. This detection rule leverages Microsoft Cloud App Security to identify suspicious uploads, focusing on successful events flagged as potential ransomware activity. By monitoring specific event datasets and actions, it helps security analysts pinpoint and mitigate ransomware threats, aligning with MITRE ATT&CK's impact tactics.
+
+### Possible investigation steps
+
+- Review the event details in the Microsoft Cloud App Security console to confirm the specific files and user involved in the "Potential ransomware activity" alert.
+- Check the event.dataset field for o365.audit logs to gather additional context about the user's recent activities and any other related events.
+- Investigate the event.provider field to ensure the alert originated from the SecurityComplianceCenter, confirming the source of the detection.
+- Analyze the event.category field to verify that the activity is categorized as web, which may indicate the method of file upload.
+- Assess the user's recent activity history and permissions to determine if the upload was intentional or potentially malicious.
+- Contact the user to verify the legitimacy of the uploaded files and gather any additional context or explanations for the activity.
+- If the files are confirmed or suspected to be malicious, initiate a response plan to contain and remediate any potential ransomware threat, including isolating affected systems and notifying relevant stakeholders.
+
+### False positive analysis
+
+- Legitimate file uploads by trusted users may trigger alerts if the files are mistakenly flagged as ransomware. To manage this, create exceptions for specific users or groups who frequently upload large volumes of files.
+- Automated backup processes that upload encrypted files to the cloud can be misidentified as ransomware activity. Exclude these processes by identifying and whitelisting the associated service accounts or IP addresses.
+- Certain file types or extensions commonly used in business operations might be flagged. Review and adjust the detection rule to exclude these file types if they are consistently identified as false positives.
+- Collaborative tools that sync files across devices may cause multiple uploads that appear suspicious. Monitor and exclude these tools by recognizing their typical behavior patterns and adjusting the rule settings accordingly.
+- Regularly review and update the list of exceptions to ensure that only verified non-threatening activities are excluded, maintaining the balance between security and operational efficiency.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further uploads and potential spread of ransomware within the cloud environment.
+- Quarantine the uploaded files flagged as potential ransomware to prevent access and further distribution.
+- Conduct a thorough scan of the affected user's devices and cloud storage for additional signs of ransomware or other malicious activity.
+- Notify the security operations team to initiate a deeper investigation into the source and scope of the ransomware activity, leveraging MITRE ATT&CK techniques for guidance.
+- Restore any affected files from secure backups, ensuring that the backups are clean and free from ransomware.
+- Review and update access controls and permissions for the affected user and related accounts to minimize the risk of future incidents.
+- Escalate the incident to senior security management and, if necessary, involve legal or compliance teams to assess any regulatory implications.
+
+## Setup
+
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+"""
+references = [
+    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+]
+risk_score = 47
+rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+

nldcsc_elastic_rules/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml

@@ -0,0 +1,84 @@
+[metadata]
+creation_date = "2021/07/15"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Austin Songer"]
+description = "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security."
+false_positives = ["Users or System Administrator cleaning out folders."]
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Unusual Volume of File Deletion"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Microsoft 365 Unusual Volume of File Deletion
+
+Microsoft 365's cloud environment facilitates file storage and collaboration, but its vast data handling capabilities can be exploited by adversaries for data destruction. Attackers may delete large volumes of files to disrupt operations or cover their tracks. The detection rule leverages audit logs to identify anomalies in file deletion activities, flagging successful, unusual deletion volumes as potential security incidents, thus enabling timely investigation and response.
+
+### Possible investigation steps
+
+- Review the audit logs for the specific user associated with the alert to confirm the volume and context of the file deletions, focusing on entries with event.action:"Unusual volume of file deletion" and event.outcome:success.
+- Correlate the timestamps of the deletion events with other activities in the user's account to identify any suspicious patterns or anomalies, such as unusual login locations or times.
+- Check for any recent changes in user permissions or roles that might explain the ability to delete a large volume of files, ensuring these align with the user's typical responsibilities.
+- Investigate any recent security alerts or incidents involving the same user or related accounts to determine if this activity is part of a broader attack or compromise.
+- Contact the user or their manager to verify if the deletions were intentional and authorized, and gather any additional context that might explain the activity.
+- Assess the impact of the deletions on business operations and data integrity, and determine if any recovery actions are necessary to restore critical files.
+
+### False positive analysis
+
+- High-volume legitimate deletions during data migration or cleanup projects can trigger false positives. To manage this, create exceptions for users or groups involved in these activities during the specified time frame.
+- Automated processes or scripts that perform bulk deletions as part of routine maintenance may be flagged. Identify these processes and whitelist them to prevent unnecessary alerts.
+- Users with roles in data management or IT support may regularly delete large volumes of files as part of their job responsibilities. Establish a baseline for these users and adjust the detection thresholds accordingly.
+- Temporary spikes in file deletions due to organizational changes, such as department restructuring, can be mistaken for malicious activity. Monitor these events and temporarily adjust the rule parameters to accommodate expected changes.
+- Regularly review and update the list of exceptions to ensure that only legitimate activities are excluded from alerts, maintaining the effectiveness of the detection rule.
+
+### Response and remediation
+
+- Immediately isolate the affected user account to prevent further unauthorized file deletions. This can be done by disabling the account or changing the password.
+- Review the audit logs to identify the scope of the deletion and determine if any critical or sensitive files were affected. Restore these files from backups if available.
+- Conduct a thorough review of the affected user's recent activities to identify any other suspicious actions or potential indicators of compromise.
+- Escalate the incident to the security operations team for further investigation and to determine if the deletion is part of a larger attack or breach.
+- Implement additional monitoring on the affected account and similar high-risk accounts to detect any further unusual activities.
+- Review and update access controls and permissions to ensure that users have the minimum necessary access to perform their job functions, reducing the risk of large-scale deletions.
+- Coordinate with the IT and security teams to conduct a post-incident review, identifying any gaps in the response process and implementing improvements to prevent recurrence.
+
+## Setup
+
+The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+"""
+references = [
+    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+]
+risk_score = 47
+rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745"
+severity = "medium"
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+

