Microsoft 365 Exchange Transport Rule Modification

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport
13rules) are used to identify and take action on messages that flow through your organization. An adversary or insider
14threat may modify a transport rule to exfiltrate data or evade defenses.
15"""
16false_positives = [
17    """
18    A transport rule may be modified by a system or network administrator. Verify that the configuration change was
19    expected. Exceptions can be added to this rule to filter expected behavior.
20    """,
21]
22from = "now-30m"
23index = ["filebeat-*", "logs-o365*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "Microsoft 365 Exchange Transport Rule Modification"
27note = """## Setup
28
29The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = [
31    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps",
32    "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps",
33    "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
34]
35risk_score = 47
36rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
37severity = "medium"
38tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1537"
51name = "Transfer Data to Cloud Account"
52reference = "https://attack.mitre.org/techniques/T1537/"
53
54
55[rule.threat.tactic]
56id = "TA0010"
57name = "Exfiltration"
58reference = "https://attack.mitre.org/tactics/TA0010/"

References

• Remove-TransportRule (ExchangePowerShell)

  

  On Mailbox servers, this cmdlet removes the rule from Active Directory. On an Edge Transport server, the cmdlet removes the rule from the local Active Directory Lightweight Directory Services (AD LDS) instance. To temporarily disable a transport rule without removing it, use the Disable-TransportRule cmdlet instead. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

  
  Read More

• Disable-TransportRule (ExchangePowerShell)

  

  To enable rules that are disabled, use the Enable-TransportRule cmdlet. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

  
  Read More

• Mail flow rules (transport rules) in Exchange Online

  

  Learn about mail flow rules in Exchange Online.

  
  Read More

Related rules

• Microsoft 365 Exchange Transport Rule Creation
• Microsoft 365 Mass download by a single user
• Microsoft 365 Exchange Anti-Phish Policy Deletion
• Microsoft 365 Exchange Anti-Phish Rule Modification
• Microsoft 365 Exchange DLP Policy Removed