renaming stories

detections/cloud/high_number_of_login_failures_from_a_single_source.yml

@@ -21,7 +21,7 @@ references:
 - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365
   confidence: 50
   impact: 50

detections/cloud/o365_add_app_role_assignment_grant_user.yml

@@ -25,7 +25,7 @@ references:
 - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   - Cloud Federated Credential Abuse
   asset_type: Office 365
   confidence: 60

detections/cloud/o365_added_service_principal.yml

@@ -20,7 +20,7 @@ references:
 - https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack?hsLang=en
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   - Cloud Federated Credential Abuse
   asset_type: Office 365
   confidence: 60

detections/cloud/o365_advanced_audit_disabled.yml

@@ -28,7 +28,7 @@ references:
 - https://www.csoonline.com/article/570381/microsoft-365-advanced-audit-what-you-need-to-know.html
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   confidence: 80
   impact: 40

detections/cloud/o365_application_registration_owner_added.yml

@@ -21,7 +21,7 @@ references:
 - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   atomic_guid:
   - UPDATE atomic_guid

detections/cloud/o365_applicationimpersonation_role_assigned.yml

@@ -19,7 +19,7 @@ references:
 - https://www.mandiant.com/media/17656
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365 
   confidence: 70
   impact: 80

detections/cloud/o365_bypass_mfa_via_trusted_ip.yml

@@ -26,7 +26,7 @@ references:
 - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   confidence: 60
   impact: 70

detections/cloud/o365_disable_mfa.yml

@@ -20,7 +20,7 @@ references:
 - https://attack.mitre.org/techniques/T1556/
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   confidence: 80
   impact: 80

detections/cloud/o365_excessive_authentication_failures_alert.yml

@@ -22,7 +22,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365
   confidence: 80
   impact: 80

detections/cloud/o365_excessive_sso_logon_errors.yml

@@ -17,7 +17,7 @@ references:
 - https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   - Cloud Federated Credential Abuse
   asset_type: Office 365
   confidence: 80

detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml

@@ -28,7 +28,7 @@ references:
 - https://github.com/AlteredSecurity/365-Stealer
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 tenant
   confidence: 50
   impact: 80

detections/cloud/o365_high_number_of_failed_authentications_for_user.yml

@@ -19,7 +19,7 @@ references:
 - https://attack.mitre.org/techniques/T1110/001/
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: O365 tenant
   confidence: 70
   impact: 50

detections/cloud/o365_high_privilege_role_granted.yml

@@ -25,7 +25,7 @@ references:
 - https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365 tenant
   confidence: 60
   impact: 80

detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml

@@ -29,7 +29,7 @@ references:
 - https://github.com/AlteredSecurity/365-Stealer
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 tenant
   confidence: 50
   impact: 80

detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml

@@ -19,7 +19,7 @@ references:
 - https://www.blackhillsinfosec.com/abusing-exchange-mailbox-permissions-mailsniper/
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365 Tenant
   confidence: 70
   impact: 80

detections/cloud/o365_mailbox_read_access_granted_to_application.yml

@@ -35,7 +35,7 @@ references:
 - https://graphpermissions.merill.net/permission/Mail.Read
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365 tenant
   confidence: 50
   impact: 90

detections/cloud/o365_multi_source_failed_authentications_spike.yml

@@ -23,7 +23,7 @@ references:
 - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: O365 tenant
   atomic_guid: []
   confidence: 60

detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml

@@ -21,7 +21,7 @@ references:
 - https://www.youtube.com/watch?v=SK1zgqaAZ2E
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 
   confidence: 80
   impact: 60

detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml

@@ -19,7 +19,7 @@ references:
 - https://attack.mitre.org/techniques/T1621/
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 tenant
   confidence: 80
   impact: 60

detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml

@@ -21,7 +21,7 @@ references:
 - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 tenant
   confidence: 90
   impact: 70

detections/cloud/o365_new_federated_domain_added.yml

@@ -24,7 +24,7 @@ references:
 - https://o365blog.com/post/aadbackdoor/
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   - Cloud Federated Credential Abuse
   asset_type: Office 365
   confidence: 80

detections/cloud/o365_new_mfa_method_registered.yml

@@ -30,7 +30,7 @@ references:
 - https://www.csoonline.com/article/573451/sophisticated-bec-scammers-bypass-microsoft-365-multi-factor-authentication.html
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365 tenant
   confidence: 50
   impact: 60

detections/cloud/o365_pst_export_alert.yml

@@ -19,7 +19,7 @@ references:
 - https://attack.mitre.org/techniques/T1114/
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   - Data Exfiltration
   asset_type: Office 365
   confidence: 60

