Office365 is a popular application productivity suite that enables organizations to accelerate communication and business processes. With Office365’s popularity, it has become a common attack vector for malicious actors and insider threats. As a result, Devo provides out-of-the-box detections to help organizations to understand possible attack vectors and ways to protect their office365 data.
| Expand |
|---|
| Expand |
|---|
| title | 365 Sus Mailbox Delegation |
|---|
|
Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules |
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. This detection is triggered when a user reports an email as malware or phishing in Office 365. Source table ➝ cloud.office365.management.securitycompliancecenter |
|
Identifies a password spraying attempt. Source table → cloud.office365 |
| Expand |
|---|
| title | SecOpsUnusualFileDownloadO365 |
|---|
|
This policy profiles your environment and triggers alerts when users perform multiple file download activities in a single session with respect to the baseline learned. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsGroupMembershipModifiedO365 |
|---|
|
Group Membership Modified. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsMaliciousOAuthAppConsentO365 |
|---|
|
This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsAdministrativeActivityFromNonCorporateIPO365 |
|---|
|
Alert when an admin user performs an administrative activity from an IP address that is not included in the corporate IP address range category. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsAnomalousBehaviorDiscoveredUsersO365 |
|---|
|
Alert when anomalous behavior is detected in discovered users and apps, such as: large amounts of uploaded data compared to other users, large user transactions compared to the user's history. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsMFADisabledAlertO365 |
|---|
|
Alerts when mfa is disabled for an account. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsUnusualFileDeletionActivityO365 |
|---|
|
This policy profiles your environment and triggers alerts when users perform multiple file deletion activities in a single session with respect to the baseline learned. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsCDIocIpSuspiciousO365Data |
|---|
|
This search looks for Collective Defense matches in o365 data. Source table → cloud.office365.management |
| Expand |
|---|
| title | SecOpsO365UserPasswordReset |
|---|
|
This alert looks for users that have reset their o365 account passwords. Source table → cloud.office365 |
| Expand |
|---|
| title | SecOpsCloudDiscoveryAnomalyDetectionO365 |
|---|
|
This policy is automatically enabled to alert you when anomalous behavior is detected in discovered users, IP addresses and services, such as: large amounts of uploaded data upload compared to other users, large service transactions compared to the service's history. Source table → cloud.office365.management.exchangesiem_agent_event |
| Expand |
|---|
| title | New Federated DomainSecOpsO365NewFederatedDomain |
|---|
|
The addition of a new Federated domain may be a normal activity. However, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities. Source table → cloud.office365.management.exchange |
| Expand |
|---|
| title | SecOpsMultipleStorageDeletionActivitiesO365 |
|---|
|
This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsPermissionsAddedMailboxFolderO365 |
|---|
|
Permissions added to Mailbox or Mailbox Folder. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsMultipleDeleteVMO365 |
|---|
|
This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsO365MailboxAuditBypass |
|---|
|
The mailbox audit is responsible for logging specified mailbox events. Attackers may attempt to bypass this mechanism to conceal actions taken. Source table → cloud.office365.management.exchange |
| Expand |
|---|
| title | SecOpsMultipleVMCreationActivitiesO365 |
|---|
|
This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session with respect to the baseline learned. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | Excessive SSO Login FailuresSecOpsUnusualAdministrativeActivityO365 |
|---|
|
This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session with respect to the baseline learned. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsO365ExcessiveAuthFailureAttempts |
|---|
|
Adversaries may use brute - force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Source table → cloud.office365.management.azureactivedirectory |
| Expand |
|---|
| title | Excessive Auth Failure AttemptsSecOpsO365PSTExportAlert |
|---|
|
This detection is triggered when a user account attempts an excessive number of authentication attempts with a failed status result in a short time windowhas performed an Ediscovery or exported a pst file with sensitive information. Source table → cloud.office365.management |
| Expand |
|---|
| title | SecOpsO365BypassMFAviaIP |
|---|
|
This activity is not necessarily malicious. However, these events need to be followed closely. Attackers are often known to use this technique so that they can bypass the MFA system. Source table → cloud.office365.management |
| Expand |
|---|
| title | SecOpsImpossibleTravelO365 |
|---|
|
This policy triggers when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsO365SuspiciousAdminEmailForwarding |
|---|
|
This detection is triggered when a user has configured several forwarding rules to the same email address. Source table → cloud.office365.management |
| Expand |
|---|
| title | SecOpsSuspiciousInboxForwardingO365 |
|---|
|
