Microsoft 365 Exchange Transport Rule Modification

Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport
11rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
12threat may modify a transport rule to exfiltrate data or evade defenses.
13"""
14false_positives = [
15    """
16    A transport rule may be modified by a system or network administrator. Verify that the configuration change was
17    expected. Exceptions can be added to this rule to filter expected behavior.
18    """,
19]
20from = "now-30m"
21index = ["filebeat-*", "logs-o365*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Microsoft 365 Exchange Transport Rule Modification"
25note = """## Setup
26
27The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
30    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
31    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
32]
33risk_score = 47
34rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1537"
49name = "Transfer Data to Cloud Account"
50reference = "https://attack.mitre.org/techniques/T1537/"
51
52
53[rule.threat.tactic]
54id = "TA0010"
55name = "Exfiltration"
56reference = "https://attack.mitre.org/tactics/TA0010/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top