[Rule Tuning] Suspicious Microsoft 365 UserLoggedIn via OAuth Code #4838

@eriroley

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

This rule specifically only looks at indexes that match "logs-o365.audit-default*".
So that this can be used when folks are saving logs to different namespaces, this should be changed to:

query = ''' from logs-o365.audit-*

Example Data

No response
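As an added example (not part of the issue or of the detection-rules repository), a small Python check for this data-quality problem: it lints an ES|QL FROM clause for a data-stream namespace pinned to a fixed value such as `default` and lists which sample streams a given pattern would fail to read. The query text and stream names are constructed for illustration, not taken from the rule.

```python
"""Lint ES|QL FROM clauses in detection rules for hard-coded data-stream namespaces."""
import fnmatch
import re
from typing import NamedTuple

# Elastic data-stream naming: <type>-<dataset>-<namespace>, e.g. logs-o365.audit-default
DATA_STREAM_RE = re.compile(r"^(?P<type>[^-]+)-(?P<dataset>[^-]+)-(?P<namespace>.+)$")
# Leading FROM clause of an ES|QL query; the source list runs up to the first pipe.
FROM_RE = re.compile(r"^\s*from\s+(?P<sources>[^|]+)", re.IGNORECASE | re.MULTILINE)


class Finding(NamedTuple):
    source: str       # index pattern as written in the rule
    namespace: str    # the namespace part that is pinned
    suggestion: str   # pattern that reads every namespace of that dataset


def from_sources(query: str) -> list[str]:
    """Return the comma-separated index patterns named in the query's FROM clause."""
    match = FROM_RE.search(query)
    if not match:
        return []
    return [s.strip() for s in match.group("sources").split(",") if s.strip()]


def hardcoded_namespaces(query: str) -> list[Finding]:
    """Flag sources whose namespace part is anything other than a bare wildcard."""
    findings = []
    for source in from_sources(query):
        match = DATA_STREAM_RE.match(source)
        if match is None or match.group("namespace") == "*":
            continue
        suggestion = f"{match.group('type')}-{match.group('dataset')}-*"
        findings.append(Finding(source, match.group("namespace"), suggestion))
    return findings


def uncovered_streams(pattern: str, streams: list[str]) -> list[str]:
    """Data streams the pattern would NOT read (fnmatch stands in for index-pattern wildcards)."""
    return [s for s in streams if not fnmatch.fnmatchcase(s, pattern)]


# Constructed samples: the rule's current FROM clause, the proposed one, and some tenant namespaces.
CURRENT_QUERY = 'from logs-o365.audit-default*\n| where event.action == "UserLoggedIn"'
TUNED_QUERY = 'from logs-o365.audit-*\n| where event.action == "UserLoggedIn"'
SAMPLE_STREAMS = ["logs-o365.audit-default", "logs-o365.audit-prod", "logs-o365.audit-tenant_b"]

if __name__ == "__main__":
    for f in hardcoded_namespaces(CURRENT_QUERY):
        print(f"{f.source}: namespace '{f.namespace}' is pinned, use {f.suggestion}")
    print("missed by current pattern:", uncovered_streams("logs-o365.audit-default*", SAMPLE_STREAMS))
```

Running the check over every rule TOML's `query` field gives a repeatable way to catch this class of coverage gap before a rule ships.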
