diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index a74a09a64a1..ab55cbd1ee6 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "ES|QL not available until 8.13.0 in technical preview."
 min_stack_version = "8.13.0"
-updated_date = "2024/09/05"
+updated_date = "2024/09/25"
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -65,6 +65,10 @@ from logs-o365.audit-*
 "UserStrongAuthExpired", "CmsiInterrupt"
 )
+
+ // ignore unavailable
+ and o365.audit.UserId != "Not Available"
+
 // filters out non user or application logins based on target
 and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
index 90a2a6af29f..2f593839be0 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,8 @@ event.dataset: "o365.audit"
 and event.provider: "AzureActiveDirectory"
 and event.action: "UserLoggedIn"
 and event.outcome: "success"
+ and not o365.audit.UserId: "Not Available"
+ and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
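Review bot: The added `and o365.audit.UserId != "Not Available"` in the ES|QL `where` clause also discards every event in which `o365.audit.UserId` is absent, because an ES|QL comparison against a null field evaluates to null and `where` treats null as false; that is likely acceptable for a rule keyed on user, but it is a second, silent exclusion that the comment `// ignore unavailable` does not describe. I would widen the comment to name the literal and the side effect, e.g. `// drop events whose UserId is the "Not Available" placeholder (presumably what the audit log emits when no user is resolved); events with no UserId at all are removed here as well`. The enclosing `where` clause and the query itself start before the hunk, so whether an earlier `is not null` guard already covers this cannot be seen from here.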
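Review bot: The KQL line `and not o365.audit.UserId: "Not Available"` keeps events in which `o365.audit.UserId` is missing altogether (a `not` over a non-matching term is true), whereas the companion ES|QL change in the brute-force rule's `!=` comparison removes them, so the three rules now treat an unset UserId differently; the same two lines are added to the rare-location rule in the next file. If the intent is to exclude unresolved users everywhere, add `and o365.audit.UserId: *` beside the new line (and mirror it in the rare-location rule), otherwise document the asymmetry. The `Target.Type` allowlist repeats the ES|QL rule's literal list but, KQL having no comment syntax, carries no explanation here; the rule's `description` or `note` field is the place to state which target types those values stand for. The enclosing `query = '''` assignment starts before the hunk.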
diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
index 7f247112265..7edab168de5 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 [rule]
 author = ["Elastic"]
@@ -34,6 +34,8 @@ event.dataset: "o365.audit"
 and event.provider: "AzureActiveDirectory"
 and event.action: "UserLoggedIn"
 and event.outcome: "success"
+ and not o365.audit.UserId: "Not Available"
+ and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''