# Sagan msapi-exchange-bluedot.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# These rules are for the Office 365 Management API
# https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview
#
# These rules work best with a JSON input map.  See the "msapi" mapping.  See the Sagan
# JSON documentation for more information
#
# For some reason,  Microsoft decided with the "ClientIP" to make the value inconsistent.  It might be
# 192.168.1.1 (which is great), or "[192.168.1.1]:1234" or "192.168.1.1:1231", etc.  This only allows 
# us to lookup certain types of Exchange events.   Might want to revisit this later. 

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] AddFolderPermissions from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "AddFolderPermissions"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004874; sid:5004874; rev: 1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] Copy from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "Copy"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004875; sid:5004875; rev: 1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] MailboxLogin from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "MailboxLogin"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-login; reference: url,wiki.quadrantsec.com/bin/view/Main/5004876; sid:5004876; rev: 1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] ModifyFolderPermissions from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "ModifyFolderPermissions"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004877; sid:5004877; rev: 1;)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] MoveToDeletedItems from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "MoveToDeletedItems"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004878; sid:5004878; rev: 1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] RemoveFolderPermissions from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "RemoveFolderPermissions"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004879; sid:5004879; rev: 1;)

alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] Send from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "Send"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004880; sid:5004880; rev: 1;)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] SendAs from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "SendAs"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004881; sid:5004881; rev: 1;)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] SendOnBehalf from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "SendOnBehalf"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004882; sid:5004882; rev: 1;)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[MSAPI-EXCHANGE-BLUEDOT] Update from Bluedot listed IP address"; json_content: ".Workload","Exchange"; json_content: ".Operation", "Update"; bluedot: type ip_reputation, track by_src, none, Malicious,Tor,Honeypot,Proxy; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5004883; sid:5004883; rev: 1;)