Microsoft 365 User Restricted from Sending Email
Identifies when a user has been restricted from sending email because they exceeded the sending limits set by the service policies, as reported by the Security Compliance Center.
# Elastic prebuilt detection rule: alerts when the Microsoft 365 audit log
# (Security Compliance Center provider) records that a user has been restricted
# from sending email.

[metadata]
creation_date = "2021/07/15"
# Fleet integration this rule depends on for its data (see `index` and `note` below).
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Austin Songer"]
description = """
Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies
per the Security Compliance Center.
"""
# Documented benign trigger: legitimate bulk sends from personal distribution folders.
false_positives = ["A user sending emails using personal distribution folders may trigger the event."]
# Lookback window per rule execution; measured against the `timestamp_override` field below.
from = "now-30m"
# Index patterns searched: the Filebeat o365 module and the Fleet o365 integration data streams.
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 User Restricted from Sending Email"
# NOTE(review): `note` holds only the setup text; investigation/triage guidance is not part of this file.
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
]
# 47 sits at the top of the "medium" band, matching the `severity` declared below.
risk_score = 47
rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Configuration Audit",
    "Tactic: Initial Access",
]
# Evaluate the `from` window on ingest time rather than the event's own timestamp —
# presumably to tolerate delayed delivery of O365 audit logs; confirm.
timestamp_override = "event.ingested"
type = "query"

# KQL match, all clauses AND-ed:
#   - event.dataset / event.provider / event.category pin the o365 audit events
#     emitted by the Security Compliance Center;
#   - event.action is the exact audit action string for the sending restriction;
#   - event.outcome:success keeps only events where that action succeeded, i.e. the
#     restriction was actually applied. The restriction is a Microsoft-side response,
#     so an alert means the service policy has already been tripped; triage should
#     look at what the restricted account was sending.
query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success
'''


# MITRE ATT&CK mapping. The file does not state the rationale; presumably a mailbox
# tripping sending limits is treated as a possible sign of a compromised valid
# account, consistent with the "Tactic: Initial Access" tag — confirm.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange DLP Policy Removed
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification