From 46bc87e8189b65ca0a476c6d5b48ed180cb101aa Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 15 Jan 2025 15:24:16 -0500
Subject: [PATCH 1/8] Add files via upload
---
 .../o365_email_transport_rule_changed.yml | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 detections/cloud/o365_email_transport_rule_changed.yml
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
new file mode 100644
index 0000000000..04398ee6a8
--- /dev/null
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -0,0 +1,78 @@
+name: O365 Email Transport Rule Changed
+id: 11ebb7c2-46bd-41c9-81e1-d0b4b34583a2
+version: 1
+date: '2025-01-15'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
+data_source:
+- O365
+search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
+| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId)
+| eval object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
+| stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
+| rename UserId as user, Operation as signature
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `o365_email_transport_rule_changed_filter`'
+how_to_implement:
+known_false_positives: Legitimate administrative changes for business needs.
+references:
+- https://attack.mitre.org/techniques/T1114/003/
+- https://cardinalops.com/blog/cardinalops-contributes-new-mitre-attck-techniques-related-to-abuse-of-mail-transport-rules/
+- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate changes by $user$
+ search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*Transport*" UserId=$user$'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Data Exfiltration
+ - Office 365 Account Takeover
+ asset_type: Cloud
+ confidence: 50
+ impact: 50
+ message: The user [$user$] altered the exchange transport rule id $object_id$ [$object_name$]
+ mitre_attack_id:
+ - T1114.003
+ - T1564.008
+ observable:
+ - name: user
+ type: user
+ role:
+ - Victim
+ - name: object_id
+ type: Other
+ role:
+ - Attacker
+ - name: object_name
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Workload
+ - Operation
+ -
UserId
+ - Parameters{}.Name
+ risk_score: 25
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
+ source: o365
+ sourcetype: o365:management:activity
\ No newline at end of file
From 61dcaf1d290065ab1e556d482a3488a1448f60a9 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 15 Jan 2025 15:36:39 -0500
Subject: [PATCH 2/8] Update o365_email_transport_rule_changed.yml probably single tick closeness to start problem in SPL
---
 detections/cloud/o365_email_transport_rule_changed.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index 04398ee6a8..3a91b38470 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
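Review bot: The third drilldown, `Investigate changes by $user$`, passes the token unquoted (`UserId=$user$`) while the first drilldown quotes it (`user = "$user$"`); an O365 UserId can contain spaces or other characters the search parser treats specially, which would break or silently widen that search, so it should be `UserId="$user$"`. That drilldown also broadens the filter to `Operation="*Transport*"` where the detection itself uses `*TransportRule`; if the wider scope is intended to surface related mail-flow changes, a `#` comment on that line saying so would keep a later edit from tightening it.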
@@ -8,9 +8,7 @@ type: Anomaly
 description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
 data_source:
 - O365
-search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
-| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId)
-| eval object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
+search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule" | eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
 | stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
 | rename UserId as user, Operation as signature
 | `security_content_ctime(firstTime)`
@@ -75,4 +73,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
 source: o365
- sourcetype: o365:management:activity
\ No newline at end of file
+ sourcetype: o365:management:activity
From c0de38c353023aeb89f81f1ef44f655f0b3bd07a Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 15 Jan 2025 15:39:31 -0500
Subject: [PATCH 3/8] Update o365_email_transport_rule_changed.yml
---
 detections/cloud/o365_email_transport_rule_changed.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index 3a91b38470..078d2c843c 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -8,7 +8,8 @@ type: Anomaly
 description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
 data_source:
 - O365
-search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule" | eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
+search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
+| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
 | stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
 | rename UserId as user, Operation as signature
 | `security_content_ctime(firstTime)`
From 4bd74d8606989b51057c54ffd756b8bc21d73c2b Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 12:08:20 -0500
Subject: [PATCH 4/8] Update o365_email_transport_rule_changed.yml
---
 .../o365_email_transport_rule_changed.yml | 35 +++++++------------
 1 file changed, 12 insertions(+), 23 deletions(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index 078d2c843c..b2b6ac29b1 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -34,40 +34,29 @@ drilldown_searches:
 search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*Transport*" UserId=$user$'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: The user [$user$] altered the exchange transport rule id $object_id$ [$object_name$]
+ risk_objects:
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: object_id
+ type: signature
+ - field: object_name
+ type: signature
 tags:
 analytic_story:
 - Data Exfiltration
 - Office 365 Account Takeover
- asset_type: Cloud
- confidence: 50
- impact: 50
- message: The user [$user$] altered the exchange transport rule id $object_id$ [$object_name$]
+ asset_type: O365 Tenant
 mitre_attack_id:
 - T1114.003
 - T1564.008
- observable:
- - name: user
- type: user
- role:
- - Victim
- - name: object_id
- type: Other
- role:
- - Attacker
- - name: object_name
- type: Other
- role:
- - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - Workload
- - Operation
- - UserId
- - Parameters{}.Name
- risk_score: 25
 security_domain: threat
 tests:
 - name: True Positive Test
From ffc64431b763d1aa797cd219e27c13de464bfcb4 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 14:58:01 -0500
Subject: [PATCH 5/8] Update o365_email_transport_rule_changed.yml
---
 detections/cloud/o365_email_transport_rule_changed.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index b2b6ac29b1..07dab5f435 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -9,7 +9,8 @@ description: The following analytic identifies when a user with sufficient acces
 data_source:
 - O365
 search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
-| eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
+| rename Parameters{}.* as Parameters_*
+| eval object_name = case(Parameters_Name=="Name",mvindex(Parameters_Value,mvfind(Parameters_Name,"^Name$")),true(),ObjectId), object_id = case(Parameters_Name=="Identity",mvindex(Parameters_Value,mvfind(Parameters_Name,"^Identity$")),true(),Id)
 | stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
 | rename UserId as user, Operation as signature
 | `security_content_ctime(firstTime)`
From 977c6785ae53db832ff66b52ebddb65f5f802f97 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 15:01:55 -0500
Subject: [PATCH 6/8] Update o365_email_transport_rule_changed.yml
---
 detections/cloud/o365_email_transport_rule_changed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index 07dab5f435..1735d8145a 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -16,7 +16,7 @@ search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*",
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
 | `o365_email_transport_rule_changed_filter`'
-how_to_implement:
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
 known_false_positives: Legitimate administrative changes for business needs.
 references:
 - https://attack.mitre.org/techniques/T1114/003/
From 02c5a241003cde9d9e1af14e1becb19667f26242 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 19:45:28 -0500
Subject: [PATCH 7/8] Update o365_email_transport_rule_changed.yml
---
 .../o365_email_transport_rule_changed.yml | 18 +++++++++--------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index 1735d8145a..12b3202209 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
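Review bot: The new how_to_implement text does not mention the two things the search above it actually depends on: the `o365_management_activity` macro it calls and the `Workload=Exchange` records it filters on. I would extend it along the lines of `... and ingest Office 365 management activity events. The search expects the o365_management_activity macro to resolve to that data and relies on Exchange workload (Exchange admin audit) records being present.`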
@@ -7,15 +7,15 @@ status: production
 type: Anomaly
 description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data.
 data_source:
-- O365
-search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
-| rename Parameters{}.* as Parameters_*
-| eval object_name = case(Parameters_Name=="Name",mvindex(Parameters_Value,mvfind(Parameters_Name,"^Name$")),true(),ObjectId), object_id = case(Parameters_Name=="Identity",mvindex(Parameters_Value,mvfind(Parameters_Name,"^Identity$")),true(),Id)
-| stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
-| rename UserId as user, Operation as signature
-| `security_content_ctime(firstTime)`
-| `security_content_ctime(lastTime)`
-| `o365_email_transport_rule_changed_filter`'
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule"
+ | eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id)
+ | stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation
+ | rename UserId as user, Operation as signature
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_email_transport_rule_changed_filter`
 how_to_implement: You must install the Splunk Microsoft Office 
365 Add-on and ingest Office 365 management activity events.
 known_false_positives: Legitimate administrative changes for business needs.
 references:
From 25af0925e63921c64106f57e916cf0f148e386f4 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 11 Feb 2025 08:41:18 -0800
Subject: [PATCH 8/8] rba message
---
 detections/cloud/o365_email_transport_rule_changed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index 12b3202209..bd7a4f1ee2 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -36,7 +36,7 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: The user [$user$] altered the exchange transport rule id $object_id$ [$object_name$]
+ message: The user [$user$] altered the exchange transport rule id [$object_name$]
 risk_objects:
 - field: user
 type: user
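Review bot: On the new `| eval` line the `object_id` fallback is `true(),Id`, so an event whose Parameters carry no `Identity` entry — presumably a `New-TransportRule` call, which passes `Name` rather than `Identity` — takes the event's `Id`. If `Id` is the audit record identifier (unique per event, as I read the O365 management activity schema), every rule creation then lands in its own `stats ... by object_id` bucket with count 1 and the risk objects carry a record GUID rather than anything a responder can look up; using `ObjectId` as the fallback, as the `object_name` branch already does, would keep the grouping on the cmdlet target. The condition `'Parameters{}.Name'=="Name"` also compares a multivalue field with `==`, whose multivalue behaviour is easy to misread, while the branch already computes `mvfind`; `isnotnull(mvfind('Parameters{}.Name',"^Name$"))` states the intent unambiguously. Separately, the `Operation IN (...)` list covers Set/Disable/New/Remove but not `Enable-TransportRule`, so re-enabling a rule an administrator had disabled goes unseen by this analytic.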
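Review bot: The rewritten rba message still reads `transport rule id [$object_name$]` although the only value substituted is `$object_name$`, which the search fills from the rule's `Name` parameter (or `ObjectId`) rather than an identifier, so the alert text calls a name an id. Either drop the word — `message: The user [$user$] altered the exchange transport rule [$object_name$]` — or keep both fields if `$object_id$` was removed for a reason other than wording; the commit message does not say which. The rba block continues past the end of the hunk.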