IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [7.11] Detections and Alerts Prebuilt rule reference
« Microsoft 365 Exchange Management Group Role Assignment Microsoft 365 Exchange Safe Link Policy Disabled »

Microsoft 365 Exchange Safe Attachment Rule Disablededit

Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-o365*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Microsoft 365
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

Investigation guideedit

The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:o365.audit and event.provider:Exchange and
event.category:web and event.action:"Disable-SafeAttachmentRule" and
event.outcome:success

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 2 (7.11.2 release)
  • Formatting only
« Microsoft 365 Exchange Management Group Role Assignment Microsoft 365 Exchange Safe Link Policy Disabled »