nldcsc_elastic_rules/rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml

@@ -0,0 +1,105 @@
+[metadata]
+creation_date = "2025/08/19"
+integration = ["o365"]
+maturity = "production"
+promotion = true
+updated_date = "2025/09/01"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365.
+Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
+"""
+false_positives = [
+    """
+    Signals are generated by Microsoft Defender for Office 365. False-positives may occur if legitimate user activity is
+    misclassified as a threat.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "M365 Threat Intelligence Signal"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating M365 Threat Intelligence Signal
+
+Microsoft 365 Threat Intelligence leverages audit logs to monitor activities across services like Exchange Online and SharePoint. Adversaries may exploit these platforms for phishing, gaining initial access. The detection rule identifies signals from Microsoft Defender, focusing on audit logs tagged with "ThreatIntelligence," to pinpoint potential abuse, assigning a medium risk score to such events.
+
+### Possible investigation steps
+
+- Review the audit logs filtered by event.dataset: "o365.audit" and event.provider: "ThreatIntelligence" to identify the specific activities flagged by the rule.
+- Examine the user accounts associated with the flagged activities to determine if they have been compromised or are behaving anomalously.
+- Investigate the source IP addresses and locations associated with the flagged events to identify any unusual or suspicious access patterns.
+- Check for any related alerts or signals in Microsoft Defender for Office 365 that might provide additional context or corroborate the threat.
+- Assess the potential impact on Exchange Online, SharePoint Online, and OneDrive for Business by reviewing any changes or access attempts to sensitive data or configurations.
+- Determine if the flagged activities align with known phishing techniques (MITRE ATT&CK T1566) and assess the likelihood of initial access attempts.
+
+### False positive analysis
+
+- Routine administrative activities in Exchange Online or SharePoint Online may trigger audit logs tagged with "ThreatIntelligence" without indicating malicious intent. Review these logs to identify patterns of legitimate administrative actions and consider excluding them from the detection rule.
+- Automated processes or third-party integrations with Microsoft 365 services can generate audit logs similar to those flagged by the rule. Identify these processes and create exceptions for known benign activities to reduce false positives.
+- Frequent file sharing or collaboration activities in OneDrive for Business might be misinterpreted as potential threats. Analyze the context of these activities and exclude regular business operations from the rule to prevent unnecessary alerts.
+- Regular updates or maintenance tasks performed by IT staff can appear as suspicious activities. Establish a baseline of expected behavior during these periods and adjust the detection rule to accommodate these known activities.
+- User training sessions or onboarding processes may involve actions that mimic initial access tactics. Monitor these events and exclude them from the rule when they align with scheduled training or onboarding activities.
+
+### Response and remediation
+
+- Immediately isolate any affected accounts or systems identified in the audit logs to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the audit logs to identify any additional suspicious activities or compromised accounts related to the Threat Intelligence signals.
+- Reset passwords for compromised accounts and enforce multi-factor authentication to enhance security and prevent further unauthorized access.
+- Notify relevant stakeholders, including IT security teams and management, about the incident and potential impact, ensuring alignment on response actions.
+- Escalate the incident to Microsoft support if necessary, providing detailed information from the audit logs to assist in further investigation and resolution.
+- Implement additional monitoring and alerting for similar threat indicators to enhance detection capabilities and prevent recurrence.
+- Review and update security policies and configurations for Exchange Online, SharePoint Online, and OneDrive for Business to mitigate vulnerabilities exploited by adversaries.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/purview/audit-supported-services",
+    "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
+]
+risk_score = 47
+rule_id = "60c814fc-7d06-11f0-b326-f661ea17fbcd"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Defender",
+    "Data Source: Microsoft Defender Threat Intelligence",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+

