detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard

Published 20 hours ago verified publisher icon elastic

[New Rule] Microsoft 365 - Sharing Policy Change

Open austinsonger opened this issue 4 years ago • 6 comments

Description

Identifies when a change was made to your organization's sharing policy.

Required Info

Target indexes

filebeat-*, logs-o365*

Platforms

Microsoft 365

Optional Info

Query

event.dataset:o365.audit and event.provider:(SharePoint or OneDrive) and event.category:web and 
event.action:SharingPolicyChanged and event.outcome:success

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

ATTACK TACTIC Credential Access, Persistence ATTACK TECHNIQUE Account Manipulation

References

austinsonger avatar Jul 18 '21 00:07 austinsonger

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Sep 16 '21 01:09 botelastic[bot]

I'm just leaving a comment for activity.

austinsonger avatar Sep 16 '21 01:09 austinsonger

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Nov 29 '21 04:11 botelastic[bot]

Just keeping it open.

austinsonger avatar Nov 30 '21 04:11 austinsonger

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Jan 29 '22 04:01 botelastic[bot]

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] avatar Feb 05 '22 04:02 botelastic[bot]