Suspicious inbox forwarding. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsActivityPerformedByTerminatedUserO365 |
|---|
|
Activity performed by terminated user. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsDataExfiltrationToUnsanctionedAppsO365 |
|---|
|
This policy is automatically enabled to alert you when a user or IP address is using an app that is not sanctioned to perform an activity that might be an attempt to exfiltrate information from your organization. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsO365UserPasswordChange |
|---|
|
Detection based on password changes that occur within an hour. Source table → cloud.office365 |
| Expand |
|---|
| title | SecOpsArrowAdminFailedLogonO365 |
|---|
|
A member of Arrow Admin has failed to log on. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsO365AddedServicePrincipal |
|---|
|
This activity is not necessarily malicious. However, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities. Source table → cloud.office365.management.azureactivedirectory |
| Expand |
|---|
| title | Disable MFA | SecOpsRansomwareActivityO365 |
|---|
|
Ransomware Activity Detected - If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsO365DisableMFA |
|---|
|
Adversaries may modify authentication mechanisms and processes to access user credentials, bypass authentication mechanisms or enable otherwise unwarranted access to accounts. Source table → cloud.office365.management.azureactivedirectory |
| Expand |
|---|
| This activity is not necessarily malicious. However, these events need to be followed closely. Attackers are often known to use this technique so that they can bypass the MFA system.| SecOpsSuspiciousOAuthAppFileDownloadO365 |
|
This policy scans the OAuth apps connected to your environment and triggers an alert when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is uncommon for the user. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsActivityAnonymousIPAddressesO365 |
|---|
|
This alert shows a anonymous IP detection made by MCAS Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsO365PhishAttempt |
|---|
|
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Source table → cloud.office365.management.securitycompliancecenter |
| Expand |
|---|
| title | Added Service PrincipalSecOpsO365ImpossibleTravel |
|---|
|
This detection is triggered when new Service Principal credentials have been added in Azurewill identify users that have had successful logins in two geographically different locations within an hour. Source table → cloud.office365.management.azureactivedirectory |
| Expand |
|---|
| title | Mailbox Audit Bypass |
|---|
| The mailbox audit is responsible for logging specified mailbox events. Attackers may attempt to bypass this mechanism to conceal actions taken| SecOpsO365SusMailboxDelegation |
|
Adversaries may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules. Source table → cloud.office365.management.exchange |
| Expand |
|---|
| title | SecOpsO365PSTExportAlertSecOpsUnusualImpersonatedActivityO365 |
|---|
|
This detection is triggered when a user has performed an Ediscovery or exported a pst file with sensitive informationpolicy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session with respect to the baseline learned. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsAzureADThreatIntelligenceO365 |
|---|
|
This detection indicates user activity consistent with known attack patterns Azured TI. Source table → cloud.office365.managementsiem_agent_alert |
| Expand |
|---|
| title | SecOpsO365SuspiciousAdminEmailForwardingSecOpsActivityInfrequentCountryO365 |
|---|
|
This detection is triggered when a user has configured several forwarding rules to the same email addresspolicy profiles your environment and triggers alerts when activity is detected from a location that was not recently or never visited by the user or by any user in the organization. Source table → cloud.office365.managementsiem_agent_alert |
| Expand |
|---|
| title | SecOpsActivityAnonymousIPAddressesO365SecOpsSuspiciousEmailDeletionActivityO365 |
|---|
|
This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address and may be used for malicious intenta user performs suspicious email deletion activities in a single session, which could indicate an attempted breach. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsAWSInstancesCreatedOrDeletedO365 |
|---|
|
Alert notification for AWS Instances Created or Deleted.. Source table → cloud.office365.siem_agent_event |
| Expand |
|---|
| title | SecOpsSuspiciousInboxManipulationRuleO365 |
|---|
|
A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization. Source table → cloud.office365.siem_agent_alertevent |
| Expand |
|---|
| title | SecOpsActivityAnonymousIPAddressesO365SecOpsActivityFromAnonymousIPO365 |
|---|
|
This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address and may be used for malicious intent. Source table → cloud.office365.siem_agent_alert |
| Expand |
|---|
| title | SecOpsGroupMembershipModifiedO365 |
|---|
| Group Membership Modified| SecOpsO365ExcessiveSSOLoginFailures |
|
Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Source table → cloud.office365.siem_agent_eventmanagement.azureactivedirectory |
| Expand |
|---|
| title | SecOpsDataExfiltrationToUnsanctionedAppsO365 |
|---|
| Detects attempts to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS)| SecOpsMalwareDetectionO365 |
|
This detection scans files in your cloud apps and runs suspicious files through Microsoft’s threat intelligence engine to determine whether they are associated with known malware. Source table → cloud.office365.siem_agent_event |
