Commit 775402f

Merge pull request #3618 from 0xC0FFEEEE/bec_rule_threshold
O365 BEC Email Hiding Rule Created (again)
2 parents b62c21b + e9735eb commit 775402f

File tree

1 file changed

+5
-4
lines changed


detections/cloud/o365_bec_email_hiding_rule_created.yml

Lines changed: 5 additions & 4 deletions
@@ -1,7 +1,7 @@
11
name: O365 BEC Email Hiding Rule Created
22
id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
3-
version: 3
4-
date: '2025-07-01'
3+
version: 4
4+
date: '2025-07-23'
55
author: '0xC0FFEEEE, Github Community'
66
type: TTP
77
status: production
@@ -18,6 +18,7 @@ search: |-
1818
| eval read_score=if(MarkAsRead="True", 1, 0)
1919
| eval folder_score=if(match(MoveToFolder, "^(RSS|Conversation History|Archive)"), 1, 0)
2020
| eval suspicious_score=entropy_score+len_score+read_score+folder_score
21+
| where suspicious_score>2
2122
| `o365_bec_email_hiding_rule_created_filter`
2223
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest
2324
Office 365 management activity events. You also need to have the Splunk TA URL
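Review bot: the added `| where suspicious_score>2` hard-codes the alert threshold without any rationale in the hunk. With read_score and folder_score each 0 or 1 (and, if entropy_score and len_score are scored the same way, which the visible lines do not show), `>2` means at least three of the four indicators must fire for a rule creation to alert; that cut-off and its effect on false positives should be stated in the detection's description or known_false_positives, and it would be easier to tune if the threshold were pulled out into a macro rather than edited in the search. Placing the `where` before the `o365_bec_email_hiding_rule_created_filter` macro is correct, so the customer filter still applies to the thresholded results.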
@@ -28,15 +29,15 @@ references:
2829
- https://attack.mitre.org/techniques/T1564/008/
2930
drilldown_searches:
3031
- name: View the detection results for - "$user$"
31-
search: '%original_detection_search% | search dest = "$user$"'
32+
search: '%original_detection_search% | search user = "$user$"'
3233
earliest_offset: $info_min_time$
3334
latest_offset: $info_max_time$
3435
- name: View risk events for the last 7 days for $user$
3536
search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
3637
earliest_offset: $info_min_time$
3738
latest_offset: $info_max_time$
3839
rba:
39-
message: Potential BEC mailbox rule was created by $user$
40+
message: Potential BEC mailbox rule - $Name$ was created by user - $user$
4041
risk_objects:
4142
- field: user
4243
type: user
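Review bot: the new rba message interpolates `$Name$`, but nothing in the visible search lines produces or carries a field named `Name` into the final results (the evals shown operate on MarkAsRead and MoveToFolder only); confirm that `Name` survives into the output, for example through a `by` clause, or the token will render empty in the risk message. The drilldown change from `dest = "$user$"` to `user = "$user$"` is the right fix, since the risk object declared below is the `user` field.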

0 commit comments
