Update o365_multiple_os_vendors_authenticating_from_user.yml

nterl0k · web-flow · commit fab070785ce4 · 2025-02-02T12:43:45.000-05:00
update to new yaml spec / update search yaml for better readability / remove single quote in SPL issues
diff --git a/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
@@ -7,16 +7,17 @@ status: production
 type: TTP
 description: The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Usage of the tools like "MFASweep" will trigger this detection.
 data_source: 
-- O365
-search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
-| eval -time = _time
-| bin _time span=15m
-| stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by  ClientIP, UserId, _time
-| where os_count >= 4
-| eval src = ClientIP, user = UserId
-| `security_content_ctime(firstTime)` 
-| `security_content_ctime(lastTime)`
-| `o365_multiple_os_vendors_authenticating_from_user_filter`'
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
+  | eval -time = _time
+  | bin _time span=15m
+  | stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by  ClientIP, UserId, _time
+  | where os_count >= 4
+  | eval src = ClientIP, user = UserId
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_multiple_os_vendors_authenticating_from_user_filter`
 how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique OS) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
 known_false_positives: IP or users where the usage of multiple Operating systems is expected, filter accordingly. 
 references:
@@ -37,35 +38,25 @@ drilldown_searches:
   search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: The user account $user$ authenticated with $os_count$ unique operating system types over a short period from $src$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 60
+  threat_objects:
+  - field: src
+    type: ip_address
 tags:
   analytic_story: 
   - Office 365 Account Takeover
   asset_type: O365 Tenant
-  confidence: 75
-  impact: 80
-  message: The user account $user$ authenticated with $os_count$ unique operating system types over a short period from $src$.
   mitre_attack_id: 
   - T1110
-  observable: 
-  - name: src
-    type: IP Address
-    role:
-    - Attacker
-  - name: user
-    type: User
-    role:
-    - Victim
   product: 
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields: 
-  - _time
-  - Operation
-  - ClientIP
-  - UserId
-  - OS
-  risk_score: 60
   security_domain: threat
 tests:
 - name: True Positive Test
