Microsoft 365 Exchange Malware Filter Rule Modification
Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/19"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may
13want to modify a malware filter rule to evade detection.
14"""
15false_positives = [
16 """
17 A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was
18 expected. Exceptions can be added to this rule to filter expected behavior.
19 """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Exchange Malware Filter Rule Modification"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
31 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps",
32]
33risk_score = 47
34rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1562"
49name = "Impair Defenses"
50reference = "https://attack.mitre.org/techniques/T1562/"
51
52
53[rule.threat.tactic]
54id = "TA0005"
55name = "Defense Evasion"
56reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification