Merge PR #4401 from @cyb3rjy0t - Add New O365 Related Rules

new: Disabling Multi Factor Authenication new: New Federated Domain Added update: New Federated Domain Added - Exchange --------- Co-authored-by: frack113 <[email protected]> Co-authored-by: Nasreddine Bencherchali <[email protected]>
SigmaHQ · Sep 18, 2023 · 229b70f · 229b70f
1 parent 216a378
commit 229b70f
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 3 deletions.
diff --git a/rules/cloud/m365/microsoft365_disabling_mfa.yml b/rules/cloud/m365/microsoft365_disabling_mfa.yml
@@ -0,0 +1,21 @@
+title: Disabling Multi Factor Authenication
+id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
+status: experimental
+description: Detects disabling of Multi Factor Authencation.
+references:
+    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
+author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
+date: 2023/09/18
+tags:
+    - attack.persistence
+    - attack.t1556
+logsource:
+    service: audit
+    product: m365
+detection:
+    selection:
+        Operation|contains: 'Disable Strong Authenication.'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/cloud/m365/microsoft365_new_federated_domain_added_audit.yml b/rules/cloud/m365/microsoft365_new_federated_domain_added_audit.yml
@@ -0,0 +1,29 @@
+title: New Federated Domain Added
+id: 58f88172-a73d-442b-94c9-95eaed3cbb36
+related:
+    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
+      type: similar
+status: experimental
+description: Detects the addition of a new Federated Domain.
+references:
+    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
+    - https://o365blog.com/post/aadbackdoor/
+author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
+date: 2023/09/18
+tags:
+    - attack.persistence
+    - attack.t1136.003
+logsource:
+    service: audit
+    product: m365
+detection:
+    selection_domain:
+        Operation|contains: 'domain'
+    selection_operation:
+        Operation|contains:
+            - 'add'
+            - 'new'
+    condition: all of selection_*
+falsepositives:
+    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
+level: medium
diff --git a/...crosoft365_new_federated_domain_added.yml → ...5_new_federated_domain_added_exchange.yml b/...crosoft365_new_federated_domain_added.yml → ...5_new_federated_domain_added_exchange.yml
@@ -1,14 +1,17 @@
-title: New Federated Domain Added
+title: New Federated Domain Added - Exchange
 id: 42127bdd-9133-474f-a6f1-97b6c08a4339
+related:
+    - id: 58f88172-a73d-442b-94c9-95eaed3cbb36
+      type: similar
 status: test
-description: Alert for the addition of a new federated domain.
+description: Detects the addition of a new Federated Domain.
 references:
     - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
     - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
     - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
     - https://www.sygnia.co/golden-saml-advisory
     - https://o365blog.com/post/aadbackdoor/
-author: '@ionsor'
+author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
 date: 2022/02/08
 tags:
     - attack.persistence

diff --git a/tests/logsource.json b/tests/logsource.json
@@ -315,6 +315,7 @@
             "empty": [],
             "category":{},
             "service":{
+                "audit":[],
                 "exchange":[],
                 "threat_detection":[],
                 "threat_management":[]