Microsoft 365 Exchange Malware Filter Policy Deletion
Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/19"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert
11administrators that an internal user sent a message that contained malware. This may indicate an account or machine
12compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.
13"""
14false_positives = [
15 """
16 A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change
17 was expected. Exceptions can be added to this rule to filter expected behavior.
18 """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps",
30]
31risk_score = 47
32rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb"
33severity = "medium"
34tags = [
35 "Domain: Cloud",
36 "Data Source: Microsoft 365",
37 "Use Case: Configuration Audit",
38 "Tactic: Defense Evasion",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54
55
56[rule.threat.tactic]
57id = "TA0005"
58name = "Defense Evasion"
59reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More
Related rules
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Rule Modification
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Application Removed from Blocklist in Google Workspace
- Azure Alert Suppression Rule Created or Modified