Suspicious Microsoft 365 Mail Access by ClientAppId

Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the first time during the last 10 days.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/07/18"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last
1310 days.
14"""
15false_positives = ["User using a new mail client."]
16from = "now-30m"
17index = ["filebeat-*", "logs-o365*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Suspicious Microsoft 365 Mail Access by ClientAppId"
21note = """## Setup
22
23The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
24"""
25references = ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"]
26risk_score = 47
27rule_id = "48819484-9826-4083-9eba-1da74cd0eaf2"
28severity = "medium"
29tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
30timestamp_override = "event.ingested"
31type = "new_terms"
32
33query = '''
34event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1078"
42name = "Valid Accounts"
43reference = "https://attack.mitre.org/techniques/T1078/"
44
45
46[rule.threat.tactic]
47id = "TA0001"
48name = "Initial Access"
49reference = "https://attack.mitre.org/tactics/TA0001/"
50
51
52[rule.new_terms]
53field = "new_terms_fields"
54value = ["o365.audit.ClientAppId", "user.id"]
55[[rule.new_terms.history_window_start]]
56field = "history_window_start"
57value = "now-10d"```

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules
