Microsoft 365 Exchange Malware Filter Rule Modification

calendar May 22, 2024 · Domain: Cloud Data Source: Microsoft 365 Use Case: Configuration Audit Tactic: Defense Evasion  ·
Share on: linkedin copy

Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may
11want to modify a malware filter rule to evade detection.
12"""
13false_positives = [
14    """
15    A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was
16    expected. Exceptions can be added to this rule to filter expected behavior.
17    """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Exchange Malware Filter Rule Modification"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
29    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps",
30]
31risk_score = 47
32rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
33severity = "medium"
34tags = [
35    "Domain: Cloud",
36    "Data Source: Microsoft 365",
37    "Use Case: Configuration Audit",
38    "Tactic: Defense Evasion",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54
55
56[rule.threat.tactic]
57id = "TA0005"
58name = "Defense Evasion"
59reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • Remove-MalwareFilterRule (ExchangePowerShell)

    You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.


    Read More

  • Disable-MalwareFilterRule (ExchangePowerShell)

    You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.


    Read More

Related rules

to-top