Microsoft 365 Exchange Malware Filter Rule Modification

calendar Apr 2, 2024 · Domain: Cloud Data Source: Microsoft 365 Use Case: Configuration Audit Tactic: Defense Evasion  ·
Share on: linkedin copy

Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may
13want to modify a malware filter rule to evade detection.
14"""
15false_positives = [
16    """
17    A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was
18    expected. Exceptions can be added to this rule to filter expected behavior.
19    """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Exchange Malware Filter Rule Modification"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
31    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps",
32]
33risk_score = 47
34rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1562"
49name = "Impair Defenses"
50reference = "https://attack.mitre.org/techniques/T1562/"
51
52
53[rule.threat.tactic]
54id = "TA0005"
55name = "Defense Evasion"
56reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • Remove-MalwareFilterRule (ExchangePowerShell)

    You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.


    Read More

  • Disable-MalwareFilterRule (ExchangePowerShell)

    You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.


    Read More

Related rules

to-top