From 82c6ddd8e81df8e860c45bf91765ec5f1783ca70 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 23 Jan 2025 13:28:38 -0500
Subject: [PATCH 01/51] Add files via upload
---
macros/o365_messagetrace.yml | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 macros/o365_messagetrace.yml
diff --git a/macros/o365_messagetrace.yml b/macros/o365_messagetrace.yml
new file mode 100644
index 0000000000..68c4faf2a2
--- /dev/null
+++ b/macros/o365_messagetrace.yml
@@ -0,0 +1,3 @@
+definition:sourcetype IN ("ms:o365:reporting:messagetrace","o365:reporting:messagetrace")
+description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
+name: o365_messagetrace
\ No newline at end of file
From 1a673075d90727afce998662a78c4cf7f840e28b Mon Sep 17 00:00:00 2001
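Review bot: `definition:sourcetype IN (...)` has no space after the colon, so a YAML loader treats the first line as a plain scalar rather than a `definition` key, and the `description:` mapping entry that follows it will most likely make the whole macro file fail to parse. The line should read `definition: sourcetype IN ("ms:o365:reporting:messagetrace","o365:reporting:messagetrace")`. The description also misspells "Environment" as "Environmnent".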
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 23 Jan 2025 13:29:15 -0500
Subject: [PATCH 02/51] Add files via upload
---
...365_email_hard_delete_excessive_volume.yml | 75 ++++++++++++
.../o365_email_new_inbox_rule_created.yml | 73 ++++++++++++
...ssword_and_payroll_compromise_behavior.yml | 104 +++++++++++++++++
...eive_and_hard_delete_takeover_behavior.yml | 107 +++++++++++++++++
..._and_hard_delete_exfiltration_behavior.yml | 110 ++++++++++++++++++
...nd_and_hard_delete_suspicious_behavior.yml | 85 ++++++++++++++
...mail_send_attachments_excessive_volume.yml | 101 ++++++++++++++++
7 files changed, 655 insertions(+)
create mode 100644 detections/cloud/o365_email_hard_delete_excessive_volume.yml
create mode 100644 detections/cloud/o365_email_new_inbox_rule_created.yml
create mode 100644 detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
create mode 100644 detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
create mode 100644 detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
create mode 100644 detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
create mode 100644 detections/cloud/o365_email_send_attachments_excessive_volume.yml
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
new file mode 100644
index 0000000000..6874f16d63
--- /dev/null
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -0,0 +1,75 @@
+name: O365 Email Hard Delete Excessive Volume
+id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+data_source:
+- Office 365 Universal Audit Log
+search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+| bin _time span=1hr
+| stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as 
lastTime, dc(subject) as count by _time,user
+| where count > 50 OR file_size > 10
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_hard_delete_excessive_volume_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Suspicious Emails
+ - Data 
Destruction
+ asset_type: Cloud
+ confidence: 50
+ impact: 50
+ message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe
+ mitre_attack_id:
+ - T1070
+ - T1070.008
+ - T1485
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: src
+ type: IP Address
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - _time
+ - Workload
+ - Folder.Path
+ risk_score: 25
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
\ No newline at end of file
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
new file mode 100644
index 0000000000..055a9bf470
--- /dev/null
+++ b/detections/cloud/o365_email_new_inbox_rule_created.yml
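Review bot: The `message:` text has a typo, "excessing"; it should read `message: The user $user$ deleted an excessive number of emails [$count$] within a short timeframe`, and `known_false_positives` has "Users that habitually/proactively cleaning" where "clean" is meant. In the `eval`, the CASE branches for `Send`/`SendAs`/`SendOnBehalf` and `SoftDelete` in `subject`, `file_name` and `file_size` are unreachable because the base search only admits `Operation IN ("HardDelete")`; reducing them to the HardDelete form would make the intent clearer and avoid copy-drift from the send-side detections. `required_fields` lists only `_time`, `Workload` and `Folder.Path`, while the search also reads `Operation`, `UserId`, `ClientIPAddress`, `AffectedItems{}.Subject` and `AffectedItems{}.Attachments`. The field name `-time` looks unusual for an eval target (names that are not plain identifiers normally need single quotes); if it is not deliberate, a plain name such as `evttime` would be safer.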
@@ -0,0 +1,73 @@
+name: O365 Email New Inbox Rule Created
+id: 449f525a-7b42-47be-96a7-d9724e336c19
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. Inbox rule creation is a typical end-user activity however attackers also leverage this technique for multiple reasons.
+data_source:
+- Office 365 Universal Audit Log
+search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
+| eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name'
+| stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_new_inbox_rule_created_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users may create email rules for legitimate purposes. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Inbox Rules for $user$
+ search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Office 365 Collection Techniques
+ asset_type: Cloud
+ confidence: 40
+ impact: 40
+ message: A new email inbox rule was created for $user$
+ mitre_attack_id:
+ - T1114
+ - T1114.003
+ - T1564.008
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: desc
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Workload
+ - Operation
+ - Parameters{}.Name
+ - UserId
+ - Name
+ risk_score: 10
+ security_domain: audit
+tests:
+- name: True Positive Test
+ 
attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
\ No newline at end of file
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
new file mode 100644
index 0000000000..bf32886805
--- /dev/null
+++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
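Review bot: `src = mvindex(split(ClientIP,":"),0)` strips a trailing port by splitting on the first colon, which reduces an IPv6 client address to its first hextet (or to an empty string for a value starting with `::`), so the `src` field that feeds the Attacker observable loses the address for IPv6 sessions. Stripping only a recognised `addr:port` suffix keeps both families intact, e.g. `src = if(match(ClientIP, "^\d{1,3}(\.\d{1,3}){3}:\d+$"), mvindex(split(ClientIP,":"),0), replace(ClientIP, "^\[(.+)\]:\d+$", "\1"))`. Whether `ClientIP` actually carries a `[v6]:port` form in this data source is inferred from the split, not visible in the hunk, so confirm it against the add-on's field extraction before relying on the regex.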
@@ -0,0 +1,104 @@
+name: O365 Email Password and Payroll Compromise Behavior
+id: e36de71a-6bdc-4002-98ff-e3e51b0d8f96
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*")
+| eval mailtime = _time
+| bin _time span=4hr
+| eval user = lower(RecipientAddress)
+| eval InternetMessageId = lower(MessageId)
+| join InternetMessageId, user max=0
+ [
+ | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete")
+ | spath path=AffectedItems{} output=AffectedItemSplit
+ | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit
+ | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
+ | search Subject IN ("*banking*","*direct deposit*","*password*","*passcode*")
+ | eval deltime = _time
+ | bin _time span=4hr
+ | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId)
+ ]
+| stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time
+| search subject IN ("*direct deposit*","*banking*") AND subject IN ("*password*","*passcode*")
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_password_and_payroll_compromise_behavior_filter`'
+how_to_implement: You must install 
the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Unknown, unlikely.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Suspicious Emails
+ - Data Destruction
+ asset_type: Cloud
+ confidence: 90
+ impact: 100
+ message: The user $user$ received and deleted password and payroll change emails within a short timeframe
+ mitre_attack_id:
+ - T1114
+ - T1070.008
+ - T1485
+ - T1070
+ - T1114.001
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: 
src
+ type: IP Address
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - _time
+ - RecipientAddress
+ - MessageId
+ - subject
+ - Workload
+ - Operation
+ - Subject
+ - AffectedItems{}
+ - InternetMessageId
+ - UserId
+ risk_score: 90
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+ source: o365_messagetrace
+ sourcetype: o365:reporting:messagetrace
\ No newline at end of file
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
new file mode 100644
index 0000000000..102e5f4c90
--- /dev/null
+++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
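Review bot: The subsearch reads `ClientIP` (`fields _time,ClientIP,...` and `values(ClientIP) as src`) for `SoftDelete`/`HardDelete` mailbox-audit events, while the receive_and_hard_delete_takeover, send_and_hard_delete and hard_delete_excessive_volume hunks read `ClientIPAddress` for the same Exchange operations; if `ClientIPAddress` is the correct name here as well, `src`, the only Attacker observable, will always be empty. Separately, both sides `bin _time span=4hr` but `_time` is not a join key, so a deletion is matched however long after receipt it occurs and the "within a short period" wording in the description is not enforced; the receive_and_hard_delete_takeover hunk has the same gap. If the window is intended, either join on it as the send_attachments hunk does, `| join InternetMessageId, user, _time max=0`, or compute `lastTime - firstTime` after the `stats` and filter on it. Note also that `join` subsearches are bounded by the default subsearch result and runtime limits, so on a busy tenant the delete side may be silently truncated and matches lost.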
@@ -0,0 +1,107 @@
+name: O365 Email Receive and Hard Delete Takeover Behavior
+id: b66aeaa4-586f-428b-8a2b-c4fd3039d8d3
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+| eval mailtime = _time
+| bin _time span=4hr
+| eval user = lower(RecipientAddress)
+| eval InternetMessageId = lower(MessageId)
+| join InternetMessageId, user max=0
+ [
+ | search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")
+ | spath path=AffectedItems{} output=AffectedItemSplit
+ | fields _time,ClientProcessName,ClientIPAddress,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit,Folder.Path
+ | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
+ | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+ | eval deltime = _time
+ | bin _time span=4hr
+ | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject
+ ]
+| stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(ClientProcessName) as process, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject
+| 
`security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_receive_and_hard_delete_takeover_behavior_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Possible new user/account onboarding processes.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") AND RecipientAddress = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Suspicious Emails
+ - Data Destruction
+ asset_type: Cloud
+ confidence: 80
+ impact: 
100
+ message: The user $user$ received and deleted an email within a short timeframe titled [$subject$] which may contain password or banking information
+ mitre_attack_id:
+ - T1114
+ - T1070.008
+ - T1485
+ - T1070
+ - T1114.001
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: src
+ type: IP Address
+ role:
+ - Attacker
+ - name: subject
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - _time
+ - subject
+ - RecipientAddress
+ - MessageId
+ - Workload
+ - Operation
+ - Folder.Path
+ - InternetMessageId
+ - UserId
+ - Subject
+ risk_score: 80
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+ source: o365_messagetrace
+ sourcetype: o365:reporting:messagetrace
\ No newline at end of file
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
new file mode 100644
index 0000000000..d82279f660
--- /dev/null
+++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
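Review bot: The `description` is carried over from the password_and_payroll hunk ("attempting to redirect the victims payroll to an attacker controlled bank account"), but this search also keys on `*OTP *`, `*MFA *` and `*Account Recovery*`, so the stated rationale no longer matches what is detected; the description should also cover interception and deletion of MFA, one-time-code and account-recovery mail. The trailing space in `"*password *"`, `"*passcode *"`, `"*OTP *"` and `"*MFA *"` means a subject that ends with the word (for example "Reset your password") is not matched; if that whole-word restriction is intended, state it in `known_false_positives`, otherwise use `*password*` as the payroll hunk does. The `known_false_positives` entry "Possible new user/account onboarding processes." could usefully say which of the subject terms onboarding mail tends to hit, since that is what an analyst will need when tuning.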
@@ -0,0 +1,110 @@
+name: O365 Email Send and Hard Delete Exfiltration Behavior
+id: dd7798cf-c4f5-4114-ad0f-beacd9a33708
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of exfiltration activity. This behavior is often seen when threat actors want to reduce the probability of detection by the compromised account owner.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: '`o365_messagetrace` Status=Delivered
+| eval mailtime = _time
+| bin _time span=1hr
+| eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
+| eval InternetMessageId = lower(MessageId)
+| join InternetMessageId, user, max=0
+ [
+ | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+ | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
+ | eval sendtime = CASE(Operation IN 
("Send","SendAs","SendOnBehalf"),_time)
+ | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
+ | bin _time span=1hr
+ | stats values(sender) as sender, values(ClientInfoString) as http_user_agent, values(InternetMessageId) as InternetMessageId, values(file_name) as file_name, sum(file_size) as file_size, values(sendtime) as firstTime, values(deltime) as lastTime values(Operation) as signature, dc(Operation) as opcount, count by _time,subject,user
+ | where opcount > 1 AND firstTime < lastTime
+ ]
+| stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization
+| eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)
+| where externalRecipient = 1
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_send_and_hard_delete_exfiltration_behavior_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Suspicious Emails
+ - Data Destruction
+ asset_type: Cloud
+ confidence: 80
+ impact: 50
+ message: The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe
+ mitre_attack_id:
+ - T1114
+ - T1114.001
+ - T1070
+ - T1070.008
+ - T1485
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: src
+ type: IP Address
+ role:
+ - Attacker
+ - name: subject
+ type: 
Other
+ role:
+ - Attacker
+ - name: recipient
+ type: User
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - _time
+ - Status
+ - SenderAddress
+ - MessageId
+ - InternetMessageId
+ - Workload
+ - Folder.Path
+ - Organization
+ risk_score: 40
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+ source: o365_messagetrace
+ sourcetype: o365:reporting:messagetrace
\ No newline at end of file
diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
new file mode 100644
index 0000000000..42e4e07b6a
--- /dev/null
+++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
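Review bot: `externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)` uses the first label of the tenant domain as an unanchored regex over the whole recipient address, so any outside address that merely contains that string (a personal mailbox whose local part includes the organisation name, or a lookalike domain) is classed as internal and the send-then-delete is suppressed, which is precisely the case this detection exists to surface. Comparing the recipient's domain part with the sender's, as the send_attachments hunk does, is stricter: `| eval externalRecipient = if(mvindex(split(lower(recipient),"@"),1) == mvindex(split(lower(user),"@"),1),0,1)`; a tenant with several accepted domains would still need a lookup of those domains, since an exact comparison will treat sibling domains as external. The `SoftDelete` branches in the `subject`, `file_name`, `file_size` and `deltime` CASE expressions are unreachable because the subsearch only admits `HardDelete` on the delete side, and the `Investigate Email` drilldown uses `Operation IN ("Send")` where the detection itself uses `"Send*"`, so the drilldown will not show `SendAs`/`SendOnBehalf` events that produced the alert.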
@@ -0,0 +1,85 @@
+name: O365 Email Send and Hard Delete Suspicious Behavior
+id: c97b3d72-0a47-46f9-b742-b89f1cc2d551
+version: 1
+date: '2025-01-20'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account sends and then hard deletes email with within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of activity. Threat actors often use this technique to prevent defenders and victims from knowing the account has been compromised. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+data_source:
+- Office 365 Universal Audit Log
+search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+| eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
+| eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
+| stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, 
values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user
+| eval timediff = tonumber(lastTime) - tonumber(firstTime)
+| where opcount > 1 AND firstTime < lastTime AND timediff < 3600
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_send_and_hard_delete_suspicious_behavior_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_management_activity` 
Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$" AND "$subject$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Suspicious Emails
+ - Data Destruction
+ asset_type: Cloud
+ confidence: 50
+ impact: 40
+ message: The user $user$ sent and hard deleted an email within a short timeframe
+ mitre_attack_id:
+ - T1114
+ - T1114.001
+ - T1070
+ - T1070.008
+ - T1485
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: src
+ type: IP Address
+ role:
+ - Attacker
+ - name: subject
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - _time
+ - Workload
+ - Operation
+ - Folder.Path
+ risk_score: 20
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
\ No newline at end of file
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
new file mode 100644
index 0000000000..5d7c404905
--- /dev/null
+++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
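Review bot: The first drilldown still carries the template placeholder, `search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"'`; the sibling hunks use `search user = "$user$"`, and `user` is the field this search groups by, so it should read the same here. The `SoftDelete` branches in the `subject`, `file_name`, `file_size` and `deltime` CASE expressions are unreachable because the base search only admits `HardDelete` on the delete side, which makes the `deltime` logic harder to read than it needs to be. In the `Investigate Email` drilldown, `"$subject$"` is appended as a bare search term; a subject containing quotes or search operators is likely to break or widen that search, so binding it to a field (for example `'AffectedItems{}.Subject' = "$subject$"`) would be safer. `known_false_positives` reads "Users that habitually/proactively cleaning" (should be "clean"), and the description has "email with within a short period".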
@@ -0,0 +1,101 @@ +name: O365 Email Send Attachments Excessive Volume +id: 70a050a2-8537-488a-a628-b60a9558d96a +version: 1 +date: '2024-11-07' +date: '2025-01-20' +author: Steven Dick +type: Anomaly +description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. +data_source: +- Office 365 Universal Audit Log +search: '`o365_messagetrace` Status=Delivered +| eval mailtime = _time +| bin _time span=1hr +| eval user = lower(SenderAddress), recipient = lower(RecipientAddress) +| eval InternetMessageId = lower(MessageId) +| join InternetMessageId, user, _time max=0 + [ + | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf") + | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') + | bin _time 
span=1hr + | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif ")) + | search file_name=* + | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(file_name) as count by _time,user,InternetMessageId + | where count > 25 + | eval file_name = mvjoin(file_name,"||") + ] +| eval file_name = split(file_name,"||") +| stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId +| eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient)) +| search recipient = * +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `o365_email_send_attachments_excessive_volume_filter`' +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. +known_false_positives: Users or processes that are send a larage number of attachments may trigger this alert, adjust thresholds accordingly. 
+references: +- https://attack.mitre.org/techniques/T1114/ +- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf +- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate Email for $user$ + search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) AND Item.Attachments=* AND UserId = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Office 365 Account Takeover + - Suspicious Emails + asset_type: Cloud + confidence: 50 + impact: 30 + message: The user $user$ sent an excessing number of email attachments [$count$] to external recipient(s) within a short timeframe + mitre_attack_id: + - T1070 + - T1070.008 + - T1485 + observable: + - name: user + type: User + role: + - Victim + - name: src + type: IP Address + role: + - Attacker + - name: recipient + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Status 
+ - SenderAddress + - InternetMessageId + - Workload + - Operation + risk_score: 15 + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + source: o365 + sourcetype: o365:management:activity +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + source: o365_messagetrace + sourcetype: o365:reporting:messagetrace \ No newline at end of file From 07041b951eacb05e36b52ee70aa60eca394f12db Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:14:45 -0500 Subject: [PATCH 03/51] Update o365_messagetrace.yml --- macros/o365_messagetrace.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/macros/o365_messagetrace.yml b/macros/o365_messagetrace.yml index 68c4faf2a2..d5952e2539 100644 --- a/macros/o365_messagetrace.yml +++ b/macros/o365_messagetrace.yml @@ -1,3 +1,3 @@ -definition:sourcetype IN ("ms:o365:reporting:messagetrace","o365:reporting:messagetrace") +definition: sourcetype IN ("ms:o365:reporting:messagetrace","o365:reporting:messagetrace") description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. -name: o365_messagetrace \ No newline at end of file +name: o365_messagetrace From fd71c81062595232313257300700850044e89592 Mon Sep 17 00:00:00 2001 
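Review bot: The new file declares `date:` twice (`date: '2024-11-07'` followed by `date: '2025-01-20'`), which is a duplicate mapping key; depending on the YAML loader this is either rejected or silently resolved to the last value, so only `date: '2025-01-20'` should remain. The same hunk carries `known_false_positives: Users or processes that are send a larage number of attachments …` and `message: … sent an excessing number …`; PATCH 11 below corrects the message wording in the new `rba` block but does not touch the duplicate key or the false-positives sentence, so `known_false_positives: Users or processes that send a large number of attachments may trigger this alert, adjust thresholds accordingly.` is still needed. The `mitre_attack_id` list here omits T1114 although the references and the sibling detections cite it and the description speaks of mailbox exfiltration; worth confirming the mapping is intentional.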
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Thu, 23 Jan 2025 14:39:55 -0500 Subject: [PATCH 04/51] Update o365_email_password_and_payroll_compromise_behavior.yml --- ...365_email_password_and_payroll_compromise_behavior.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml index bf32886805..94f48e226b 100644 --- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml +++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml @@ -9,7 +9,7 @@ description: The following analytic identifies when an O365 email recipient rece data_source: - Office 365 Universal Audit Log - Office 365 Reporting Message Trace -search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") +search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") | eval mailtime = _time | bin _time span=4hr | eval user = lower(RecipientAddress) 
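Review bot: The rewritten subject list anchors several keywords with a trailing space (`"*password *"`, `"*passcode *"`, `"*OTP *"`, `"*MFA *"`), so a subject that ends with the keyword no longer matches, whereas the previous `"*password*"` did. If the intent is to avoid substring hits inside longer words, the end-of-subject case still needs its own pattern, e.g. add `"*password"`, `"*passcode"`, `"*OTP"`, `"*MFA"` alongside the spaced variants. The same list is repeated in the second hunk of this patch, both in the subsearch `| search Subject IN (...)` and in the final `| search subject IN (...)` filter, so all three occurrences should change together. The drilldown search for this file, visible as context in PATCH 07 below, still uses the original four-pattern list and should be aligned as well.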
@@ -20,13 +20,13 @@ search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*passwo | spath path=AffectedItems{} output=AffectedItemSplit | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit | mvexpand AffectedItemSplit | spath input=AffectedItemSplit - | search Subject IN ("*banking*","*direct deposit*","*password*","*passcode*") + | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") | eval deltime = _time | bin _time span=4hr | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId) ] | stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time -| search subject IN ("*direct deposit*","*banking*") AND subject IN ("*password*","*passcode*") +| search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_password_and_payroll_compromise_behavior_filter`' @@ -101,4 +101,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace \ No newline at end of file + sourcetype: o365:reporting:messagetrace From f91a3cc925db4e1a5d42a6df25214426f06bc27f Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 08:53:35 -0500
Subject: [PATCH 05/51] Update o365_email_hard_delete_excessive_volume.yml

---
 ...365_email_hard_delete_excessive_volume.yml | 30 +++++++------------
 1 file changed, 11 insertions(+), 19 deletions(-)

diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index 6874f16d63..6344fda67d 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -35,41 +35,33 @@ drilldown_searches: search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Office 365 Account Takeover - Suspicious Emails - Data Destruction - asset_type: Cloud - confidence: 50 - impact: 50 - message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe + asset_type: O365 Tenant mitre_attack_id: - T1070 - T1070.008 - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Folder.Path - risk_score: 25 security_domain: threat tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From 4f52d3b01e31b58b2b8cb63e418aebc6f1641b4e Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 08:59:58 -0500 Subject: [PATCH 06/51] Update o365_email_new_inbox_rule_created.yml --- .../o365_email_new_inbox_rule_created.yml | 32 +++++++------------ 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml index 055a9bf470..610d291bf5 100644 
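Review bot: The new `rba.message` value reads `message: message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe` — the key is repeated inside the value, so the rendered risk message would start with the literal text `message:`, and `excessing` should be `excessive`. Replace the line with `  message: The user $user$ deleted an excessive number of emails [$count$] within a short timeframe`. The `required_fields` list (`_time`, `Workload`, `Folder.Path`) is dropped here as in the other converted detections in this series; if the content-validation tooling still expects that key, confirm the schema change is intended.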
--- a/detections/cloud/o365_email_new_inbox_rule_created.yml +++ b/detections/cloud/o365_email_new_inbox_rule_created.yml @@ -33,41 +33,31 @@ drilldown_searches: search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A new email inbox rule was created for $user$ + risk_objects: + - field: user + type: user + score: 10 + threat_objects: + - field: desc + type: signature tags: analytic_story: - Office 365 Collection Techniques - asset_type: Cloud - confidence: 40 - impact: 40 - message: A new email inbox rule was created for $user$ + asset_type: O365 Tenant mitre_attack_id: - T1114 - T1114.003 - T1564.008 - observable: - - name: user - type: User - role: - - Victim - - name: desc - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Workload - - Operation - - Parameters{}.Name - - UserId - - Name - risk_score: 10 security_domain: audit tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From f2218b3065193597876ff75753157670edf43d2e Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 09:05:45 -0500 Subject: [PATCH 07/51] Update o365_email_password_and_payroll_compromise_behavior.yml --- ...ssword_and_payroll_compromise_behavior.yml | 35 ++++++------------- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml index 94f48e226b..02b0eb9945 100644 
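Review bot: The only threat object chosen here is `desc`, which the search sets from the rule's `Name` (`desc = Name` in the eval visible in PATCH 13 below); that is a free-text string picked by whoever created the rule and is weak for correlation across detections. The same search already produces `recipient` (`recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo)`), i.e. the forwarding target that characterizes the collection technique, and `src`; adding `- field: recipient` with `type: user` and `- field: src` with `type: ip_address` under `threat_objects` would give analysts pivotable entities. `desc` can stay if the rule name is wanted on the risk event, but it is more useful inside `message` than as a `signature`.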
--- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml +++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml @@ -49,47 +49,32 @@ drilldown_searches: search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ received and deleted password and payroll change emails within a short timeframe + risk_objects: + - field: user + type: user + score: 90 + threat_objects: + - field: src + type: ip_address tags: analytic_story: - Office 365 Account Takeover - Office 365 Collection Techniques - Suspicious Emails - Data Destruction - asset_type: Cloud - confidence: 90 - impact: 100 - message: The user $user$ received and deleted password and payroll change emails within a short timeframe + asset_type: O365 Tenant mitre_attack_id: - T1114 - T1070.008 - T1485 - T1070 - T1114.001 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - RecipientAddress - - MessageId - - subject - - Workload - - Operation - - Subject - - AffectedItems{} - - InternetMessageId - - UserId - risk_score: 90 security_domain: threat tests: - name: True Positive Test From ae0ed6024e7e70ff6c29ace093b98ca34d595990 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 09:13:00 -0500 Subject: [PATCH 08/51] Update o365_email_receive_and_hard_delete_takeover_behavior.yml --- ...eive_and_hard_delete_takeover_behavior.yml | 43 ++++++------------- 1 file changed, 13 insertions(+), 30 deletions(-) 
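Review bot: The drilldown search in the first context line of this hunk, `` `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$" ``, still uses the original keyword list, while PATCH 04 changed the detection itself to the eight-pattern list (`"*pay-to*"`, `"*OTP *"`, `"*MFA *"`, `"*Account Recovery*"`, …); an analyst pivoting from a risk event will therefore not see the emails that fired it. Align the drilldown's `subject IN (...)` with the detection's list, and ideally keep the list in one place so the two cannot drift again. The `rba` block's `score: 90` matches the removed `risk_score: 90`, so the numeric mapping is preserved.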
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml index 102e5f4c90..2fcb49b284 100644 --- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml +++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml @@ -48,51 +48,34 @@ drilldown_searches: search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") AND RecipientAddress = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ received and deleted an email within a short timeframe titled [$subject$] which may contain password or banking information + risk_objects: + - field: user + type: user + score: 80 + threat_objects: + - field: subject + type: signature + - field: src + type: ip_address tags: analytic_story: - Office 365 Account Takeover - Office 365 Collection Techniques - Suspicious Emails - Data Destruction - asset_type: Cloud - confidence: 80 - impact: 100 - message: The user $user$ received and deleted an email within a short timeframe titled [$subject$] which may contain password or banking information + asset_type: O365 Tenant mitre_attack_id: - T1114 - T1070.008 - T1485 - T1070 - T1114.001 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: subject - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - subject - - RecipientAddress - - MessageId - - Workload - - Operation - - Folder.Path - - InternetMessageId - - UserId - - Subject - risk_score: 80 security_domain: threat tests: - name: True Positive Test 
@@ -104,4 +87,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace \ No newline at end of file + sourcetype: o365:reporting:messagetrace From 518a7b8aea693032bdeab065e0dbfb1784fa9b18 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 09:19:48 -0500 Subject: [PATCH 09/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- ..._and_hard_delete_exfiltration_behavior.yml | 48 +++++++------------ 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index d82279f660..a277dac454 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml 
@@ -49,53 +49,37 @@ drilldown_searches: search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe + risk_objects: + - field: user + type: user + score: 40 + - field: recipient + type: user + score: 40 + threat_objects: + - field: src + type: ip_address + - field: subject + type: signature tags: analytic_story: - Office 365 Account Takeover - Office 365 Collection Techniques - Suspicious Emails - Data Destruction - asset_type: Cloud - confidence: 80 - impact: 50 - message: The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe + asset_type: O365 Tenant mitre_attack_id: - T1114 - T1114.001 - T1070 - T1070.008 - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: subject - type: Other - role: - - Attacker - - name: recipient - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Status - - SenderAddress - - MessageId - - InternetMessageId - - Workload - - Folder.Path - - Organization - risk_score: 40 security_domain: threat tests: - name: True Positive Test @@ -107,4 +91,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace \ No newline at end of file + sourcetype: o365:reporting:messagetrace From fcca5726811e89bdf63c8a33c7a896eb4706cb24 Mon Sep 17 00:00:00 2001 
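Review bot: `recipient` is now listed under `risk_objects` with `type: user` and `score: 40`, although the removed `observable` entry tagged it `Attacker`, and — if the same external-recipient filter used in the sibling attachments detection applies here — it only ever holds addresses outside the sender's domain. Scoring an external address as a risk object creates risk-index entries for identities the organization does not own and cannot act on; `- field: recipient` / `type: user` belongs under `threat_objects`, as PATCH 11 does for the attachments detection, leaving `user` as the sole risk object. If the intent really is to score the external recipient, that choice should be stated in the description.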
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 09:21:53 -0500
Subject: [PATCH 10/51] Update o365_email_send_and_hard_delete_suspicious_behavior.yml

---
 ...nd_and_hard_delete_suspicious_behavior.yml | 37 +++++++------------
 1 file changed, 13 insertions(+), 24 deletions(-)

diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
index 42e4e07b6a..4eeff8c0a5 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
@@ -37,49 +37,38 @@ drilldown_searches: search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$" AND "$subject$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ sent and hard deleted an email within a short timeframe + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: src + type: ip_address + - field: subject + type: signature tags: analytic_story: - Office 365 Account Takeover - Office 365 Collection Techniques - Suspicious Emails - Data Destruction - asset_type: Cloud - confidence: 50 - impact: 40 - message: The user $user$ sent and hard deleted an email within a short timeframe + asset_type: O365 Tenant mitre_attack_id: - T1114 - T1114.001 - T1070 - T1070.008 - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: subject - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Workload - - Operation - - Folder.Path - risk_score: 20 security_domain: threat tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity \ No newline at end of file + sourcetype: o365:management:activity From ef906974fd7ca0f694bcaa0ebc8bb7a579acad29 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 09:23:41 -0500 Subject: [PATCH 11/51] Update o365_email_send_attachments_excessive_volume.yml --- ...mail_send_attachments_excessive_volume.yml | 39 +++++++------------ 1 file changed, 13 insertions(+), 26 deletions(-) 
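Review bot: This conversion leaves the file's first drilldown untouched: as added in PATCH 02 above it reads `search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"'`, and no hunk in the series visible so far replaces the placeholder, so that drilldown would search a literal field named `[CHANGEME_FIELD]` and return nothing. Change it to `search: '%original_detection_search% | search user = "$user$"'`, as the sibling detections do. That drilldown sits above this hunk's first context line, outside the hunk.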
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index 5d7c404905..a9380415a0 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -50,43 +50,30 @@ drilldown_searches: search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) AND Item.Attachments=* AND UserId = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: The user $user$ sent an excessive number of email attachments [$count$] to external recipient(s) within a short timeframe + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: recipient + type: user + - field: src + type: ip_address tags: analytic_story: - Office 365 Account Takeover - Suspicious Emails - asset_type: Cloud - confidence: 50 - impact: 30 - message: The user $user$ sent an excessing number of email attachments [$count$] to external recipient(s) within a short timeframe + asset_type: O365 Tenant mitre_attack_id: - T1070 - T1070.008 - T1485 - observable: - - name: user - type: User - role: - - Victim - - name: src - type: IP Address - role: - - Attacker - - name: recipient - type: User - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - _time - - Status - - SenderAddress - - InternetMessageId - - Workload - - Operation - risk_score: 15 security_domain: threat tests: - name: True Positive Test @@ -98,4 +85,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace \ No newline at end of file + sourcetype: o365:reporting:messagetrace 
From e43b248cde6340ba2d58dfbc605e841d8b23a256 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 15:15:55 -0500
Subject: [PATCH 12/51] Update o365_email_hard_delete_excessive_volume.yml

---
 detections/cloud/o365_email_hard_delete_excessive_volume.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index 6344fda67d..9c0f857a8d 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -9,7 +9,8 @@ description: The following analytic identifies when an O365 email account hard d data_source: - Office 365 Universal Audit Log search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) -| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) +| rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_* +| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) | bin _time span=1hr | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, 
values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user | where count > 50 OR file_size > 10 From e80959df598a8fe317816bc21952e4ad5c709bd4 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 15:18:21 -0500 Subject: [PATCH 13/51] Update o365_email_new_inbox_rule_created.yml --- detections/cloud/o365_email_new_inbox_rule_created.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml index 610d291bf5..b474fb2f14 100644 --- a/detections/cloud/o365_email_new_inbox_rule_created.yml +++ b/detections/cloud/o365_email_new_inbox_rule_created.yml 
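Review bot: The rewritten `eval` keeps the `Send`/`SendAs`/`SendOnBehalf` branches of every `CASE` (`Item_Subject`, `Item_Attachments`, `Item_SizeInBytes`) even though the base search in this hunk's context restricts results to `Operation IN ("HardDelete")`, so those branches and the `Item.* as Item_*` rename can never apply in this detection; it looks carried over from the send-and-delete searches. Reducing it to the delete path, `subject = trim(AffectedItems_Subject), file_name = split(AffectedItems_Attachments,"; "), file_size = round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)`, states the intent and removes dead logic. The `file_size` regex is applied to `file_name` after `split`, i.e. to a multivalue field; if `replace` only acts on the first value here, `sum(file_size)` undercounts deletions with several attachments — worth confirming against the test data.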
@@ -9,10 +9,11 @@ description: The following analytic identifies the creation of new email inbox r data_source: - Office 365 Universal Audit Log search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder) -| eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name' +| rename Parameters{}.* as Parameters_* +| eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = Parameters_Name | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc | `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` +| `security_content_ctime(lastTime)` | `o365_email_new_inbox_rule_created_filter`' how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: Users may create email rules for legitimate purposes. Filter as needed. From 4f8d3afec789893af0d2100c2ced7778b04166c4 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 15:21:33 -0500 Subject: [PATCH 14/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- .../o365_email_send_and_hard_delete_exfiltration_behavior.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
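Review bot: `src = mvindex(split(ClientIP,":"),0)` in the rewritten `eval` assumes an IPv4 `address:port` value; an IPv6 `ClientIP` (bracketed `[address]:port`, for example) would be cut at its first colon and leave a fragment as the source address, which then feeds the risk event and any threat object built from `src`. Stripping the trailing port and brackets is safer, e.g. `src = replace(replace(ClientIP, ":\d+$", ""), "^\[|\]$", "")` — confirm the exact `ClientIP` format the O365 add-on emits before relying on it. The only change to the `security_content_ctime(lastTime)` line is an added trailing space, which is noise in the diff and worth dropping.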
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
index a277dac454..18bfd19f9f 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
@@ -17,7 +17,8 @@ search: '`o365_messagetrace` Status=Delivered
 | join InternetMessageId, user, max=0 [ | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
- | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
+ | rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
+ | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower(Item_InternetMessageId)
 | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
 | eval deltime = CASE(Operation IN
("SoftDelete","HardDelete"),_time)
 | bin _time span=1hr
From 77a4406dd9955ed3fd6bf33daa1909ed079970fd Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 15:22:42 -0500 Subject: [PATCH 15/51] Update o365_email_send_and_hard_delete_suspicious_behavior.yml --- .../o365_email_send_and_hard_delete_suspicious_behavior.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
index 4eeff8c0a5..6e8e6a03d3 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
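Review bot: The new rename/eval lines sit inside the `[ | search ... ]` subsearch that feeds `| join InternetMessageId, user, max=0`, and a join subsearch is bounded by Splunk's subsearch limits (50,000 results and 60 seconds by default, per the join command documentation, unless limits.conf was raised); `max=0` lifts only the per-key match cap, not those. In a tenant whose Send/HardDelete audit volume for the search window exceeds the cap the subsearch is truncated silently, so the correlation misses exactly the high-volume periods this exfiltration analytic is meant to catch, with no error in the job. The usual fix is one base search over both sourcetypes (`` `o365_messagetrace` OR `o365_management_activity` `` with the per-sourcetype evals) followed by `| stats ... by InternetMessageId, user`, which has no subsearch limit. The `search:` scalar this hunk edits begins and ends outside the hunk.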
@@ -9,7 +9,8 @@ description: The following analytic identifies when an O365 email account sends
 data_source:
 - Office 365 Universal Audit Log
 search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
-| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+| rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
+| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
 | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
 | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
 | stats values(sender) as sender,
values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user
From d82a5bde870b7418771bc2440df68e19b613daf8 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 15:24:11 -0500 Subject: [PATCH 16/51] Update o365_email_send_attachments_excessive_volume.yml --- .../cloud/o365_email_send_attachments_excessive_volume.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
index a9380415a0..f88eaecffa 100644
--- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml
+++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
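Review bot: The new eval line lower-cases `user` and `sender` but does nothing to the client address, and the `stats` that closes the hunk copies `ClientIPAddress` into `src` verbatim; the inbox-rule detection in this same series splits its `ClientIP` on `:` to discard a port, so if the Exchange mailbox-audit `ClientIPAddress` carries a `:port` suffix here as well (not visible in the hunk — check the attack_data sample), `src` will never match assets or allow-lists and one address yields a new value per ephemeral port. Normalise it in the same eval, e.g. `src = CASE(match(ClientIPAddress,"^\[.+\]:\d+$"), replace(ClientIPAddress,"^\[(.+)\]:\d+$","\1"), match(ClientIPAddress,"^\d{1,3}(\.\d{1,3}){3}:\d+$"), replace(ClientIPAddress,":\d+$",""), true(), ClientIPAddress)` and emit `values(src) as src` from the stats; that form also keeps IPv6 addresses whole, which a plain split on `:` would not.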
@@ -16,7 +16,8 @@ search: '`o365_messagetrace` Status=Delivered
 | join InternetMessageId, user, _time max=0 [ | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf")
- | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
+ | rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
+ | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower(Item_InternetMessageId)
 | bin _time span=1hr
 | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif "))
 | search file_name=*
From 2d09f571ba1e85bc4a72d9da7b7328ab65cd63fe Mon Sep 17 00:00:00 2001
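Review bot: Beyond the mechanical rename, the new eval line silently drops the `trim(...)` wrapper that the removed line had around the `file_name` CASE, so whatever whitespace `split(..., "; ")` leaves on each value now flows into `mvfilter(NOT match(file_name, "\.jpg |..."))` and `| search file_name=*` two lines below; nothing in the commit says this was intended, and the other detections in the series never had the trim, so it reads like collateral loss rather than alignment. If it was unintentional, restore it: `file_name = CASE(...)` becomes `file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")))`. The `search:` scalar this hunk sits in continues past the hunk on both sides.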
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 15:27:08 -0500 Subject: [PATCH 17/51] Update o365_email_hard_delete_excessive_volume.yml --- detections/cloud/o365_email_hard_delete_excessive_volume.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index 9c0f857a8d..a1c85790c0 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -37,7 +37,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe + message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe risk_objects: - field: user type: user
From 90e8edf83f923fe770d765ff3204369aa16c6531 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:11:37 -0500 Subject: [PATCH 18/51] Update o365_email_hard_delete_excessive_volume.yml --- .../cloud/o365_email_hard_delete_excessive_volume.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index a1c85790c0..63ee3687ee 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
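Review bot: The corrected `rba` line still reads `deleted an excessing number of emails`; the word wanted is `excessive`, i.e. `message: The user $user$ deleted an excessive number of emails [$count$] within a short timeframe`. This string is what analysts see on the generated risk event, so it is worth fixing while the line is already being touched.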
@@ -8,15 +8,15 @@ type: Anomaly
 description: The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
 data_source:
 - Office 365 Universal Audit Log
-search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
-| rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
-| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+search: |-
+`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN
("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
 | bin _time span=1hr
 | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user
 | where count > 50 OR file_size > 10
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
-| `o365_email_hard_delete_excessive_volume_filter`'
+| `o365_email_hard_delete_excessive_volume_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
 known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
 references:
@@ -65,4 +65,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity
From 3181840600a3880498add5ec37c1e6b8b02384b7 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:12:42 -0500 Subject: [PATCH 19/51] Update o365_email_new_inbox_rule_created.yml --- detections/cloud/o365_email_new_inbox_rule_created.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
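Review bot: `dc(subject) as count` in the retained `stats` line counts distinct subject strings rather than deleted items, so a bulk purge of messages that share one subject (a thread, a notification sender, a mail-merge batch) registers as 1 and never trips `count > 50`, which is precisely the evidence-purging behaviour the description says this analytic targets. Count items instead: add `| eval item_count = mvcount('AffectedItems{}.Subject')` after the new eval line and use `sum(item_count) as count` in the stats. Whether one HardDelete audit event carries several `AffectedItems{}` entries is not visible here, so confirm against the T1114 `o365_exchange_suspect_events.log` sample before retuning the threshold.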
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
index b474fb2f14..4bcb36adba 100644
--- a/detections/cloud/o365_email_new_inbox_rule_created.yml
+++ b/detections/cloud/o365_email_new_inbox_rule_created.yml
@@ -8,13 +8,13 @@ type: Anomaly
 description: The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. Inbox rule creation is a typical end-user activity however attackers also leverage this technique for multiple reasons.
 data_source:
 - Office 365 Universal Audit Log
-search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
-| rename Parameters{}.* as Parameters_*
-| eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = Parameters_Name
+search: |-
+`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
+| eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name'
 | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
-| `o365_email_new_inbox_rule_created_filter`'
+| `o365_email_new_inbox_rule_created_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management
activity events.
 known_false_positives: Users may create email rules for legitimate purposes. Filter as needed.
 references:
From 729b47b8a75af1e520e45509a62ed6cc497c6664 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:13:48 -0500 Subject: [PATCH 20/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- ...il_send_and_hard_delete_exfiltration_behavior.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
index 18bfd19f9f..c972c52ae8 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
@@ -9,7 +9,8 @@ description: The following analytic identifies when an O365 email account sends
 data_source:
 - Office 365 Universal Audit Log
 - Office 365 Reporting Message Trace
-search: '`o365_messagetrace` Status=Delivered
+search: |-
+`o365_messagetrace` Status=Delivered
 | eval mailtime = _time
 | bin _time span=1hr
 | eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
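Review bot: The new `search: |-` block scalar is not loadable YAML as written: every content line (`` `o365_management_activity` ... ``, `| eval ...`, `| stats ...`, the `_filter` macro) starts at column 0, and a block scalar's body must be indented further than its key, so the scalar is empty and the parser then meets a line beginning with a backtick, which cannot start a YAML token — the repository's Python/PyYAML-based build will reject the file. Indent the whole body by a fixed prefix, e.g. `search: |-` followed by `` `o365_management_activity` Workload=Exchange AND ... `` and `  | eval file_path = ...` each with two leading spaces. The single-quoted scalar this replaces appears to have been tolerated with column-0 continuation lines, which is why the problem did not surface before; the `search:` value and the `how_to_implement` line are both split across the hunk boundary here.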
@@ -17,8 +17,7 @@ search: '`o365_messagetrace` Status=Delivered
 | join InternetMessageId, user, max=0 [ | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
- | rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
- | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower(Item_InternetMessageId)
+ | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
 | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
 | eval deltime = CASE(Operation IN
("SoftDelete","HardDelete"),_time)
 | bin _time span=1hr
@@ -30,7 +30,7 @@ search: '`o365_messagetrace` Status=Delivered
 | where externalRecipient = 1
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
-| `o365_email_send_and_hard_delete_exfiltration_behavior_filter`'
+| `o365_email_send_and_hard_delete_exfiltration_behavior_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
 known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
 references:
@@ -87,9 +87,9 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace + sourcetype: o365:reporting:messagetrace
From 55f8c6203745e6c6704dbe6c6e5995ce5f6a087c Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:14:54 -0500 Subject: [PATCH 21/51] Update o365_email_send_and_hard_delete_suspicious_behavior.yml --- ..._email_send_and_hard_delete_suspicious_behavior.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
index 6e8e6a03d3..6b12a11bcd 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
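Review bot: The join key `user` is `lower(SenderAddress)` from message trace on the outer side (set in this patch's first hunk) but `lower(UserId)` on the subsearch side, while the address the new eval line derives for SendAs/SendOnBehalf (`SendAsUserSmtp`/`SendOnBehalfOfUserSmtp`) only ever lands in `sender` and never in the key. If, as those field names suggest, message trace reports the impersonated mailbox as `SenderAddress` for a SendAs message, delegated sends — which the `Operation IN ("Send*")` filter deliberately admits — can never match the outer row, so exfiltration through a shared or executive mailbox is exactly the case this correlation drops. Joining on `InternetMessageId` plus `sender` (or setting the inner join field to `sender` and keeping `UserId` in a separate field for the risk object) would keep them; confirm against the `o365_messagetrace_suspect_events.log` sample which address it carries. Both the join and the enclosing `search:` scalar extend outside this hunk.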
@@ -8,9 +8,9 @@ type: Anomaly
 description: The following analytic identifies when an O365 email account sends and then hard deletes email with within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of activity. Threat actors often use this technique to prevent defenders and victims from knowing the account has been compromised. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
 data_source:
 - Office 365 Universal Audit Log
-search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
-| rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
-| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+search: |-
+`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN
("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
 | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
 | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
 | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user
@@ -18,7 +18,7 @@ search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) O
 | where opcount > 1 AND firstTime < lastTime AND timediff < 3600
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
-| `o365_email_send_and_hard_delete_suspicious_behavior_filter`'
+| `o365_email_send_and_hard_delete_suspicious_behavior_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
 known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
 references:
@@ -72,4 +72,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity
From 184c5b599c18ff8fd6a181698f243cec7b2b789c Mon Sep 17 00:00:00 2001
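Review bot: `file_size` on the new eval line has two different meanings that `sum(file_size)` in the hunk's closing `stats` then adds together: on the Send branch it is the whole message size (`Item.SizeInBytes`), on the HardDelete branch it is the byte count pulled from one attachment label by `replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2")` — and because `file_name` is multivalued after `split()`, that replace most likely sees only the first attachment (Splunk's scalar eval functions generally act on the first value of a multivalue field; confirm on the sample). The summed figure is therefore neither bytes sent nor bytes deleted, and it is only informational here since the `where` clause keys on `opcount` and `timediff`. If attachment bytes is the intent, compute it per value on both branches, e.g. `file_size = mvmap(file_name, tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2")))`, and let `sum(file_size)` in the stats add the values (convert to MB there if still wanted). The `search:` scalar continues into the next hunk.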
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:16:44 -0500 Subject: [PATCH 22/51] Update o365_email_send_attachments_excessive_volume.yml --- .../o365_email_send_attachments_excessive_volume.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
index f88eaecffa..6d0a1a04ac 100644
--- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml
+++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
@@ -8,7 +8,8 @@ type: Anomaly
 description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
 data_source:
 - Office 365 Universal Audit Log
-search: '`o365_messagetrace` Status=Delivered
+search: |-
+`o365_messagetrace` Status=Delivered
 | eval mailtime = _time
 | bin _time span=1hr
 | eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
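Review bot: The new first line `` `o365_messagetrace` Status=Delivered `` makes message-trace data a hard requirement, yet this file's `data_source:` list in the same hunk still names only `Office 365 Universal Audit Log`; the exfiltration detection earlier in this series lists both sources, and this file's own `how_to_implement` (in a later hunk) says Message Trace events are required. Add `- Office 365 Reporting Message Trace` under `data_source:` so generated documentation and data-source coverage reporting reflect what the search actually needs.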
@@ -16,8 +17,7 @@ search: '`o365_messagetrace` Status=Delivered
 | join InternetMessageId, user, _time max=0 [ | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf")
- | rename AffectedItems{}.* as AffectedItems_*, Item.* as Item_*
- | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),Item_Subject,Operation IN ("SoftDelete","HardDelete"),AffectedItems_Subject)), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split(Item_Attachments,"; "),Operation IN ("SoftDelete","HardDelete"),split(AffectedItems_Attachments,"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber(Item_SizeInBytes)/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower(Item_InternetMessageId)
+ | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
 | bin _time span=1hr
 | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif "))
 | search file_name=*
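Review bot: The `file_name` the new eval line produces is filtered by the retained `mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif "))`, and `match()` is case-sensitive, so inline signature images named `.JPG`/`.PNG` survive the filter, pass `| search file_name=*` and are counted as sent attachments — a steady false-positive source for a volume threshold. `match(file_name, "(?i)\.(jpe?g|png|gif) ")` expresses the same intent in one case-insensitive pattern; the trailing space still anchors on the ` (NNNb)` label that the size regex on the same line expects. The `search:` scalar continues on both sides of this hunk.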
@@ -31,7 +31,7 @@ search: '`o365_messagetrace` Status=Delivered
 | search recipient = *
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
-| `o365_email_send_attachments_excessive_volume_filter`'
+| `o365_email_send_attachments_excessive_volume_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
 known_false_positives: Users or processes that are send a larage number of attachments may trigger this alert, adjust thresholds accordingly.
 references:
@@ -81,9 +81,9 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace + sourcetype: o365:reporting:messagetrace
From 902bea93143c2f4b191ffa9f215580bc16701bde Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:17:15 -0500 Subject: [PATCH 23/51] Update o365_email_new_inbox_rule_created.yml --- detections/cloud/o365_email_new_inbox_rule_created.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
index 4bcb36adba..a1db177481 100644
--- a/detections/cloud/o365_email_new_inbox_rule_created.yml
+++ b/detections/cloud/o365_email_new_inbox_rule_created.yml
@@ -61,4 +61,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity
From 14a41db645c19f58c18b867ae63656415a0d0bc9 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:17:39 -0500 Subject: [PATCH 24/51] Update o365_email_password_and_payroll_compromise_behavior.yml --- .../o365_email_password_and_payroll_compromise_behavior.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
index 02b0eb9945..25886a3b57 100644
--- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
+++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
@@ -81,9 +81,9 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace + sourcetype: o365:reporting:messagetrace
From 23211045ed966d287682d9a94f699eeb91fd3f5f Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:18:14 -0500 Subject: [PATCH 25/51] Update o365_email_receive_and_hard_delete_takeover_behavior.yml --- .../o365_email_receive_and_hard_delete_takeover_behavior.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
index 2fcb49b284..58b6e8983b 100644
--- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
+++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
@@ -82,9 +82,9 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 - sourcetype: o365:management:activity + sourcetype: o365:management:activity - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace - sourcetype: o365:reporting:messagetrace + sourcetype: o365:reporting:messagetrace
From c900f262a19730801575ebd4179d59fde81225dc Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:24:57 -0500 Subject: [PATCH 26/51] Update o365_email_hard_delete_excessive_volume.yml --- .../o365_email_hard_delete_excessive_volume.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index 63ee3687ee..7076329f3d 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -9,14 +9,14 @@ description: The following analytic identifies when an O365 email account hard d data_source: - Office 365 Universal Audit Log search: |- -`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) -| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) -| bin _time span=1hr -| stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user -| where count > 50 OR file_size > 10 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_hard_delete_excessive_volume_filter` + `o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) + | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), 
-time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) + | bin _time span=1hr + | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user + | where count > 50 OR file_size > 10 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_hard_delete_excessive_volume_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. references: From 663caa6ca238a9c2df687557a6b83abdce47935a Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:25:22 -0500 Subject: [PATCH 27/51] Update o365_email_new_inbox_rule_created.yml --- .../cloud/o365_email_new_inbox_rule_created.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml index a1db177481..8a4bda9048 100644 --- a/detections/cloud/o365_email_new_inbox_rule_created.yml +++ b/detections/cloud/o365_email_new_inbox_rule_created.yml 
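Review bot: The re-indented `eval` on the new side still assigns `-time = _time` and the later `stats` reads `min(-time)`/`max(-time)`; as I read the eval documentation, a field name containing characters other than letters, digits and underscore has to be single-quoted, so this either relies on parser leniency or should be written `'-time' = _time` — better still, renamed to something like `orig_time`, which also stops readers from confusing it with `_time`. The same field name is on the new side of the PATCH 31 hunk (o365_email_send_and_hard_delete_suspicious_behavior.yml) and in unchanged subsearch lines of the PATCH 30 and PATCH 32 hunks. Separately, `| where count > 50 OR file_size > 10` compares a value that the same `eval` computes as bytes/1024/1024, so the 10 is megabytes; a sentence in `how_to_implement` such as `Thresholds: more than 50 distinct subjects or more than 10 MB hard-deleted per user per hour; tune to your environment.` would make that explicit for whoever tunes it.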
@@ -9,12 +9,12 @@ description: The following analytic identifies the creation of new email inbox r data_source: - Office 365 Universal Audit Log search: |- -`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder) -| eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name' -| stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_new_inbox_rule_created_filter` + `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder) + | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name' + | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_new_inbox_rule_created_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: Users may create email rules for legitimate purposes. Filter as needed. references: 
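Review bot: `src = mvindex(split(ClientIP,":"),0)` on the new side keeps only what precedes the first colon, which drops a trailing port from an IPv4 value but truncates any IPv6 client address to its first hextet (and a bracketed `[addr]:port` form to `[addr`), so the recorded `src` would be wrong for exactly those sessions. If the intent is only to strip the port, `src = replace(replace(ClientIP, "^\[([^\]]+)\]:\d+$", "\1"), "^(\d{1,3}(?:\.\d{1,3}){3}):\d+$", "\1")` handles both forms and leaves a bare IPv6 address untouched. That ClientIP can carry a port suffix is inferred from the split itself, so confirm against the ingested events before changing it. The rest of the search is unchanged apart from indentation.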
From c94fe18c3717367057eba73dd98279c0c34b03b8 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:26:15 -0500 Subject: [PATCH 28/51] Update o365_email_password_and_payroll_compromise_behavior.yml --- ...ssword_and_payroll_compromise_behavior.yml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml index 25886a3b57..e563149379 100644 --- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml +++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml @@ -9,12 +9,13 @@ description: The following analytic identifies when an O365 email recipient rece data_source: - Office 365 Universal Audit Log - Office 365 Reporting Message Trace -search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") -| eval mailtime = _time -| bin _time span=4hr -| eval user = lower(RecipientAddress) -| eval InternetMessageId = lower(MessageId) -| join InternetMessageId, user max=0 +search: |- + `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") + | eval mailtime = _time + | bin _time span=4hr + | eval user = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user max=0 [ | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete") | spath path=AffectedItems{} output=AffectedItemSplit 
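Review bot: `| join InternetMessageId, user max=0 [ | search `o365_management_activity` ... ]` correlates through a join subsearch, and join subsearches are cut off silently by the `[join]` settings in limits.conf (`subsearch_maxout`, `subsearch_maxtime`), so in a tenant with a high volume of SoftDelete/HardDelete events the inner results are truncated and the delete that would pair with a password- or payroll-themed message is simply never joined — a silent false negative rather than an error. The same pattern is used in the PATCH 29, PATCH 30 and PATCH 32 hunks. Consider at least stating this in `how_to_implement`, e.g. `This search correlates via a join subsearch; raise the [join] subsearch limits or narrow the search window if results are truncated.`, or restructuring as one base search over both macros followed by `stats ... by InternetMessageId, user`, which is not bounded by subsearch limits. The remainder of the subsearch and the outer `stats` are in the next hunk.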
@@ -25,11 +26,11 @@ search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to | bin _time span=4hr | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId) ] -| stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time -| search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_password_and_payroll_compromise_behavior_filter`' + | stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time + | search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_password_and_payroll_compromise_behavior_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. known_false_positives: Unknown, unlikely. references: From 81179ad57410ba1cd168f8a7f0622ef4f672c2fb Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:26:47 -0500 Subject: [PATCH 29/51] Update o365_email_receive_and_hard_delete_takeover_behavior.yml --- ...eive_and_hard_delete_takeover_behavior.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) 
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml index 58b6e8983b..4ac1959303 100644 --- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml +++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml @@ -9,12 +9,13 @@ description: The following analytic identifies when an O365 email recipient rece data_source: - Office 365 Universal Audit Log - Office 365 Reporting Message Trace -search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") -| eval mailtime = _time -| bin _time span=4hr -| eval user = lower(RecipientAddress) -| eval InternetMessageId = lower(MessageId) -| join InternetMessageId, user max=0 +search: |- + `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") + | eval mailtime = _time + | bin _time span=4hr + | eval user = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user max=0 [ | search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions") | spath path=AffectedItems{} output=AffectedItemSplit 
@@ -25,10 +26,10 @@ search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to | bin _time span=4hr | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject ] -| stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(ClientProcessName) as process, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_receive_and_hard_delete_takeover_behavior_filter`' + | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(ClientProcessName) as process, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_receive_and_hard_delete_takeover_behavior_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. known_false_positives: Possible new user/account onboarding processes. references: From 0c80eff121192768a6605f9b56d7e59efdea2568 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:27:18 -0500 Subject: [PATCH 30/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- ..._and_hard_delete_exfiltration_behavior.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) 
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index c972c52ae8..0f0f0d7477 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml @@ -10,12 +10,12 @@ data_source: - Office 365 Universal Audit Log - Office 365 Reporting Message Trace search: |- -`o365_messagetrace` Status=Delivered -| eval mailtime = _time -| bin _time span=1hr -| eval user = lower(SenderAddress), recipient = lower(RecipientAddress) -| eval InternetMessageId = lower(MessageId) -| join InternetMessageId, user, max=0 + `o365_messagetrace` Status=Delivered + | eval mailtime = _time + | bin _time span=1hr + | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user, max=0 [ | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') 
@@ -25,12 +25,12 @@ search: |- | stats values(sender) as sender, values(ClientInfoString) as http_user_agent, values(InternetMessageId) as InternetMessageId, values(file_name) as file_name, sum(file_size) as file_size, values(sendtime) as firstTime, values(deltime) as lastTime values(Operation) as signature, dc(Operation) as opcount, count by _time,subject,user | where opcount > 1 AND firstTime < lastTime ] -| stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization -| eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1) -| where externalRecipient = 1 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_send_and_hard_delete_exfiltration_behavior_filter` + | stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization + | eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1) + | where externalRecipient = 1 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_and_hard_delete_exfiltration_behavior_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. references: From cc6443da9ac3fd943fcc8b8f77c099a446c2d39a Mon Sep 17 00:00:00 2001 
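Review bot: `externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)` treats a recipient as internal whenever the first label of `Organization` occurs anywhere in the full address as an unanchored regex, so with an org label like `acme` a constructed recipient such as `acme.fan@gmail.com` or `jane@acme-partners.com` is classified internal and discarded by `| where externalRecipient = 1` — precisely the look-alike case an exfiltration detection should keep. Matching only the recipient's domain and anchoring on label boundaries, e.g. `externalRecipient = if(match(mvindex(split(lower(recipient),"@"),1), "(^|\.)" . mvindex(split(lower(Organization),"."),0) . "\."), 0, 1)`, limits it to `<label>.<tld>` and its subdomains; whether `Organization` in message-trace events is the accepted domain or the tenant name is inferred here, so check the data before relying on the first label. The PATCH 32 hunk (o365_email_send_attachments_excessive_volume.yml) decides "external" differently, by comparing the recipient domain with the sender's domain, so the two detections can disagree on the same message; aligning them on one expression would be worth it.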
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:27:39 -0500 Subject: [PATCH 31/51] Update o365_email_send_and_hard_delete_suspicious_behavior.yml --- ...nd_and_hard_delete_suspicious_behavior.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml index 6b12a11bcd..c02f06044e 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml 
@@ -9,16 +9,16 @@ description: The following analytic identifies when an O365 email account sends data_source: - Office 365 Universal Audit Log search: |- -`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) -| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) -| eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time) -| eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time) -| stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user -| eval timediff = tonumber(lastTime) - tonumber(firstTime) -| where opcount > 1 AND firstTime < lastTime AND timediff < 3600 -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_send_and_hard_delete_suspicious_behavior_filter` + `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) + | eval user = 
lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) + | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time) + | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time) + | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user + | eval timediff = tonumber(lastTime) - tonumber(firstTime) + | where opcount > 1 AND firstTime < lastTime AND timediff < 3600 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_and_hard_delete_suspicious_behavior_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. references: From 49342b4094390f8ddcfa2cd6cf7d6b9f9013987b Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:28:06 -0500 Subject: [PATCH 32/51] Update o365_email_send_attachments_excessive_volume.yml --- ...mail_send_attachments_excessive_volume.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index 6d0a1a04ac..317dcaca3c 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml 
@@ -9,12 +9,12 @@ description: The following analytic identifies when an O365 email account sends data_source: - Office 365 Universal Audit Log search: |- -`o365_messagetrace` Status=Delivered -| eval mailtime = _time -| bin _time span=1hr -| eval user = lower(SenderAddress), recipient = lower(RecipientAddress) -| eval InternetMessageId = lower(MessageId) -| join InternetMessageId, user, _time max=0 + `o365_messagetrace` Status=Delivered + | eval mailtime = _time + | bin _time span=1hr + | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user, _time max=0 [ | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf") | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') 
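Review bot: `| join InternetMessageId, user, _time max=0` on the new side includes `_time` in the join key immediately after `| bin _time span=1hr`, so the message-trace row and the Send audit record must land in the same clock-hour bucket to pair; a message traced at :59 whose audit record is stamped at :00 of the next hour (audit records commonly arrive with some delay) never joins and that message's attachments are not counted. Whether the subsearch bins `_time` the same way is not visible here (its tail lies outside the hunk), but if it does, joining on `InternetMessageId, user` alone — as the PATCH 30 exfiltration search already does — and keeping the hourly bucket only for the later `stats` avoids the boundary loss. `InternetMessageId` already identifies the message, so `_time` adds little selectivity to the key.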
@@ -25,13 +25,13 @@ search: |- | where count > 25 | eval file_name = mvjoin(file_name,"||") ] -| eval file_name = split(file_name,"||") -| stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId -| eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient)) -| search recipient = * -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `o365_email_send_attachments_excessive_volume_filter` + | eval file_name = split(file_name,"||") + | stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId + | eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient)) + | search recipient = * + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_attachments_excessive_volume_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. known_false_positives: Users or processes that are send a larage number of attachments may trigger this alert, adjust thresholds accordingly. references: From cbb25155ab976fbefa10774c74679f66e9f075ae Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:31:31 -0500 Subject: [PATCH 33/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- .../o365_email_send_and_hard_delete_exfiltration_behavior.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index 0f0f0d7477..b5c7892357 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml @@ -60,8 +60,6 @@ rba: type: user score: 40 threat_objects: - - field: src - type: ip_address - field: subject type: signature tags: From 1899156ae8a587c0010567604aac5c8b2193a7a5 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:33:15 -0500 Subject: [PATCH 34/51] Update o365_email_send_attachments_excessive_volume.yml --- .../cloud/o365_email_send_attachments_excessive_volume.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index 317dcaca3c..9038100606 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -59,9 +59,7 @@ rba: score: 20 threat_objects: - field: recipient - type: user - - field: src - type: ip_address + type: email_address tags: analytic_story: - Office 365 Account Takeover From dd8c9d991a4a4f78bec44c8393361671a54dee1f Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:34:18 -0500 Subject: [PATCH 35/51] Update o365_email_receive_and_hard_delete_takeover_behavior.yml --- .../o365_email_receive_and_hard_delete_takeover_behavior.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml index 4ac1959303..cafbfdd2f0 100644 --- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml +++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml @@ -57,7 +57,7 @@ rba: score: 80 threat_objects: - field: subject - type: signature + type: email_subject - field: src type: ip_address tags: From 62273d573fdbf78d60490cfbfefee0b38e3008aa Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:34:40 -0500 Subject: [PATCH 36/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- .../o365_email_send_and_hard_delete_exfiltration_behavior.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index b5c7892357..27f6cccdc7 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml @@ -61,7 +61,7 @@ rba: score: 40 threat_objects: - field: subject - type: signature + type: email_subject tags: analytic_story: - Office 365 Account Takeover From 1701666ecc407225840120a7185f060ab9c79730 Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:35:07 -0500 Subject: [PATCH 37/51] Update o365_email_send_and_hard_delete_suspicious_behavior.yml --- .../o365_email_send_and_hard_delete_suspicious_behavior.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml index c02f06044e..c17b1bc197 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml @@ -48,7 +48,7 @@ rba: - field: src type: ip_address - field: subject - type: signature + type: email_subject tags: analytic_story: - Office 365 Account Takeover From 1c92567b17eadf1a830cefed21afc872e1b4f2eb Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:51:39 -0500 Subject: [PATCH 38/51] Update o365_email_send_attachments_excessive_volume.yml --- .../cloud/o365_email_send_attachments_excessive_volume.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index 9038100606..bd84173650 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -1,7 +1,6 @@ name: O365 Email Send Attachments Excessive Volume id: 70a050a2-8537-488a-a628-b60a9558d96a version: 1 -date: '2024-11-07' date: '2025-01-20' author: Steven Dick type: Anomaly From 67adb94485164b9192964f9325e04348be796a2d Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 19:57:12 -0500 Subject: [PATCH 39/51] Update o365_email_send_attachments_excessive_volume.yml --- .../cloud/o365_email_send_attachments_excessive_volume.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index bd84173650..ef6ae4288a 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -4,7 +4,7 @@ version: 1 date: '2025-01-20' author: Steven Dick type: Anomaly -description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. +description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. data_source: - Office 365 Universal Audit Log search: |- 
From e05958d04b1a07ec01cecef65d6513e91f66b229 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 31 Jan 2025 20:06:31 -0500 Subject: [PATCH 40/51] Update o365_email_send_attachments_excessive_volume.yml --- .../cloud/o365_email_send_attachments_excessive_volume.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index ef6ae4288a..b5c587f208 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -3,6 +3,7 @@ id: 70a050a2-8537-488a-a628-b60a9558d96a version: 1 date: '2025-01-20' author: Steven Dick +status: production type: Anomaly description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. data_source: 
@@ -32,7 +33,7 @@ search: |- | `security_content_ctime(lastTime)` | `o365_email_send_attachments_excessive_volume_filter` how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. -known_false_positives: Users or processes that are send a larage number of attachments may trigger this alert, adjust thresholds accordingly. +known_false_positives: Users or processes that are send a large number of attachments may trigger this alert, adjust thresholds accordingly. references: - https://attack.mitre.org/techniques/T1114/ - https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf From 600806e9d166fea0e04517eeb45953da2be3ade5 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:24:22 -0500 Subject: [PATCH 41/51] Update o365_email_hard_delete_excessive_volume.yml --- detections/cloud/o365_email_hard_delete_excessive_volume.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml index 7076329f3d..8b1c6f407e 100644 --- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml +++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml @@ -52,7 +52,6 @@ tags: - Data Destruction asset_type: O365 Tenant mitre_attack_id: - - T1070 - T1070.008 - T1485 product: From dd37507e616a197988fb9c8f35ea78e8a1d7e826 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:24:58 -0500 Subject: [PATCH 42/51] Update o365_email_new_inbox_rule_created.yml --- detections/cloud/o365_email_new_inbox_rule_created.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml index 8a4bda9048..2eb397121b 100644 
--- a/detections/cloud/o365_email_new_inbox_rule_created.yml +++ b/detections/cloud/o365_email_new_inbox_rule_created.yml @@ -48,7 +48,6 @@ tags: - Office 365 Collection Techniques asset_type: O365 Tenant mitre_attack_id: - - T1114 - T1114.003 - T1564.008 product: From b4bfb8c3adb0e1ebac93c33bdba683327b691f56 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:25:25 -0500 Subject: [PATCH 43/51] Update o365_email_password_and_payroll_compromise_behavior.yml --- .../o365_email_password_and_payroll_compromise_behavior.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml index e563149379..13bf178d72 100644 --- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml +++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml @@ -67,10 +67,8 @@ tags: - Data Destruction asset_type: O365 Tenant mitre_attack_id: - - T1114 - T1070.008 - T1485 - - T1070 - T1114.001 product: - Splunk Enterprise From d205b2d69e6c9a64f8f5d712a9f95f5598b0b81b Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:25:51 -0500 Subject: [PATCH 44/51] Update o365_email_receive_and_hard_delete_takeover_behavior.yml --- .../o365_email_receive_and_hard_delete_takeover_behavior.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml index cafbfdd2f0..ccff611088 100644 --- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml +++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml 
@@ -68,10 +68,8 @@ tags: - Data Destruction asset_type: O365 Tenant mitre_attack_id: - - T1114 - T1070.008 - T1485 - - T1070 - T1114.001 product: - Splunk Enterprise From 7269bbeee1c3dfc0986a49077b0d081595453628 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:26:20 -0500 Subject: [PATCH 45/51] Update o365_email_send_and_hard_delete_exfiltration_behavior.yml --- .../o365_email_send_and_hard_delete_exfiltration_behavior.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index 27f6cccdc7..9de7506f91 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml @@ -70,9 +70,7 @@ tags: - Data Destruction asset_type: O365 Tenant mitre_attack_id: - - T1114 - T1114.001 - - T1070 - T1070.008 - T1485 product: From 3ca62759aa71da68fb01a18d2941cc60ce0b9a94 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:26:45 -0500 Subject: [PATCH 46/51] Update o365_email_send_and_hard_delete_suspicious_behavior.yml --- .../o365_email_send_and_hard_delete_suspicious_behavior.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml index c17b1bc197..a2ff074eea 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml @@ -57,9 +57,7 @@ tags: - Data Destruction asset_type: O365 Tenant mitre_attack_id: - - T1114 - T1114.001 - - T1070 - T1070.008 - T1485 product: From c7f56ce3ef2080d1337c0c639d7841ac901d04ad Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:27:04 -0500 Subject: [PATCH 47/51] Update o365_email_send_attachments_excessive_volume.yml --- .../cloud/o365_email_send_attachments_excessive_volume.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index b5c587f208..9185d9468a 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -66,7 +66,6 @@ tags: - Suspicious Emails asset_type: O365 Tenant mitre_attack_id: - - T1070 - T1070.008 - T1485 product: From 101865e32b6464d6703735f78788828b19ac21c9 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 19:14:16 -0500 Subject: [PATCH 48/51] Update detections/cloud/o365_email_new_inbox_rule_created.yml Add IPv6 suggestion Co-authored-by: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com> --- detections/cloud/o365_email_new_inbox_rule_created.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml index 2eb397121b..07a601a58b 100644 --- a/detections/cloud/o365_email_new_inbox_rule_created.yml +++ b/detections/cloud/o365_email_new_inbox_rule_created.yml 
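Review bot: After dropping `T1070`, this detection's `mitre_attack_id` list is only `T1070.008` (Clear Mailbox Data) and `T1485` (Data Destruction), yet the analytic's own description and references, visible earlier in this series, frame it as attachment exfiltration to external recipients and cite T1114. Unless the search body (outside this hunk) also keys on hard-delete events, the mapping should include a collection/exfiltration technique so the alert story matches the tags; the sibling send-and-hard-delete detections in this series carry `- T1114.001`, which would be the consistent choice here. Keeping destruction-only tags on an exfiltration analytic misleads analysts who pivot by technique.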
@@ -10,7 +10,8 @@ data_source: - Office 365 Universal Audit Log search: |- `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder) - | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name' + | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = if(match(ClientIP, "^\["), ltrim(mvindex(split(ClientIP, "]:"), 0), "["), mvindex(split(ClientIP,":"),0)), desc = Name, action = 'Parameters{}.Name' + | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` From 03b79b651cca5478625cf93918dfc8c76a7c07e5 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 28 Feb 2025 15:58:44 -0500 Subject: [PATCH 49/51] Add files via upload --- .../office_365_reporting_message_trace.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 data_sources/office_365_reporting_message_trace.yml diff --git a/data_sources/office_365_reporting_message_trace.yml b/data_sources/office_365_reporting_message_trace.yml new file mode 100644 index 0000000000..e10952a94a --- /dev/null +++ b/data_sources/office_365_reporting_message_trace.yml 
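Review bot: The fallback branch of the new `src` expression still truncates a bare IPv6 address at its first colon, because the bracket test only recognises the `[addr]:port` form; a ClientIP logged as `2001:db8::1` with no brackets or port becomes `2001`, and a bracketed address without a port keeps its trailing `]` after the `ltrim`. If the audit log can emit either shape (worth confirming against real events), only strip a port when the value is unambiguously `host:port`: `src = case(match(ClientIP, "^\["), rtrim(ltrim(mvindex(split(ClientIP, "]:"), 0), "["), "]"), match(ClientIP, "^[^:]+:\d+$"), mvindex(split(ClientIP, ":"), 0), true(), ClientIP)`. A truncated `src` silently breaks any downstream allow-listing or threat-intel enrichment on this field.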
@@ -0,0 +1,16 @@ +name: Office 365 Reporting Message Trace +id: b637788e-fcf0-44fa-86ea-cab81193f939 +version: 1 +date: '2025-02-28' +author: Steven Dick +description: Data source object for Office 365 Reporting Message Trace +source: o365 +sourcetype: o365:reporting:messagetrace +separator: Organization +supported_TA: +- name: Splunk Microsoft Office 365 Add-on + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 +fields: +- _time +example_log: '{"Organization": "attackrange.onmicrosoft.com", "MessageId": "", "Received": "2025-01-16T21:06:46.832439", "SenderAddress": "victim_2@attack_range.lan", "RecipientAddress": "attacker_outside@gmail.com", "Subject": "Accounts and Passwords", "Status": "Delivered", "ToIP": "2607:f8b0:400e:c0d::1a", "FromIP": "189.135.168.197", "Size": 33584, "MessageTraceId": "3567c8ef-cc17-4a3f-d166-08dd3161e4fc", "Index": 3035}' \ No newline at end of file From d813729588881daa6bd40eb25a335b761b288b91 Mon Sep 17 00:00:00 2001 From: research-bot Date: Fri, 28 Feb 2025 14:29:32 -0800 Subject: [PATCH 50/51] updating test section as both dataset need to be indexed together --- .../o365_email_password_and_payroll_compromise_behavior.yml | 2 -- .../o365_email_receive_and_hard_delete_takeover_behavior.yml | 4 +--- .../o365_email_send_and_hard_delete_exfiltration_behavior.yml | 2 -- .../cloud/o365_email_send_attachments_excessive_volume.yml | 2 -- 4 files changed, 1 insertion(+), 9 deletions(-) diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml index 13bf178d72..e5add0c19d 100644 --- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml +++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml 
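Review bot: The `example_log` sample carries a `FromIP` of `189.135.168.197`, which looks like a live public address rather than test data; unless that value is intentionally copied from the published attack_range dataset, prefer an RFC 5737 documentation address such as `198.51.100.23` so the repository does not point readers at a real host. Separately, this data source declares `source: o365` while the test `attack_data` entries elsewhere in this series ingest the same sourcetype with `source: o365_messagetrace`; the macro filters on sourcetype only, so this is harmless at search time, but the two should agree so that tooling keyed on `source` resolves this object.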
@@ -81,8 +81,6 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 sourcetype: o365:management:activity -- name: True Positive Test - attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace sourcetype: o365:reporting:messagetrace diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml index ccff611088..7390f3ef76 100644 --- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml +++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml @@ -26,7 +26,7 @@ search: |- | bin _time span=4hr | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject ] - | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(ClientProcessName) as process, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject + | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_email_receive_and_hard_delete_takeover_behavior_filter` 
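Review bot: The `@@ -26,7 +26,7 @@` hunk removes `values(ClientProcessName) as process,` from the stats line, which drops the identity of the client that performed the hard delete from the alert output, and the commit message only speaks to merging the test datasets. If the field was removed because it is absent from the test data, note that `values()` over a missing field simply yields no `process` column and does not fail the search, so the original line could stay; if it was removed for another reason (for example a field-name collision with `observables` or `required_fields` outside this hunk), the commit message should say so. The enclosing `search:` block starts before this hunk.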
@@ -82,8 +82,6 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 sourcetype: o365:management:activity -- name: True Positive Test - attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace sourcetype: o365:reporting:messagetrace diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index 9de7506f91..1680afe5af 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml @@ -84,8 +84,6 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 sourcetype: o365:management:activity -- name: True Positive Test - attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace sourcetype: o365:reporting:messagetrace diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index 9185d9468a..edcedcc498 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml 
@@ -79,8 +79,6 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log source: o365 sourcetype: o365:management:activity -- name: True Positive Test - attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log source: o365_messagetrace sourcetype: o365:reporting:messagetrace From 6c5b29639b85987c8f6ee5fdd3c2690f98300f51 Mon Sep 17 00:00:00 2001 From: research-bot Date: Fri, 28 Feb 2025 14:33:02 -0800 Subject: [PATCH 51/51] adding available fields for this data source --- .../office_365_reporting_message_trace.yml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/data_sources/office_365_reporting_message_trace.yml b/data_sources/office_365_reporting_message_trace.yml index e10952a94a..cc8c4aa082 100644 --- a/data_sources/office_365_reporting_message_trace.yml +++ b/data_sources/office_365_reporting_message_trace.yml 
@@ -12,5 +12,62 @@ supported_TA: url: https://splunkbase.splunk.com/app/4055 version: 4.8.0 fields: +- FromIP +- Index +- MessageId +- MessageTraceId +- Organization +- Received +- RecipientAddress +- SenderAddress +- Size +- Status +- Subject +- ToIP +- _bkt +- _cd +- _eventtype_color +- _indextime +- _raw +- _serial +- _si +- _sourcetype +- _subsecond - _time +- action +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- eventtype +- host +- index +- internal_message_id +- linecount +- message_id +- punct +- recipient +- recipient_count +- recipient_domain +- size +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_user +- src_user_domain +- status_code +- subject +- tag +- tag::action +- tag::eventtype +- timeendpos +- timestartpos +- vendor_product example_log: '{"Organization": "attackrange.onmicrosoft.com", "MessageId": "", "Received": "2025-01-16T21:06:46.832439", "SenderAddress": "victim_2@attack_range.lan", "RecipientAddress": "attacker_outside@gmail.com", "Subject": "Accounts and Passwords", "Status": "Delivered", "ToIP": "2607:f8b0:400e:c0d::1a", "FromIP": "189.135.168.197", "Size": 33584, "MessageTraceId": "3567c8ef-cc17-4a3f-d166-08dd3161e4fc", "Index": 3035}' \ No newline at end of file
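Review bot: The new `fields:` list is a dump of every search-time field Splunk returned, including indexer and UI internals such as `_bkt`, `_cd`, `_serial`, `_si`, `_eventtype_color`, `splunk_server_group`, `timeendpos`, `timestartpos`, `punct`, `linecount` and the `date_*` breakdowns, none of which are produced by the Message Trace data source or the add-on. Listing them as "available fields" misrepresents the data source and will drift as Splunk versions change; trim the list to the event fields present in `example_log` (`FromIP` through `ToIP`, `Organization`, `Received`, `Index`) plus the CIM aliases the add-on supplies (`action`, `dest`, `recipient`, `recipient_domain`, `src`, `src_user`, `src_user_domain`, `status_code`, `subject`, `message_id`, `internal_message_id`, `size`, `recipient_count`, `vendor_product`) and the standard `_time`/`host`/`source`/`sourcetype`/`index`. A one-line `# Event and CIM fields only; Splunk internal fields omitted` comment above the list would keep future contributors from re-adding them.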