
[New Rule] Microsoft 365 - Site Collection Admin Added

Open austinsonger opened this issue 4 years ago • 6 comments

Description

Identifies when a site collection administrator has been added.

Required Info

Target indexes

filebeat-*, logs-o365*

Platforms

Microsoft 365

Optional Info

Query

event.dataset:o365.audit and event.provider:(SharePoint or OneDrive) and event.category:web and event.action:SiteCollectionAdminAdded and event.outcome:success

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

ATTACK TACTIC Credential Access, Persistence

ATTACK TECHNIQUE Account Manipulation

References

austinsonger avatar Jul 18 '21 00:07 austinsonger
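The conditions of the query proposed in this issue, evaluated over constructed events, as an added example that is not part of the original issue or of the detection-rules project. The sample events, user names and helper names (`get_field`, `has_value`, `matches_rule`, `alerts`) are assumptions; matching is exact, and each field may arrive nested or flattened, scalar or array.

```python
# Constructed ECS-shaped sample events (not real audit data).
SAMPLE_EVENTS = [
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
               "action": "SiteCollectionAdminAdded", "outcome": "success"},
     "user": {"id": "admin1@example.com"}},
    # Same fields as flattened dotted keys, with a scalar category.
    {"event.dataset": "o365.audit", "event.provider": "OneDrive",
     "event.category": "web", "event.action": "SiteCollectionAdminAdded",
     "event.outcome": "success", "user.id": "admin2@example.com"},
    # Failed attempt: excluded by the event.outcome:success condition.
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
               "action": "SiteCollectionAdminAdded", "outcome": "failure"},
     "user": {"id": "user3@example.com"}},
    # Unrelated SharePoint activity: excluded by the event.action condition.
    {"event": {"dataset": "o365.audit", "provider": "SharePoint", "category": ["web"],
               "action": "FileAccessed", "outcome": "success"},
     "user": {"id": "user4@example.com"}},
]

# The five conditions of the proposed query, all of which must hold.
CONDITIONS = [
    ("event.dataset", {"o365.audit"}),
    ("event.provider", {"SharePoint", "OneDrive"}),
    ("event.category", {"web"}),
    ("event.action", {"SiteCollectionAdminAdded"}),
    ("event.outcome", {"success"}),
]

def get_field(event, dotted):
    """Resolve a dotted field name against flattened keys or nested objects."""
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def has_value(event, field, allowed):
    """True when the field, scalar or array, holds any allowed value."""
    value = get_field(event, field)
    values = value if isinstance(value, list) else [value]
    return any(v in allowed for v in values)

def matches_rule(event):
    return all(has_value(event, f, allowed) for f, allowed in CONDITIONS)

def alerts(events):
    """Return the events that would raise the proposed alert."""
    return [e for e in events if matches_rule(e)]
```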

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Sep 16 '21 01:09 botelastic[bot]

I'm just leaving a comment for activity.

austinsonger avatar Sep 16 '21 01:09 austinsonger

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Nov 29 '21 04:11 botelastic[bot]

Just keeping it open.

austinsonger avatar Nov 30 '21 04:11 austinsonger

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Jan 29 '22 04:01 botelastic[bot]

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] avatar Feb 05 '22 04:02 botelastic[bot]