[New Hunt] Potential Spoofed microsoftonline.com via Fuzzy Match

[terrancedejesus]

Pull Request

Issue link(s):

• https://github.com/elastic/ia-trade-team/issues/642

Summary - What I changed

Adds a new hunt for potentially spoofed MSFT domains related to recent VOID BLIZZARD activity. Note that this hunt will need to be adjusted based on the environment it runs in as scores will vary depending on volume of documents.

How To Test

• Can be used in TRADE stack against spoofed-domains-test-v2 index

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[github-actions]

Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

• Detailed description of the Hunt.
• Link related issues or PRs.
• Include references.
• Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

• author: The name of the individual or organization authoring the rule.
• uuid: Unique UUID.
• name and description are descriptive and typo-free.
• language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
• query is inclusive, not overly exclusive, considering performance for diverse environments.
• integration aligns with the index. Ensure updates if the integration is newly introduced.
• notes includes additional information regarding data collected from the hunting query.
• mitre matches appropriate technique and sub-technique IDs that hunting query collect's data for.
• references are valid URL links that include information relevenat to the hunt or threat.
• license

Testing and Validation

• Evidence of testing and valid query usage.
• Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
• Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
• Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.

[w0rk3r]

Awesome/creative one 🔥