Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Rule Tuning] Microsoft 365 Impossible travel activity #4103

Open
willemri opened this issue Sep 25, 2024 · 0 comments
Open

[Rule Tuning] Microsoft 365 Impossible travel activity #4103

willemri opened this issue Sep 25, 2024 · 0 comments
Assignees
Labels
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@willemri
Copy link

willemri commented Sep 25, 2024

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

the field: "o365.audit.UserId" contains "Not Available" which triggers alot of FP in our environment

Example Data

{
"_index": ".ds-logs-o365.audit-default-2024.09.13-000024",
"_id": "aosTfZGWFGbCpp7eqLYCXXpTM10=",
"_score": 1,
"_source": {
"agent": {
"name": "ingest",
"id": "122e2782-81d0-447d-bfef-34dc2c293c6e",
"type": "filebeat",
"ephemeral_id": "71ba93f0-e1ca-44b7-8f78-ff120cce8729",
"version": "8.14.3"
},
"elastic_agent": {
"id": "122e2782-81d0-447d-bfef-34dc2c293c6e",
"version": "8.14.3",
"snapshot": false
},
"source": {
"geo": {
"region_iso_code": "BE-VOV",
"continent_name": "Europe",
"city_name": "Ghent",
"country_iso_code": "BE",
"country_name": "Belgium",
"region_name": "East Flanders Province",
"location": {
"lon": 3.7206,
"lat": 51.047
}
},
"as": {
"number": 6848,
"organization": {
"name": "Telenet BV"
}
},
"ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
},
"tags": [
"preserve_original_event",
"forwarded",
"o365-cel"
],
"network": {
"type": "ipv6"
},
"o365": {
"audit": {
"AzureActiveDirectoryEventType": "1",
"UserKey": "3e399962-2dcb-4f8a-b859-65d7d5933496",
"ActorIpAddress": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4",
"ExtendedProperties": {
"ResultStatusDetail": "Success",
"RequestType": "SAS:EndAuth"
},
"IntraSystemId": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00",
"Target": [
{
"Type": "0",
"ID": "00000002-0000-0ff1-ce00-000000000000"
}
],
"RecordType": "15",
"Version": "1",
"SupportTicketId": "",
"Actor": [
{
"Type": "0",
"ID": "3e399962-2dcb-4f8a-b859-65d7d5933496"
}
],
"DeviceProperties": [
{
"Value": "Ios",
"Name": "OS"
},
{
"Value": "Safari",
"Name": "BrowserType"
}
],
"ActorContextId": "99999999-9999-9999-9999-9999999999",
"ResultStatus": "Success",
"ObjectId": "00000002-0000-0ff1-ce00-000000000000",
"ErrorNumber": "0",
"UserId": "Not Available",
"TargetContextId": "99999999-9999-9999-9999-9999999999",
"CreationTime": "2024-09-25T09:08:06",
"InterSystemsId": "e270bb9a-86ac-971a-586d-9a35f66c0979",
"ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
"UserType": "4"
}
},
"input": {
"type": "cel"
},
"@timestamp": "2024-09-25T09:08:06.000Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "o365.audit"
},
"organization": {
"id": "99999999-9999-9999-9999-9999999999"
},
"host": {
"id": "99999999-9999-9999-9999-9999999999"
},
"client": {
"address": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4",
"ip": "2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
},
"event": {
"agent_id_status": "verified",
"ingested": "2024-09-25T09:15:46Z",
"original": "{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}",
"code": "AzureActiveDirectoryStsLogon",
"provider": "AzureActiveDirectory",
"kind": "event",
"action": "UserLoggedIn",
"id": "b3d78cbd-9c69-4a1e-ad80-84302e3d6e00",
"type": [
"info",
"start",
"access"
],
"category": [
"web",
"authentication"
],
"dataset": "o365.audit",
"outcome": "success"
},
"user": {
"id": "Not Available"
},
"user_agent": {
"original": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1",
"os": {
"name": "iOS",
"version": "16.7.8",
"full": "iOS 16.7.8"
},
"name": "Mobile Safari",
"device": {
"name": "iPhone"
},
"version": "16.6"
}
},
"fields": {
"o365.audit.SupportTicketId": [
""
],
"elastic_agent.version": [
"8.14.3"
],
"event.category": [
"web",
"authentication"
],
"o365.audit.UserId": [
"Not Available"
],
"o365.audit.ApplicationId": [
"00000002-0000-0ff1-ce00-000000000000"
],
"user_agent.original.text": [
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
],
"o365.audit.DeviceProperties.Name": [
"OS",
"BrowserType"
],
"user_agent.os.version": [
"16.7.8"
],
"client.address": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"o365.audit.TargetContextId": [
"99999999-9999-9999-9999-9999999999"
],
"agent.name.text": [
"ingest"
],
"source.geo.region_name": [
"East Flanders Province"
],
"source.ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"agent.name": [
"ingest"
],
"user_agent.version": [
"16.6"
],
"event.agent_id_status": [
"verified"
],
"source.geo.region_iso_code": [
"BE-VOV"
],
"event.kind": [
"event"
],
"o365.audit.Actor.Type": [
"0"
],
"event.outcome": [
"success"
],
"source.geo.city_name": [
