
Office 365

Office 365 is a widely used productivity suite that lets organizations accelerate communication and business processes. Its popularity also makes it a common target for malicious actors and insider threats. Devo therefore provides out-of-the-box detections that help organizations recognize likely attack paths and protect their Office 365 data.

Identifies a password-spraying attempt: a single source trying one or a few passwords against many accounts, which shows up as failed sign-ins spread across many distinct users rather than many failures against one account.

Source table → cloud.office365
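The detection logic described above, as an added example that is not Devo's own alert definition: a sliding window per source IP counts distinct accounts with failed sign-ins, so a spray (many users, few failures each) alerts while a brute-force run against a single account does not. Field names follow the Office 365 Management Activity API (CreationTime, Operation, UserId, ClientIP, ResultStatus); the records, addresses and thresholds are constructed for the example.

```python
"""Password-spray detection over Office 365 sign-in audit records.

Added example, not Devo's detection. The records below are constructed;
only the field names follow the Office 365 Management Activity API schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_record(ts, user, ip, op, status):
    """Build one constructed audit record."""
    return {"CreationTime": ts, "Operation": op, "UserId": user,
            "ClientIP": ip, "ResultStatus": status}


SAMPLE_RECORDS = [
    # 203.0.113.7: one password tried against six accounts in four minutes,
    # then a successful sign-in as the sixth account: a spray that landed.
    make_record("2024-03-01T09:00:12", "alice@example.com", "203.0.113.7", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:00:51", "bob@example.com", "203.0.113.7", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:01:33", "carol@example.com", "203.0.113.7", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:02:10", "dave@example.com", "203.0.113.7", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:03:05", "erin@example.com", "203.0.113.7", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:04:20", "frank@example.com", "203.0.113.7", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:05:02", "frank@example.com", "203.0.113.7", "UserLoggedIn", "Success"),
    # 198.51.100.9: six failures against one account. That is brute force or a
    # forgotten password, not a spray, and must not trigger this rule.
    make_record("2024-03-01T09:00:30", "carol@example.com", "198.51.100.9", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:01:00", "carol@example.com", "198.51.100.9", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:01:30", "carol@example.com", "198.51.100.9", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:02:00", "carol@example.com", "198.51.100.9", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:02:30", "carol@example.com", "198.51.100.9", "UserLoginFailed", "Failed"),
    make_record("2024-03-01T09:03:00", "carol@example.com", "198.51.100.9", "UserLoginFailed", "Failed"),
    # Ordinary successful sign-in, unrelated to either source.
    make_record("2024-03-01T09:02:00", "alice@example.com", "192.0.2.15", "UserLoggedIn", "Success"),
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _is_failed_login(rec):
    return rec["Operation"] == "UserLoginFailed" or rec["ResultStatus"] == "Failed"


def detect_password_spray(records, window_minutes=10, min_users=5):
    """Return {client_ip: summary} for every source IP whose failed sign-ins
    cover at least min_users distinct accounts inside any window_minutes span.

    Per IP, a two-pointer sliding window keeps a Counter of the accounts
    currently inside the window, so the distinct-user count is maintained
    incrementally instead of being recomputed for every event.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for rec in records:
        if _is_failed_login(rec):
            by_ip[rec["ClientIP"]].append(rec)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=_ts)
        in_window = Counter()
        left = 0
        for right, ev in enumerate(events):
            in_window[ev["UserId"]] += 1
            # Evict events that have aged out of the window.
            while _ts(ev) - _ts(events[left]) > window:
                old = events[left]["UserId"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            # Keep the widest spread seen for this IP.
            if distinct >= min_users and distinct > alerts.get(ip, {}).get("distinct_users", 0):
                alerts[ip] = {
                    "distinct_users": distinct,
                    "failures": right - left + 1,
                    "window_start": events[left]["CreationTime"],
                    "window_end": ev["CreationTime"],
                }
    return alerts


def accounts_compromised_by_spray(records, alerts):
    """Accounts that signed in successfully from a spraying IP at or after the
    spray window began. These are the first credentials to reset."""
    hits = defaultdict(set)
    for rec in records:
        ip = rec["ClientIP"]
        if ip not in alerts:
            continue
        if rec["Operation"] == "UserLoggedIn" and rec["ResultStatus"] == "Success":
            if _ts(rec) >= datetime.fromisoformat(alerts[ip]["window_start"]):
                hits[ip].add(rec["UserId"])
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_RECORDS)
    print(found)
    print(accounts_compromised_by_spray(SAMPLE_RECORDS, found))
```

Tune `window_minutes` and `min_users` to the tenant: sprays that pace one attempt per account per hour to stay under lockout will need a longer window, and a NAT gateway fronting many legitimate users will need a higher user threshold or an allowlist of corporate egress addresses.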

This policy profiles your environment and triggers an alert when a user performs a number of file downloads in a single session that is anomalous with respect to the learned baseline.

Source table → cloud.office365.siem_agent_event
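A worked version of the profile-then-compare logic, added here as an example rather than taken from Devo's policy: historic FileDownloaded events are grouped into sessions, a per-user threshold (mean plus k standard deviations, with a floor) is learned from the session sizes, and current sessions that exceed it are flagged. The page does not define "session", so an inactivity gap is assumed as the session boundary; the records, users and thresholds are constructed.

```python
"""Baseline-relative mass-download detection over Office 365 audit records.

Added example, not Devo's policy. Records are constructed; field names follow
the Office 365 Management Activity API. Assumption: a session ends after
idle_gap_minutes without a download, since the source does not define it.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_download(ts, user, item):
    """One constructed SharePoint/OneDrive FileDownloaded record."""
    return {"CreationTime": ts.isoformat(), "Operation": "FileDownloaded",
            "Workload": "SharePoint", "UserId": user, "SourceFileName": item}


def make_burst(user, start, count, gap_seconds=20):
    """count downloads by user, one every gap_seconds starting at start."""
    return [make_download(start + timedelta(seconds=i * gap_seconds), user, f"doc-{i}.docx")
            for i in range(count)]


# Constructed history: one session per day per user.
_DAY0 = datetime(2024, 2, 1, 9, 0)
HISTORY = []
for day, n in enumerate([3, 4, 2, 5, 3, 4]):          # alice: 2 to 5 files per session
    HISTORY += make_burst("alice@example.com", _DAY0 + timedelta(days=day), n)
for day, n in enumerate([1, 2, 1, 2]):                # bob: 1 or 2 files per session
    HISTORY += make_burst("bob@example.com", _DAY0 + timedelta(days=day), n)

# Constructed current activity to score against the baseline.
TODAY = datetime(2024, 3, 1, 14, 0)
CURRENT = (
    make_burst("alice@example.com", TODAY, 40)        # 40 files in 13 minutes: anomalous
    + make_burst("bob@example.com", TODAY, 3)         # above his mean, inside the band
    + make_burst("mallory@example.com", TODAY, 12)    # no history: judged against the floor
)


def sessionize(records, idle_gap_minutes=30):
    """Return {user: [downloads_per_session, ...]} in time order, starting a
    new session whenever idle_gap_minutes pass with no download."""
    per_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] == "FileDownloaded":
            per_user[rec["UserId"]].append(datetime.fromisoformat(rec["CreationTime"]))
    gap = timedelta(minutes=idle_gap_minutes)
    sessions = {}
    for user, times in per_user.items():
        times.sort()
        counts, count, last = [], 0, None
        for t in times:
            if last is not None and t - last > gap:
                counts.append(count)
                count = 0
            count += 1
            last = t
        counts.append(count)
        sessions[user] = counts
    return sessions


def learn_baseline(history_sessions, k=3.0, floor=5):
    """Per-user threshold = mean + k * population stdev of historic session
    sizes, never below floor so a very quiet user does not alert on a handful
    of files. Population stdev is used because a user's history is the whole
    population being profiled, not a sample of it."""
    baseline = {}
    for user, counts in history_sessions.items():
        mean = statistics.mean(counts)
        sd = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[user] = max(mean + k * sd, floor)
    return baseline


def detect_mass_download(current_records, baseline, floor=5):
    """Return {user: (largest_session, threshold)} for users whose largest
    current session exceeds their threshold. Users with no history (the
    cold-start case) are compared against the floor."""
    alerts = {}
    for user, counts in sessionize(current_records).items():
        threshold = baseline.get(user, floor)
        worst = max(counts)
        if worst > threshold:
            alerts[user] = (worst, threshold)
    return alerts


if __name__ == "__main__":
    base = learn_baseline(sessionize(HISTORY))
    print(base)
    print(detect_mass_download(CURRENT, base))
```

The floor matters more than it looks: with a short or very regular history the standard deviation is near zero and mean + k*sd collapses onto the mean, so without a floor two downloads by a user who usually downloads one would alert. Conversely, an attacker who has been exfiltrating for weeks poisons the baseline; refreshing it from a window that excludes already-flagged sessions is the usual mitigation.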

Group Membership Modified.

Source table → cloud.office365.siem_agent_event

This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized.

Source table → cloud.office365.siem_agent_event

Triggers an alert when an admin user performs an administrative activity from an IP address that is not in the corporate IP address range category.

Source table → cloud.office365.siem_agent_event
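The off-network admin check above, written out as an added example that is not Devo's alert: admin accounts performing administrative operations are matched against a list of corporate CIDR ranges. The admin account list, the corporate ranges and the subset of administrative operation names are assumptions for the example, as are the records. One caveat a practitioner hits immediately is handled: the ClientIP field in Exchange audit records can carry a port suffix, in both IPv4 (`198.51.100.5:51234`) and bracketed IPv6 (`[2001:db8::1]:443`) form, and some service-initiated operations have no ClientIP at all.

```python
"""Admin activity from outside corporate IP ranges, over Office 365 audit records.

Added example, not Devo's alert. ADMIN_USERS, CORPORATE_RANGES and
ADMIN_OPERATIONS are assumptions standing in for the tenant's own lists;
the records are constructed.
"""
import ipaddress

ADMIN_USERS = {"admin@example.com", "svc-exchange@example.com"}
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:100::/48")]
# Constructed subset of administrative operation names (Entra ID / Exchange);
# a real tenant's list is far longer.
ADMIN_OPERATIONS = {"Add member to role.", "Update user.", "Set-Mailbox",
                    "New-InboxRule", "Add-MailboxPermission"}

SAMPLE_RECORDS = [
    # corporate IPv4: no alert
    {"CreationTime": "2024-03-01T10:01:00", "Operation": "Add member to role.",
     "UserId": "admin@example.com", "ClientIP": "192.0.2.44"},
    # off-network, with port suffix: alert
    {"CreationTime": "2024-03-01T10:07:00", "Operation": "New-InboxRule",
     "UserId": "svc-exchange@example.com", "ClientIP": "198.51.100.5:51234"},
    # corporate IPv6 in bracket+port form: no alert
    {"CreationTime": "2024-03-01T10:09:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com", "ClientIP": "[2001:db8:100::7]:443"},
    # admin user, but not an administrative operation: no alert
    {"CreationTime": "2024-03-01T10:12:00", "Operation": "FileAccessed",
     "UserId": "admin@example.com", "ClientIP": "203.0.113.9"},
    # administrative operation by a non-admin account: outside this rule
    {"CreationTime": "2024-03-01T10:15:00", "Operation": "Update user.",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.9"},
    # no ClientIP at all: cannot be proven corporate, so it alerts (fail closed)
    {"CreationTime": "2024-03-01T10:20:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.com", "ClientIP": ""},
]


def parse_client_ip(raw):
    """Normalize an Office 365 ClientIP value to an ip_address, or None if the
    field is empty or unparseable. Handles 'v4:port' and '[v6]:port'."""
    if not raw:
        return None
    s = raw.strip()
    if s.startswith("["):                      # [2001:db8::1]:443
        s = s[1:s.index("]")] if "]" in s else s[1:]
    elif s.count(":") == 1:                    # 198.51.100.5:51234 (a valid IPv6 has >= 2 colons)
        s = s.split(":", 1)[0]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def is_corporate(ip, ranges=CORPORATE_RANGES):
    return ip is not None and any(ip in net for net in ranges)


def detect_admin_activity_offnet(records, admin_users=ADMIN_USERS,
                                 admin_ops=ADMIN_OPERATIONS, ranges=CORPORATE_RANGES):
    """Return one alert per administrative operation by an admin account whose
    source address is missing or outside the corporate ranges."""
    alerts = []
    for rec in records:
        if rec["UserId"] not in admin_users or rec["Operation"] not in admin_ops:
            continue
        ip = parse_client_ip(rec.get("ClientIP"))
        if not is_corporate(ip, ranges):
            alerts.append({"time": rec["CreationTime"], "user": rec["UserId"],
                           "operation": rec["Operation"],
                           "client_ip": str(ip) if ip is not None else None})
    return alerts


if __name__ == "__main__":
    for a in detect_admin_activity_offnet(SAMPLE_RECORDS):
        print(a)
```

Failing closed on a missing ClientIP is a deliberate choice: for privileged operations, the cost of triaging a record Microsoft's backend generated is lower than silently skipping an admin action whose origin cannot be established. If that proves too noisy, route empty-IP records to a separate, lower-severity rule rather than dropping them.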