From 571ba796fb5434fde4dc9e29743b60a0713a0a45 Mon Sep 17 00:00:00 2001 From: pex7hfbnt <1584881064@qq.com> Date: Wed, 16 Oct 2024 23:35:57 +0800 Subject: [PATCH] ADD file via upload --- source/O365_detection_rules.json | 99 ++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 source/O365_detection_rules.json diff --git a/source/O365_detection_rules.json b/source/O365_detection_rules.json new file mode 100644 index 0000000..e325c3a --- /dev/null +++ b/source/O365_detection_rules.json @@ -0,0 +1,99 @@ +[ + { + "name": "Suspicious User Agent", + "severity": "High", + "query": "SELECT * FROM events WHERE UserAgent LIKE '%python%' OR UserAgent LIKE '%ruler%' OR UserAgent LIKE '%curl%' OR UserAgent LIKE '%Wget%' OR UserAgent LIKE '%python-requests%' OR UserAgent LIKE '%AADInternals%' OR UserAgent LIKE '%azurehound%' OR UserAgent LIKE '%axios%' OR UserAgent LIKE '%BAV2ROPC%' " + }, + { + "name": "User adding or removing Inbox Rule", + "severity": "Medium", + "query": "SELECT * FROM events WHERE Operation LIKE '%InboxRule%' OR Operation LIKE 'Set-Mailbox' OR Operation LIKE '%DeliverToMailboxAndForward%' OR Operation LIKE '%ForwardingAddress%' OR Operation LIKE '%ForwardingAddress%' " + }, + { + "name": "After Hours Activity", + "severity": "Medium", + "query": "SELECT * FROM events WHERE (CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END >= 20 OR CASE WHEN CAST(substr(CreationTime, 12, 2) AS INTEGER) < 0 THEN 24 + (CAST(substr(CreationTime, 12, 2) AS INTEGER)) ELSE CAST(substr(CreationTime, 12, 2) AS INTEGER) END < 6) AND NOT (Operation LIKE 'File%' OR Operation LIKE 'List%' OR Operation LIKE 'Page%' OR Operation LIKE '%UserLogin%');" + }, + { + "name": "Possible file exfiltration", + "severity": "Low", + "query": "SELECT * FROM events WHERE Operation LIKE '%FileUploaded%' " + }, + { + "name": "Admin searching in emails of other users", + "severity": "Low", + "query": "SELECT * FROM events WHERE Operation LIKE '%SearchStarted%' OR Operation LIKE '%SearchExportDownloaded%' OR Operation LIKE '%ViewedSearchExported%' " + }, + { + "name": "Strong Authentication Disabled", + "severity": "medium", + "query": "SELECT * FROM events WHERE Operation LIKE '%disable strong authentication%'" + }, + { + "name": "User added to admin group", + "severity": "High", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%add member to group%' AND ModifiedProperties Like '%admin%') OR ( Operation LIKE '%AddedToGroup%' AND TargetUserOrGroupName Like '%admin%') " + }, + { + "name": "New Policy created", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%add policy%' ) " + }, + { + "name": "Security Alert triggered", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%AlertTriggered%' AND NOT Severity Like '%Low%') " + }, + { + "name": "Transport rules ( mail flow rules ) modified", + "severity": "High", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%TransportRule%') " + }, + { + "name": "An application was registered in Azure AD", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add service principal.%') " + }, + { + "name": "Add app role assignment grant to user", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%Add app role assignment grant to user.%') " + }, + { + "name": "eDiscovery Abuse", + "severity": "High", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%New-ComplianceSearch%') " + }, + { + "name": "Operations affecting OAuth Applications", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation = 'Add application.' OR Operation = 'Update application' OR Operation = 'Add service principal.' OR Operation = 'Update application Certificates and secrets management' OR Operation = 'Update applicationUpdate service principal.' OR Operation = 'Add app role assignment grant to user.' OR Operation = 'Add delegated permission grant.' OR Operation = 'Add owner to application.' OR Operation = 'Add owner to service principal.') " + }, + { + "name": "Suspicious Operations affecting Mailbox ", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation = 'Set-MailboxJunkEmailConfiguration' OR Operation = 'SoftDelete' OR Operation = 'SendAs' OR Operation = 'HardDelete' OR Operation = 'MoveToDeletedItems' ) " + }, + { + "name": "Suspicious Operations affecting SharePoint ", + "severity": "Medium", + "query": "SELECT * FROM events WHERE ( Operation = 'AddedToSecureLink' OR Operation = 'SearchQueryPerformed' OR Operation = 'SecureLinkCreated' OR Operation = 'SecureLinkUpdated' OR Operation = 'SharingInvitationCreated' ) " + }, + { + "name": "User Modifying RetentionPolicy ", + "severity": "High", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%UnifiedAuditLogRetentionPolicy%' ) " + }, + { + "name": "User Modifying Audit Logging ", + "severity": "High", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%AdminAuditLogConfig%' ) " + }, + { + "name": "String Authentication Disabled ", + "severity": "High", + "query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' ) " + } + + +] \ No newline at end of file