Microsoft 365 Exchange Malware Filter Rule Modification

Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may
11want to modify a malware filter rule to evade detection.
12"""
13false_positives = [
14    """
15    A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was
16    expected. Exceptions can be added to this rule to filter expected behavior.
17    """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Exchange Malware Filter Rule Modification"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps",
29    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps",
30]
31risk_score = 47
32rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
33severity = "medium"
34tags = [
35    "Domain: Cloud",
36    "Data Source: Microsoft 365",
37    "Use Case: Configuration Audit",
38    "Tactic: Defense Evasion",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54
55
56[rule.threat.tactic]
57id = "TA0005"
58name = "Defense Evasion"
59reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top