nldcsc_elastic_rules/rules/integrations/o365/initial_access_entra_id_portal_login_atypical_travel.toml

@@ -0,0 +1,132 @@
+[metadata]
+creation_date = "2024/09/04"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/10/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not
+commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft
+365 account from an unusual location or behind a VPN.
+"""
+false_positives = [
+    """
+    False positives may occur when users are using a VPN or when users are traveling to different locations"
+    """,
+    """
+    Mobile access may also result in false positives, as users may log in from various locations while on the go.
+    """,
+]
+from = "now-15m"
+index = ["logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Identity Login from Atypical Travel Location"
+note = """## Triage and analysis
+
+### Investigating M365 Identity Login from Atypical Travel Location
+
+Microsoft 365 is a cloud-based suite offering productivity tools accessible from anywhere, making it crucial for business operations. Adversaries may exploit this by logging in from uncommon locations, potentially using VPNs to mask their origin. The detection rule identifies successful logins from atypical locations, flagging potential unauthorized access attempts by analyzing login events and user location patterns.
+
+### Possible investigation steps
+
+- Review the user associated with these sign-ins to determine if the login attempt was legitimate or if further investigation is needed.
+- Analyze the geographic locations of the logins to identify any patterns or anomalies that may indicate malicious activity.
+- Review the ISP information for the login attempts to identify any unusual or suspicious providers.
+- Review the authorization request type to understand the context of the login attempts and whether they align with the user's typical behavior.
+- Analyze the client application used for the login attempts to determine if it is consistent with the user's normal usage patterns (Teams, Office, etc.)
+- Analyze the user-agent associated with the login attempts to identify any unusual or suspicious patterns. These could also indicate mobile and endpoint logins causing false-positives.
+
+### False positive analysis
+
+- Users traveling or using VPNs may trigger this alert. Verify with the user if they were traveling or using a VPN at the time of the login attempt.
+- Mobile access may also result in false positives, as users may log in from various locations while on the go.
+
+### Response and remediation
+
+- Investigate the login attempt further by checking for any additional context or related events that may provide insight into the user's behavior.
+- If the login attempt is deemed suspicious, consider implementing additional security measures, such as requiring multi-factor authentication (MFA) for logins from unusual locations.
+- Educate users about the risks of accessing corporate resources from unfamiliar locations and the importance of using secure connections (e.g., VPNs) when doing so.
+- Monitor for any subsequent login attempts from the same location or IP address to identify potential patterns of malicious activity.
+- Consider adding exceptions to this rule for the user or source application ID if the login attempts are determined to be legitimate and not a security concern.
+"""
+references = ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"]
+risk_score = 47
+rule_id = "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Use Case: Threat Detection",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:o365.audit and
+    event.provider:AzureActiveDirectory and
+    event.action:UserLoggedIn and
+    event.outcome:success and
+    o365.audit.Target.Type:(0 or 10 or 2 or 3 or 5 or 6) and
+    o365.audit.UserId:(* and not "Not Available") and
+    source.geo.region_iso_code:* and
+    not o365.audit.ApplicationId:(
+        29d9ed98-a469-4536-ade2-f981bc1d605e or
+        38aa3b87-a06d-4817-b275-7a316988d93b or
+        a809996b-059e-42e2-9866-db24b99a9782
+    ) and not o365.audit.ExtendedProperties.RequestType:(
+        "Cmsi:Cmsi" or
+        "Consent:Set" or
+        "Login:reprocess" or
+        "Login:resume" or
+        "MessagePrompt:MessagePrompt" or
+        "SAS:EndAuth"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "organization.id",
+    "o365.audit.UserId",
+    "o365.audit.ActorIpAddress",
+    "o365.audit.ApplicationId",
+    "o365.audit.ExtendedProperties.RequestType",
+    "o365.audit.Target.ID",
+    "source.geo.region_iso_code",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["o365.audit.UserId", "source.geo.region_iso_code"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
+