Microsoft 365 Detection Rule/Machine Learning Rule

I went through the detection rules under SIEM security and did not find any related to Office 365. I opened a Github request for rules related to "impossible logins", "foreign country logins" "new inbox rule created", and a machine learning type rule where a user makes an unusual login from another location.
Can you confirm for me that if we are ingesting Microsoft 365 logs that there are not currently any types of detection rules and therefore no alerts would be generated?
Thanks,
Gary

Gary,
We've got rules for Azure and 365, and expect to continue developing new rules for 365 as well as a variety of other data sources. These rules will be included in the 7.11 release, but we merge rules to the detection-rules repository as they are approved - so users can quickly obtain access to important security capabilities as soon as they are ready. If you are already familiar with the 365 data source, our [detection-rules repository](https://github.com/elastic/detection-rules) accepts community contributions and includes documentation for creating, testing, and submitting new rules. In the future we're looking into unsupervised ML jobs for 365, but are not anticipating a delivery in the near-term.


I reviewed our data in light of the brute force query.

event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure

When I search the event.action, I find actions such as MoveToDeletedItems, UserLoggedIn, Update, SoftDelete etc. but not UserLoginFailed. If I manually add the value UserLoginFailed in the event.action filtering dialog box and apply it, there are no results.
I referenced the Office 365 audit logs and found a logon failure for an IP address from Russia. I search for that IP address in Elastic and in the resulting data there is an operation: UserLoginFailed.
Finally, I plugged UserLoginFailed in the search box without any fields, and there were a lot of results using fields Operation and Event.Outcome. After this, if I add the filter, event.outcome, UserLoginFailed is listed, and I am getting results.
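To make the field-mapping gap described above concrete, here is an added Python example (not code from Elastic or from anyone in this thread) that applies the brute force rule's terms to a few constructed O365 audit events: once exactly as the KQL is written, and once also accepting the raw Operation field (assumed here to be mapped as o365.audit.Operation) when event.action was never populated.

```python
# Constructed sample O365 audit events, flattened to the dotted field names Kibana shows.
# Event 3 lacks event.action and only carries the raw Operation field (assumed mapping:
# o365.audit.Operation), which is the gap described in the thread.
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "event.provider": "AzureActiveDirectory",
     "event.category": ["authentication"], "event.action": "UserLoginFailed",
     "event.outcome": "failure", "user.name": "alice@example.test", "source.ip": "198.51.100.4"},
    {"event.dataset": "o365.audit", "event.provider": "AzureActiveDirectory",
     "event.category": ["authentication"], "event.action": "UserLoginFailed",
     "event.outcome": "failure", "user.name": "bob@example.test", "source.ip": "198.51.100.4"},
    {"event.dataset": "o365.audit", "event.provider": "AzureActiveDirectory",
     "event.category": ["authentication"], "o365.audit.Operation": "UserLoginFailed",
     "event.outcome": "failure", "user.name": "carol@example.test", "source.ip": "198.51.100.4"},
    {"event.dataset": "o365.audit", "event.provider": "Exchange",
     "event.category": ["email"], "event.action": "MoveToDeletedItems",
     "event.outcome": "success", "user.name": "alice@example.test", "source.ip": "192.0.2.9"},
]

# The brute force rule's terms, one entry per KQL clause quoted in the thread.
RULE = {"event.dataset": "o365.audit", "event.provider": "AzureActiveDirectory",
        "event.category": "authentication", "event.action": "UserLoginFailed",
        "event.outcome": "failure"}

def field_matches(event, field, expected, fallback=None):
    """KQL-style term match: a field holding a list matches if any value equals expected.
    If the field is absent and a fallback field name is given, the fallback is consulted."""
    actual = event.get(field)
    if actual is None and fallback:
        actual = event.get(fallback)
    if isinstance(actual, list):
        return expected in actual
    return actual == expected

def matches_rule(event, rule=RULE, strict=True):
    """strict=True mirrors the rule exactly as written; strict=False additionally accepts
    the raw Operation field when event.action was not populated by the ingest pipeline."""
    for field, expected in rule.items():
        fallback = None if strict or field != "event.action" else "o365.audit.Operation"
        if not field_matches(event, field, expected, fallback):
            return False
    return True

def failed_logins_by_source(events, strict=True):
    """Count distinct users with failed logins per source IP: the aggregation a brute
    force or password spray threshold alert keys on."""
    users = {}
    for ev in events:
        if matches_rule(ev, strict=strict):
            users.setdefault(ev["source.ip"], set()).add(ev["user.name"])
    return {ip: len(names) for ip, names in users.items()}
```

Running both modes side by side shows how many failed logins the strict rule silently drops when event.action is empty, which is the number a tuning or ingest-pipeline fix should bring to zero.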