detections/cloud/o365_service_principal_new_client_credentials.yml

@@ -23,7 +23,7 @@ references:
 - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications 
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   confidence: 50
   impact: 70

detections/cloud/o365_suspicious_admin_email_forwarding.yml

@@ -19,7 +19,7 @@ known_false_positives: unknown
 references: []
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   - Data Exfiltration
   asset_type: Office 365
   confidence: 60

detections/cloud/o365_suspicious_rights_delegation.yml

@@ -20,7 +20,7 @@ references:
 - https://attack.mitre.org/techniques/T1114/002/
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   confidence: 60
   impact: 80

detections/cloud/o365_suspicious_user_email_forwarding.yml

@@ -19,7 +19,7 @@ known_false_positives: unknown
 references: []
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   - Data Exfiltration
   asset_type: Office 365
   confidence: 60

detections/cloud/o365_tenant_wide_admin_consent_granted.yml

@@ -25,7 +25,7 @@ references:
 - https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ 
 tags:
   analytic_story:
-  - O365 Persistence Mechanisms
+  - Office 365 Persistence Mechanisms
   asset_type: Office 365
   confidence: 50
   impact: 90

detections/cloud/o365_user_consent_blocked_for_risky_application.yml

@@ -27,7 +27,7 @@ references:
 - https://github.com/AlteredSecurity/365-Stealer
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 tenant
   confidence: 100
   impact: 30

detections/cloud/o365_user_consent_denied_for_oauth_application.yml

@@ -24,7 +24,7 @@ references:
 - https://github.com/AlteredSecurity/365-Stealer
 tags:
   analytic_story:
-  - O365 Identity Compromise Techniques
+  - Office 365 Account Takeover
   asset_type: Office 365 tenant
   confidence: 100
   impact: 30

stories/o365_identity_compromise_techniques.yml

@@ -1,13 +1,13 @@
-name: O365 Identity Compromise Techniques
+name: Office 365 Account Takeover
 id: d5f34d9d-d330-4f9e-a62e-ceb6f7bb1f85
 version: 1
 date: '2023-10-24'
 author: Mauricio Velazco, Splunk
-description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. The "O365 Identity Compromise Techniques" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Recognizing these early indicators is pivotal, forming the frontline of defense against unauthorized access and potential security incidents.
+description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. As O365's importance grows, it increasingly becomes a target for attackers seeking to exploit organizational data and systems. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Recognizing these early indicators is pivotal, forming the frontline of defense against unauthorized access and potential security incidents.
 narrative: Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.
 references: []
 tags:
-  analytic_story: O365 Identity Compromise Techniques
+  analytic_story: Office 365 Account Takeover
   category:
   - Adversary Tactics
   - Account Compromise

stories/o365_persistence_mechanisms.yml

@@ -1,13 +1,13 @@
-name: O365 Persistence Mechanisms
+name: Office 365 Persistence Mechanisms
 id: d230a106-0475-4605-a8d8-abaf4c31ced7
 version: 1
 date: '2023-10-17'
 author: Mauricio Velazco, Splunk
-description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. The "O365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. Recognizing these indicators is crucial, as persistent threats can lead to long-term data exfiltration, further system compromises, and a range of other malicious activities. Monitoring for signs of persistence ensures that organizations can detect and respond to these stealthy threats, safeguarding their O365 assets and data.
+description: Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. Given the centralized storage of sensitive organizational data within O365 and its widespread adoption, it has become a focal point for cybersecurity efforts. The platform's complexity, combined with its ubiquity, makes it both a valuable asset and a prime target for potential threats. The "Office 365 Persistence Mechanisms" analytic story delves into the tactics and techniques attackers employ to maintain prolonged unauthorized access within the O365 environment. Persistence in this context refers to methods used by adversaries to keep their foothold after an initial compromise. This can involve actions like modifying mailbox rules, establishing covert forwarding rules, manipulating application permissions. Recognizing these indicators is crucial, as persistent threats can lead to long-term data exfiltration, further system compromises, and a range of other malicious activities. Monitoring for signs of persistence ensures that organizations can detect and respond to these stealthy threats, safeguarding their O365 assets and data.
 narrative: Monitor for activities and anomalies indicative of potential persistence techniques within Office 365 environments.
 references: []
 tags:
-  analytic_story: O365 Persistence Mechanisms
+  analytic_story: Office 365 Persistence Mechanisms
   category:
   - Adversary Tactics
   - Account Compromise