OFFICE 365 — MITRE Enriched Events Using Wazuh Detection Rules

SOCFortress
4 min read · May 21, 2022

Intro

Wazuh includes an integration to ingest Office 365 events and alerts using Python.

Full instructions on how to enable this integration can be found in this blog entry on Wazuh’s website.

MITRE offers the “Office 365 Matrix” as part of its cloud matrices (more info here):

MITRE Office 365 Matrix

Enriching Office 365 Events using Wazuh Detection Rules

Our GitHub repo includes an XML file with detection rules that map Office 365 workloads, operations and LogonError codes (operation = UserLoginFailed) to TTPs as detailed in the MITRE matrix.

Visualizations and Events in SOCFortress Platform

Once events have been ingested and enriched, our MITRE dashboard for Office 365 events displays summaries and event details grouped by MITRE TTPs:

OFFICE 365 — SUMMARY OF TACTICS AND TECHNIQUES

Office 365 Operation and TTPs

O365 Operation: UserLoggedIn — T1078
O365 Operation: Update group. — T1484
O365 Operation: Update user. — T1484
O365 Operation: Delete group. — T1484
O365 Operation: Add user. — T1136
O365 Operation: Add member to group. — T1098
O365 Operation: Add registered owner to device. — T1098
O365 Operation: Add registered users to device. — T1098
O365 Operation: Change user password. — T1098
O365 Operation: ReportingAccessed — T1083
O365 Operation: FileVisited — T1083
O365 Operation: TeamsSessionStarted — T1137
O365 Operation: Update device. — T1098
O365 Operation: MemberRemoved — T1098
O365 Operation: TeamSettingChanged — T1484
O365 Operation: ViewReport — T1083
O365 Operation: ThreadViewed — T1083
O365 Operation: LaunchPowerApp — T1137
O365 Operation: ListForms — T1083
O365 Operation: FileDownloaded — T1105
O365 Operation: FileCreated — T1204
O365 Operation: Add device. — T1098
O365 Operation: EditForm — T1565
O365 Operation: ViewForm — T1083
O365 Operation: MemberAdded — T1069
O365 Operation: ExportForm — T1567
O365 Operation: MessageCreation — T1114
O365 Operation: MessageUpdated — T1114
O365 Operation: UserSubmissionTriage — T1566
O365 Operation: MessageCreatedHasLink — T1189
O365 Operation: CreateResponse — T1114
O365 Operation: MeetingDetail — T1137
O365 Operation: PreviewForm — T1567
O365 Operation: ViewRuntimeForm — T1567
O365 Operation: MeetingParticipantDetail — T1137
O365 Operation: MessageUpdatedNotification — T1137
O365 Operation: SubscribedToMessages — T1137
O365 Operation: RunEmailSubscription — T1137
O365 Operation: AnalyzedByExternalApplication — T1526
O365 Operation: AppInstalled — T1518
O365 Operation: AuthorizeCustomTag — T1078
O365 Operation: Change user license. — T1098
O365 Operation: ConnectFromExternalApplication — T1518
O365 Operation: CreateDataset — T1213
O365 Operation: CreateGatewayClusterDatasource — T1518
O365 Operation: CreateReport — T1213
O365 Operation: CustomFieldOrLookupTableModified — T1518
O365 Operation: DeleteDataset — T1564
O365 Operation: DeleteReport — T1564
O365 Operation: DlpRuleMatch — T1213
O365 Operation: DLPRuleUndo — T1213
O365 Operation: DownloadReport — T1213
O365 Operation: EditDataset — T1213
O365 Operation: EditFlow — T1213
O365 Operation: EditForm — T1213
O365 Operation: ExportArtifact — T1213
O365 Operation: ExportReport — T1213
O365 Operation: GenerateDataflowSasToken — T1528
O365 Operation: GenerateScreenshot — T1213
O365 Operation: GetAllGatewayClusterDatasources — T1526
O365 Operation: Get-ComplianceSearchAction — T1526
O365 Operation: Get-CSSimpleUrlConfiguration — T1526
O365 Operation: Get-CsTeamsUpgradeOverridePolicy — T1526
O365 Operation: GetGatewayClusterDatasourceStatus — T1526
O365 Operation: GetGatewayClusters — T1526
O365 Operation: GetGatewayClusterStatus — T1526
O365 Operation: GetGatewayClusterSupportedDatasources — T1526
O365 Operation: GetGatewayRegions — T1526
O365 Operation: Get-QuarantineMessage — T1526
O365 Operation: Get-QuarantineMessageHeader — T1526
O365 Operation: GetSnapshots — T1526
O365 Operation: GetWorkspaces — T1526
O365 Operation: Import — T1213
O365 Operation: InsightGenerated — T1213
O365 Operation: MemberRoleChanged — T1098
O365 Operation: MessageDeleted — T1564
O365 Operation: MessageEditedHasLink — T1114
O365 Operation: MessageHostedContentRead — T1213
O365 Operation: ProjectAccessed — T1213
O365 Operation: ProjectCheckedIn — T1213
O365 Operation: ProjectCheckedOut — T1213
O365 Operation: ProjectPublished — T1213
O365 Operation: PublishPowerApp — T1213
O365 Operation: QuarantineViewMessageHeader — T1114
O365 Operation: RefreshDataset — T1213
O365 Operation: SearchDataInsightsSubscription — T1213
O365 Operation: SearchMtpRoleInfo — T1526
O365 Operation: SearchMtpStatus — T1526
O365 Operation: SetScheduledRefresh — T1526
O365 Operation: StreamEditUserSettings — T1078
O365 Operation: StreamInvokeChannelView — T1137
O365 Operation: StreamInvokeGetTranscript — T1213
O365 Operation: StreamInvokeVideoSetLink — T1213
O365 Operation: StreamInvokeVideoThumbnailUpload — T1213
O365 Operation: StreamInvokeVideoUpload — T1213
O365 Operation: StreamInvokeVideoView — T1137
O365 Operation: TabUpdated — T1213
O365 Operation: TeamCreated — T1078
O365 Operation: Update StsRefreshTokenValidFrom Timestamp. — T1528
O365 Operation: UpdateApp — T1137
O365 Operation: UpdatedUserMyAnalyticsSettings — T1078
O365 Operation: UpdateFormSetting — T1213
O365 Operation: UpdatePowerApp — T1213
O365 Operation: ViewDashboard — T1213
O365 Operation: ViewedSearchExported — T1213
O365 Operation: ViewResponse — T1213
O365 Operation: HeartBeat — T1538
O365 Operation: Delete user. — T1531
O365 Operation: DeleteDatasetRows — T1213
O365 Operation: Device no longer compliant. — T1552
O365 Operation: Disable account. — T1531
O365 Operation: UserSubmission — T1114
O365 Operation: AlertEntityGenerated — T1562
O365 Operation: AlertTriggered — T1562
O365 Operation: BindMonikersToDatasources — T1213
O365 Operation: Delete device. — T1531
O365 Operation: GenerateCustomVisualAADAccessToken — T1087
O365 Operation: GetSummaryLink — T1213
O365 Operation: OptInForPPUTrial — T1213
O365 Operation: OptInForProTrial — T1213
O365 Operation: Remove users strong authentication phone app detail. — T1552
O365 Operation: UserLoginFailed — T1078

LogonError Codes and TTPs

IdsLocked — T1606
UserStrongAuthClientAuthNRequiredInterrupt — T1606
DeviceAuthenticationFailed — T1528
PasswordResetRegistrationRequiredInterrupt — T1606
SsoArtifactExpiredDueToConditionalAccess — T1606
AuthenticationFailedSasError — T1087
UserStrongAuthClientAuthNRequired — T1552
InvalidGrantDeviceNotFound — T1528
MisconfiguredApplicationWithReasonsListed — T1526
SsoArtifactRevoked — T1606
SsoUserAccountNotFoundInResourceTenant — T1087
UserDisabled — T1606
FlowTokenExpired — T1528
UserStrongAuthEnrollmentRequiredInterrupt — T1552
MessagePromptInterrupt — T1552
InvalidReplyTo — T1539
MissingSigningKeyCertificateNotConfigured — T1539
NotAllowedTenantRestrictedTenant — T1087
DeviceAuthenticationRequired — T1606
PassThroughUserMfaError — T1087
UserStrongAuthEnrollmentRequired — T1621
BrokerAppNotInstalledDeviceAuthenticationFailed — T1606
DeviceIsDisabled — T1606
AdminConsentRequired — T1087
GuestUserInPendingState — T1087
InvalidResourceServicePrincipalNotFound — T1087
RequestExceededGatewayTimeout — T1087
TriggerBrowserCapabilitiesInterrupt — T1539
FreshTokenNeeded — T1528
UnauthorizedClientDoesNotMatchRequest — T1087
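
The enrichment logic behind the two listings above, as an added Python example (not code from SOCFortress's rule file or from Wazuh). The pairs are a subset copied from the listings, the sample records are constructed, the function names are hypothetical, and returning the operation's technique together with the LogonError's technique in one list is an assumption made for illustration.

```python
from collections import Counter

# Subset of the two listings above, copied as (name, technique) pairs.
OPERATION_TTPS = [
    ("UserLoggedIn", "T1078"), ("Update user.", "T1484"), ("FileDownloaded", "T1105"),
    ("EditForm", "T1565"), ("EditForm", "T1213"), ("UserLoginFailed", "T1078"),
]
LOGON_ERROR_TTPS = [("IdsLocked", "T1606"), ("FlowTokenExpired", "T1528")]

def build_index(pairs):
    """Map name -> ordered technique IDs; a name listed twice keeps both."""
    index = {}
    for name, tid in pairs:
        index.setdefault(name, {})[tid] = None  # dict keeps order, drops repeats
    return {name: list(ids) for name, ids in index.items()}

def conflicts(index):
    return sorted(n for n, ids in index.items() if len(ids) > 1)

OPS, ERRS = build_index(OPERATION_TTPS), build_index(LOGON_ERROR_TTPS)

def enrich(event):
    """Technique IDs for one audit record (Operation / LogonError keys)."""
    op = event.get("Operation", "")
    ids = list(OPS.get(op, []))  # exact match: "Update user." keeps its period
    if op == "UserLoginFailed":  # LogonError codes are mapped only for failed logins
        ids += [t for t in ERRS.get(event.get("LogonError", ""), []) if t not in ids]
    return ids

def summarize(events):
    """Count events per technique and collect operations with no mapping."""
    per_ttp, unmapped = Counter(), Counter()
    for ev in events:
        ids = enrich(ev)
        per_ttp.update(ids)
        if not ids:
            unmapped[ev.get("Operation", "<missing>")] += 1
    return per_ttp, unmapped

# Constructed sample records (not real tenant data).
SAMPLE = [
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed", "LogonError": "IdsLocked"},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn", "LogonError": "IdsLocked"},
    {"Workload": "AzureActiveDirectory", "Operation": "Update user."},
    {"Workload": "SharePoint", "Operation": "FileDownloaded"},
    {"Workload": "SharePoint", "Operation": "FileRenamed"},  # not in the listing above
]
```

`conflicts(OPS)` surfaces names that the listing maps to two techniques (EditForm here), and the `unmapped` counter from `summarize` shows which operations reach the dashboard without a TTP.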

Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).