diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
new file mode 100644
index 0000000000..078d2c843c
--- /dev/null
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -0,0 +1,77 @@
+name: O365 Email Transport Rule Changed
+id: 11ebb7c2-46bd-41c9-81e1-d0b4b34583a2
+version: 1
+date: '2025-01-15'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
+data_source:
+- O365
+search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
+| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
+| stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
+| rename UserId as user, Operation as signature
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_transport_rule_changed_filter`'
+how_to_implement:
+known_false_positives: Legitimate administrative changes for business needs.
+references:
+- https://attack.mitre.org/techniques/T1114/003/
+- https://cardinalops.com/blog/cardinalops-contributes-new-mitre-attck-techniques-related-to-abuse-of-mail-transport-rules/
+- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate changes by $user$
+ search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*Transport*" UserId=$user$'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Data Exfiltration
+ - Office 365 Account Takeover
+ asset_type: Cloud
+ confidence: 50
+ impact: 50
+ message: The user [$user$] altered the exchange transport rule id $object_id$ [$object_name$]
+ mitre_attack_id:
+ - T1114.003
+ - T1564.008
+ observable:
+ - name: user
+ type: user
+ role:
+ - Victim
+ - name: object_id
+ type: Other
+ role:
+ - Attacker
+ - name: object_name
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Workload
+ - Operation
+ - UserId
+ - Parameters{}.Name
+ risk_score: 25
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
+ source: o365
+ sourcetype: o365:management:activity
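Review bot: `how_to_implement:` is left empty on this new detection, so a deployer has no guidance on what the `o365_management_activity` macro must resolve to or which ingestion path supplies the `o365:management:activity` sourcetype the test depends on; a sentence such as `how_to_implement: Requires Office 365 management activity audit logs to be ingested, with the o365_management_activity macro set to the index that holds them.` would close that gap. Two smaller points on the search: the `Operation IN ("Set-*","Disable-*","New-*","Remove-*")` list does not include `Enable-*`, so re-enabling a previously disabled rule is not caught unless that is intentionally out of scope, and the "Investigate changes by $user$" drilldown filters on `Operation="*Transport*"` while the detection itself uses `"*TransportRule"`, so the drilldown is broader than the alert it drills into — confirm the widening is deliberate. The `object_id` fallback to `Id` is also worth checking: if `Id` is the per-event record identifier rather than the rule's identity, `New-*` events will never aggregate in `stats ... by object_id` and the risk message would display an event id where it promises a rule id; falling back to `ObjectId` as `object_name` already does may be what was intended.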