Microsoft 365 User Restricted from Sending Email

Identifies when a user has been restricted from sending email because they exceeded the sending limits defined by the service's policies, as recorded by the Security & Compliance Center.


# Rule metadata read by the Elastic detection-rules tooling; the detection
# logic itself lives in the [rule] table below.
[metadata]
creation_date = "2021/07/15"
integration = ["o365"]
maturity = "production"
# The rule is pinned to 8.8.0 because of a breaking change in the Microsoft
# 365 integration at that version - presumably a change in the data shape the
# query relies on; confirm against the integration changelog before relaxing
# min_stack_version.
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

# Detection logic. Fires on the Microsoft 365 audit event that records a user
# being restricted from sending email after exceeding the tenant's sending
# limits (see `query` below).
[rule]
author = ["Austin Songer"]
description = """
Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies
per the Security Compliance Center.
"""
# The one benign trigger documented so far. Any other hit deserves a look:
# reaching the sending limit is itself the signal this rule keys on.
false_positives = ["A user sending emails using personal distribution folders may trigger the event."]
# Lookback window per rule execution (evaluated against `timestamp_override`
# below rather than the event's own timestamp).
from = "now-30m"
# Presumably filebeat-* covers the Filebeat module and logs-o365* the Fleet
# integration; both are listed as acceptable sources in `note`.
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 User Restricted from Sending Email"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
# NOTE(review): both links are Defender for Cloud Apps (formerly Cloud App
# Security) anomaly/policy-template docs, not documentation for the Security &
# Compliance Center restriction event this rule matches. Worth pairing with
# Microsoft's documentation on outbound sending limits and the restricted-users
# workflow so an analyst can see why the block happened and how to lift it.
references = [
    "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
    "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
]
risk_score = 47
rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
# Key the rule's time window on ingest time so audit records that arrive late
# are not skipped by the `from` window.
timestamp_override = "event.ingested"
type = "query"

# KQL, one exact match per clause:
#   event.dataset  - o365 audit log only
#   event.provider - emitted by the Security & Compliance Center
#   event.category - "web", the category the integration assigns to this
#                    event (it is not an HTTP log) - TODO confirm
#   event.action   - the literal action string; quoted because it contains
#                    spaces (phrase match). An upstream rename of this string
#                    would silently stop the rule firing, so re-check it when
#                    bumping the integration.
#   event.outcome  - only restrictions that actually took effect
# Suggested triage for a hit: confirm the account is not a legitimate bulk
# sender, then review its recent sign-ins, inbox rules and sent items for
# signs the account is being used by someone other than its owner.
query = '''
event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success
'''


# ATT&CK mapping. The rule is filed under Initial Access / Valid Accounts,
# i.e. a user being throttled for sending too much mail is treated as a
# possible symptom of a legitimate account being misused, not as an attacker
# technique in itself. The restriction is a service-side control; the
# detection value is in what it implies about the account.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


# Tactic for this threat entry (sub-table of the same [[rule.threat]] element).
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References
