[Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Micro…

…soft 365 Rules (#4105) * tuning M365 impossible travel activity rules * added additional filters for user type logins * adjusted updated date
elastic · Sep 28, 2024 · ef4e433 · ef4e433
1 parent 1d1b2eb
commit ef4e433
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/...s/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/...s/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "ES|QL not available until 8.13.0 in technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/09/05"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -65,6 +65,10 @@ from logs-o365.audit-*
     "UserStrongAuthExpired",
     "CmsiInterrupt"
 )
+
+  // ignore unavailable
+  and o365.audit.UserId != "Not Available"
+
   // filters out non user or application logins based on target
   and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")
 

diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,8 @@ event.dataset: "o365.audit"
     and event.provider: "AzureActiveDirectory"
     and event.action: "UserLoggedIn"
     and event.outcome: "success"
+    and not o365.audit.UserId: "Not Available"
+    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
 
 

diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -34,6 +34,8 @@ event.dataset: "o365.audit"
     and event.provider: "AzureActiveDirectory"
     and event.action: "UserLoggedIn"
     and event.outcome: "success"
+    and not o365.audit.UserId: "Not Available"
+    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''