[Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Micro…

…soft 365 Rules (#4105) * tuning M365 impossible travel activity rules * added additional filters for user type logins * adjusted updated date Removed changes from: - rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml (selectively cherry picked from commit ef4e433)
elastic · Sep 28, 2024 · 9dbcf16 · 9dbcf16
1 parent 96c8366
commit 9dbcf16
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,8 @@ event.dataset: "o365.audit"
     and event.provider: "AzureActiveDirectory"
     and event.action: "UserLoggedIn"
     and event.outcome: "success"
+    and not o365.audit.UserId: "Not Available"
+    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
 
 

diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -34,6 +34,8 @@ event.dataset: "o365.audit"
     and event.provider: "AzureActiveDirectory"
     and event.action: "UserLoggedIn"
     and event.outcome: "success"
+    and not o365.audit.UserId: "Not Available"
+    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''