"Ghent"
],
"user_agent.original": [
"Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
],
"event.original": [
"{AzureActiveDirectoryEventType=1, UserKey=3e399962-2dcb-4f8a-b859-65d7d5933496, ActorIpAddress=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Operation=UserLoggedIn, OrganizationId=99999999-9999-9999-9999-9999999999, ExtendedProperties=[{Value=Success, Name=ResultStatusDetail}, {Value=Mozilla/5.0 (iPhone; CPU iPhone OS 16_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1, Name=UserAgent}, {Value=SAS:EndAuth, Name=RequestType}], IntraSystemId=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, Target=[{Type=0, ID=00000002-0000-0ff1-ce00-000000000000}], RecordType=15, Version=1, SupportTicketId=, Actor=[{Type=0, ID=3e399962-2dcb-4f8a-b859-65d7d5933496}], DeviceProperties=[{Value=Ios, Name=OS}, {Value=Safari, Name=BrowserType}], ActorContextId=99999999-9999-9999-9999-9999999999, ResultStatus=Success, ObjectId=00000002-0000-0ff1-ce00-000000000000, ErrorNumber=0, ClientIP=2a01:1812:1435:3a00:7878:bc52:41f2:56f4, Workload=AzureActiveDirectory, UserId=Not Available, TargetContextId=99999999-9999-9999-9999-9999999999, CreationTime=2024-09-25T09:08:06, InterSystemsId=e270bb9a-86ac-971a-586d-9a35f66c0979, Id=b3d78cbd-9c69-4a1e-ad80-84302e3d6e00, ApplicationId=00000002-0000-0ff1-ce00-000000000000, UserType=4}"
],
"user.id": [
"Not Available"
],
"o365.audit.ExtendedProperties.ResultStatusDetail": [
"Success"
],
"input.type": [
"cel"
],
"client.ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"user_agent.name": [
"Mobile Safari"
],
"data_stream.type": [
"logs"
],
"o365.audit.ObjectId": [
"00000002-0000-0ff1-ce00-000000000000"
],
"tags": [
"preserve_original_event",
"forwarded",
"o365-cel"
],
"event.provider": [
"AzureActiveDirectory"
],
"event.code": [
"AzureActiveDirectoryStsLogon"
],
"agent.id": [
"122e2782-81d0-447d-bfef-34dc2c293c6e"
],
"o365.audit.AzureActiveDirectoryEventType": [
"1"
],
"ecs.version": [
"8.11.0"
],
"o365.audit.RecordType": [
"15"
],
"organization.id": [
"99999999-9999-9999-9999-9999999999"
],
"agent.version": [
"8.14.3"
],
"o365.audit.ActorContextId": [
"99999999-9999-9999-9999-9999999999"
],
"source.as.number": [
6848
],
"o365.audit.ErrorNumber": [
"0"
],
"o365.audit.CreationTime": [
"2024-09-25T09:08:06"
],
"user_agent.os.full": [
"iOS 16.7.8"
],
"source.geo.location": [
{
"coordinates": [
3.7206,
51.047
],
"type": "Point"
}
],
"o365.audit.UserKey": [
"3e399962-2dcb-4f8a-b859-65d7d5933496"
],
"user_agent.os.name.text": [
"iOS"
],
"o365.audit.Version": [
"1"
],
"user_agent.os.name": [
"iOS"
],
"agent.type": [
"filebeat"
],
"event.module": [
"o365"
],
"related.ip": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"source.geo.country_iso_code": [
"BE"
],
"elastic_agent.snapshot": [
false
],
"o365.audit.InterSystemsId": [
"e270bb9a-86ac-971a-586d-9a35f66c0979"
],
"host.id": [
"99999999-9999-9999-9999-9999999999"
],
"network.type": [
"ipv6"
],
"source.as.organization.name.text": [
"Telenet BV"
],
"o365.audit.Target.Type": [
"0"
],
"elastic_agent.id": [
"122e2782-81d0-447d-bfef-34dc2c293c6e"
],
"data_stream.namespace": [
"default"
],
"o365.audit.IntraSystemId": [
"b3d78cbd-9c69-4a1e-ad80-84302e3d6e00"
],
"o365.audit.ActorIpAddress": [
"2a01:1812:1435:3a00:7878:bc52:41f2:56f4"
],
"source.as.organization.name": [
"Telenet BV"
],
"source.geo.continent_name": [
"Europe"
],
"o365.audit.ExtendedProperties.RequestType": [
"SAS:EndAuth"
],
"o365.audit.Target.ID": [
"00000002-0000-0ff1-ce00-000000000000"
],
"o365.audit.UserType": [
"4"
],
"user_agent.device.name.text": [
"iPhone"
],
"user_agent.os.full.text": [
"iOS 16.7.8"
],
"event.action": [
"UserLoggedIn"
],
"event.ingested": [
"2024-09-25T09:15:46Z"
],
"o365.audit.ResultStatus": [
"Success"
],
"@timestamp": [
"2024-09-25T09:08:06.000Z"
],
"user_agent.name.text": [
"Mobile Safari"
],
"data_stream.dataset": [
"o365.audit"
],
"event.type": [
"info",
"start",
"access"
],
"agent.ephemeral_id": [
"71ba93f0-e1ca-44b7-8f78-ff120cce8729"
],
"o365.audit.DeviceProperties.Value": [
"Ios",
"Safari"
],
"event.id": [
"b3d78cbd-9c69-4a1e-ad80-84302e3d6e00"
],
"source.geo.country_name": [
"Belgium"
],
"user_agent.device.name": [
"iPhone"
],
"event.dataset": [
"o365.audit"
],
"o365.audit.Actor.ID": [
"3e399962-2dcb-4f8a-b859-65d7d5933496"
]
}
}

@willemri willemri added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Sep 25, 2024
@w0rk3r w0rk3r changed the title [email protected] [Rule Tuning] Microsoft 365 Impossible travel activity Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE
Projects
None yet
Development

No branches or pull requests

2 participants