Microsoft 365 Exchange Safe Link Policy Disabled
Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/18"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend
11phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.
12"""
13false_positives = [
14 """
15 Disabling safe links may be done by a system or network administrator. Verify that the configuration change was
16 expected. Exceptions can be added to this rule to filter expected behavior.
17 """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Exchange Safe Link Policy Disabled"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28 "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps",
29 "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide",
30]
31risk_score = 47
32rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
33severity = "medium"
34tags = [
35 "Domain: Cloud",
36 "Data Source: Microsoft 365",
37 "Use Case: Identity and Access Audit",
38 "Tactic: Initial Access",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1566"
52name = "Phishing"
53reference = "https://attack.mitre.org/techniques/T1566/"
54
55
56[rule.threat.tactic]
57id = "TA0001"
58name = "Initial Access"
59reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS IAM Password Recovery Requested
- AWS Management Console Root Login
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in