Microsoft 365

Microsoft 365 (formerly Office 365) is a widely used productivity suite that organizations rely on for communication and core business processes. Because of that popularity it is a common target for malicious actors and insider threats. Devo therefore provides out-of-the-box detections that help organizations recognize likely attack vectors and protect their Microsoft 365 data.

Identifies a password spraying attempt.

Source table → cloud.office365
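The spray signature behind this detection is many distinct accounts failing from one source in a short window, with only a few guesses per account (one account hammered repeatedly is brute force, a separate rule). The script below is an added example, not Devo's rule logic; it assumes the Office 365 Management Activity API field names for Azure AD sign-in failures (CreationTime, Operation, UserId, ClientIP) and runs over constructed records.

```python
"""Password-spray detection over Office 365 sign-in failures.

Added example, not Devo's rule logic. Field names follow the Office 365
Management Activity API AzureActiveDirectory records (CreationTime,
Operation, UserId, ClientIP); the records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source IP tries one password against twelve accounts
# in the same second, while a single user mistypes their own password four times.
SPRAY_EVENTS = [
    {"CreationTime": "2024-03-01T09:00:05", "Operation": "UserLoginFailed",
     "UserId": f"user{i:02d}@contoso.example", "ClientIP": "203.0.113.7"}
    for i in range(12)
] + [
    {"CreationTime": f"2024-03-01T09:0{i}:00", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.4"}
    for i in range(4)
]


def parse_time(ts: str) -> datetime:
    """Audit timestamps are ISO 8601, sometimes with a trailing Z."""
    return datetime.fromisoformat(ts.rstrip("Z"))


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=10, max_attempts_per_user=3):
    """Return [(client_ip, distinct_users, window_start)] for source IPs whose
    failed sign-ins hit at least `min_users` distinct accounts inside `window`
    with no single account retried more than `max_attempts_per_user` times.
    """
    failures = sorted(
        (e for e in events if e.get("Operation") == "UserLoginFailed"),
        key=lambda e: e["CreationTime"])
    by_ip = defaultdict(list)
    for e in failures:
        by_ip[e["ClientIP"]].append((parse_time(e["CreationTime"]), e["UserId"].lower()))

    alerts = []
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span is at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_attempts_per_user
                    and (best is None or len(per_user) > best[1])):
                # Keep the widest qualifying window per IP: one alert per source.
                best = (ip, len(per_user), attempts[start][0])
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for ip, users, started in detect_password_spray(SPRAY_EVENTS):
        print(f"password spray from {ip}: {users} accounts, starting {started}")
```

The per-account cap is what separates this from the brute-force rules further down the list; tune `window` and `min_users` to the tenant's size, and remember that a spray spread across many source IPs (cloud proxies, residential botnets) will need the same logic keyed on the failing accounts rather than on ClientIP.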

This policy profiles your environment and triggers alerts when users perform multiple file download activities in a single session, measured against the learned baseline.

Source table → cloud.office365.siem_agent_event

Group Membership Modified.

Source table → cloud.office365.siem_agent_event

This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized.

Source table → cloud.office365.siem_agent_event

Alert when an admin user performs an administrative activity from an IP address that is not included in the corporate IP address range category.

Source table → cloud.office365.siem_agent_event

Alert when anomalous behavior is detected in discovered users and apps, such as: large amounts of uploaded data compared to other users, large user transactions compared to the user's history.

Source table → cloud.office365.siem_agent_event

Alerts when MFA is disabled for an account.

Source table → cloud.office365.siem_agent_alert

This policy profiles your environment and triggers alerts when users perform multiple file deletion activities in a single session, measured against the learned baseline.

Source table → cloud.office365.siem_agent_event

This search looks for Collective Defense matches in Office 365 data.

Source table → cloud.office365.management

This alert looks for users who have reset their Microsoft 365 account passwords.

Source table → cloud.office365

This policy is automatically enabled to alert you when anomalous behavior is detected in discovered users, IP addresses and services, such as large amounts of uploaded data compared to other users, or large service transactions compared to the service's history.

Source table → cloud.office365.siem_agent_event

The addition of a new Federated domain may be a normal activity. However, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities.

Source table → cloud.office365.management.exchange

This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session, measured against the learned baseline, which could indicate an attempted breach.

Source table → cloud.office365.siem_agent_alert

Permissions added to Mailbox or Mailbox Folder.

Source table → cloud.office365.siem_agent_event

This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session, measured against the learned baseline, which could indicate an attempted breach.

Source table → cloud.office365.siem_agent_alert

The mailbox audit is responsible for logging specified mailbox events. Attackers may attempt to bypass this mechanism to conceal actions taken.

Source table → cloud.office365.management.exchange

This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session, measured against the learned baseline.

Source table → cloud.office365.siem_agent_alert

This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session, measured against the learned baseline.

Source table → cloud.office365.siem_agent_event

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Source table → cloud.office365.management.azureactivedirectory

This detection is triggered when a user has run an eDiscovery search or exported a PST file containing sensitive information.

Source table → cloud.office365.management

This activity is not necessarily malicious. However, these events need to be followed closely: attackers commonly use this technique to bypass MFA.

Source table → cloud.office365.management

This policy triggers when activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials.

Source table → cloud.office365.siem_agent_alert

This detection is triggered when a user has configured several forwarding rules to the same email address.

Source table → cloud.office365.management

Suspicious inbox forwarding.

Source table → cloud.office365.siem_agent_event
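The two rules above (several forwarding rules to one address, and suspicious inbox forwarding in general) both reduce to the same question: which Exchange audit records set a forwarding or redirect target, and where does the mail go? The script below is an added example, not Devo's or Microsoft's rule logic. It assumes the Office 365 Management Activity API Exchange record shape (Workload, Operation, UserId and a Parameters list of Name/Value pairs), a constructed list of the tenant's own domains, and constructed events; the cmdlet and parameter names are the real Exchange Online ones.

```python
"""Mail-forwarding rule detection over Exchange cmdlet audit records.

Added example, not Devo's rule logic. Record shape follows the Office 365
Management Activity API Exchange records (Workload, Operation, UserId and a
Parameters list of Name/Value pairs); events and INTERNAL_DOMAINS are constructed.
"""
from collections import defaultdict

# Cmdlets and parameters that make mail leave a mailbox. Rules created from the
# Outlook client are logged as 'UpdateInboxRules' with a different payload
# shape and are deliberately not parsed here.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
INTERNAL_DOMAINS = {"contoso.example"}  # constructed: the tenant's own domains

RULE_EVENTS = [
    # Two rules on alice's mailbox pointing at one external address; the first
    # also deletes the message so the victim never sees it.
    {"CreationTime": "2024-03-01T11:00:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "collector@mailbox.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-01T11:02:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "RedirectTo", "Value": "collector@mailbox.example"}]},
    # Mailbox-level forwarding set by an admin on bob's mailbox: the actor is the
    # admin, the affected mailbox is the Identity parameter.
    {"CreationTime": "2024-03-01T11:10:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "bob@contoso.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mailbox.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    # Benign: forwarding to an internal team address.
    {"CreationTime": "2024-03-01T12:00:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "dave@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "to team"},
                    {"Name": "ForwardTo", "Value": "team@contoso.example"}]},
]


def _params(event):
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _normalize(addr):
    """Lower-case and strip the 'smtp:' prefix Set-Mailbox records carry."""
    addr = addr.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr


def extract_forwarding(events):
    """Yield (mailbox, operation, destination) for every forwarding target set
    through the cmdlets in RULE_OPERATIONS. Multi-value parameters are ';'-joined."""
    for e in events:
        if e.get("Workload") != "Exchange" or e.get("Operation") not in RULE_OPERATIONS:
            continue
        p = _params(e)
        mailbox = _normalize(p.get("Identity", e["UserId"]))
        for name in sorted(FORWARDING_PARAMS.intersection(p)):
            for dest in p[name].split(";"):
                if dest.strip():
                    yield mailbox, e["Operation"], _normalize(dest)


def find_suspicious_forwarding(events, internal_domains=INTERNAL_DOMAINS, min_rules=2):
    """Map each external destination to the (mailbox, operation) pairs that
    forward to it, keeping only destinations reached by `min_rules` or more
    rules. Any external target deserves a look; the same external address
    reached from several rules or mailboxes is the stronger signal."""
    by_dest = defaultdict(list)
    for mailbox, op, dest in extract_forwarding(events):
        if dest.rpartition("@")[2] not in internal_domains:
            by_dest[dest].append((mailbox, op))
    return {dest: hits for dest, hits in by_dest.items() if len(hits) >= min_rules}


if __name__ == "__main__":
    for dest, hits in find_suspicious_forwarding(RULE_EVENTS).items():
        print(f"{dest} receives mail from {len(hits)} rule(s): {hits}")
```

Two points matter in practice: for `Set-Mailbox` the victim is the `Identity` parameter, not the `UserId` that ran the cmdlet, and a tenant-wide transport rule blocking external auto-forwarding does not stop an attacker from reading mail through a rule that moves it to a hidden folder, so pair this with the inbox-rule detections listed below.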

Activity performed by terminated user.

Source table → cloud.office365.siem_agent_event

This policy is automatically enabled to alert you when a user or IP address is using an app that is not sanctioned to perform an activity that might be an attempt to exfiltrate information from your organization.

Source table → cloud.office365.siem_agent_event

Detection based on password changes that occur within an hour.

Source table → cloud.office365

A member of Arrow Admin has failed to log on.

Source table → cloud.office365.siem_agent_event

This activity is not necessarily malicious. However, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities.

Source table → cloud.office365.management.azureactivedirectory

Ransomware Activity Detected: if Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities, it may represent an adversary's encryption process.

Source table → cloud.office365.siem_agent_event

Adversaries may modify authentication mechanisms and processes to access user credentials, bypass authentication mechanisms or enable otherwise unwarranted access to accounts.

Source table → cloud.office365.management.azureactivedirectory

This policy scans the OAuth apps connected to your environment and triggers an alert when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is uncommon for the user.

Source table → cloud.office365.siem_agent_event

This alert shows an anonymous IP detection made by MCAS (Microsoft Cloud App Security).

Source table → cloud.office365.siem_agent_alert

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.

Source table → cloud.office365.management.securitycompliancecenter

This detection will identify users that have had successful logins in two geographically different locations within an hour.

Source table → cloud.office365
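Both the MCAS impossible-travel policy above and this detection ask the same question of consecutive successful sign-ins by one user: could a person have physically covered the distance between the two source locations in the time between the two events? The script below is an added example, not Devo's or Microsoft's rule logic, and goes slightly beyond the one-hour version in the text by computing the implied speed (so a two-hour gap between New York and London still fires). It assumes the Office 365 Management Activity API field names for successful sign-ins (Operation `UserLoggedIn`, UserId, ClientIP, CreationTime) and a constructed IP-to-coordinate table standing in for a GeoIP lookup.

```python
"""Impossible-travel detection over Office 365 sign-in records.

Added example, not Devo's or Microsoft's rule logic. Field names follow the
Office 365 Management Activity API sign-in records (Operation 'UserLoggedIn',
UserId, ClientIP, CreationTime); GEO and SIGNIN_EVENTS are constructed.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table: ClientIP -> (latitude, longitude, label).
GEO = {
    "203.0.113.10": (40.7128, -74.0060, "New York"),
    "198.51.100.20": (51.5074, -0.1278, "London"),
    "192.0.2.30": (39.9526, -75.1652, "Philadelphia"),
}

# Constructed sign-ins: bob 'travels' New York -> London in 45 minutes;
# carol goes New York -> Philadelphia in 20 minutes (fast, not impossible).
SIGNIN_EVENTS = [
    {"CreationTime": "2024-03-01T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-03-01T10:45:00", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.20"},
    {"CreationTime": "2024-03-01T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "carol@contoso.example", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-03-01T08:20:00", "Operation": "UserLoggedIn",
     "UserId": "carol@contoso.example", "ClientIP": "192.0.2.30"},
    # A failed attempt from London must not count as carol being in London.
    {"CreationTime": "2024-03-01T08:30:00", "Operation": "UserLoginFailed",
     "UserId": "carol@contoso.example", "ClientIP": "198.51.100.20"},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, geo=GEO, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return one alert per consecutive sign-in pair that would require the
    user to move faster than `max_speed_kmh` (roughly airliner speed).

    Pairs closer than `min_distance_km` are ignored: GeoIP places nearby cities
    and mobile-carrier egress points imprecisely, and that jitter is the main
    false-positive source for this rule. Sign-ins whose IP has no geo result are
    skipped here; a production rule should count them separately rather than drop them.
    """
    logins = defaultdict(list)
    for e in events:
        if e.get("Operation") != "UserLoggedIn" or e["ClientIP"] not in geo:
            continue
        ts = datetime.fromisoformat(e["CreationTime"].rstrip("Z"))
        logins[e["UserId"].lower()].append((ts, e["ClientIP"]))

    alerts = []
    for user, seq in logins.items():
        seq.sort()
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            lat1, lon1, place1 = geo[ip1]
            lat2, lon2, place2 = geo[ip2]
            km = haversine_km((lat1, lon1), (lat2, lon2))
            if km < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Same timestamp from two distant places: treat as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": place1, "to": place2,
                               "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(SIGNIN_EVENTS):
        print(f"{a['user']}: {a['from']} -> {a['to']}, {a['km']} km in {a['hours']} h ({a['kmh']} km/h)")
```

Only successful sign-ins are paired, because a failed attempt from abroad is a different signal (it feeds the spray and brute-force rules) and would otherwise place the legitimate user somewhere they never were. VPN concentrators and cloud proxies are the usual benign cause of hits; a corporate IP-range allow-list such as the one used by the admin-from-non-corporate-IP policy is the first thing to check before escalating.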

Adversaries may use the compromised account to send messages to other accounts in the target organization's network while creating inbox rules to hide the activity.

Source table → cloud.office365.management.exchange

This policy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session, measured against the learned baseline.

Source table → cloud.office365.siem_agent_event

This detection indicates user activity consistent with known attack patterns identified by Azure Threat Intelligence.

Source table → cloud.office365.siem_agent_alert

This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or never visited by the user or by any user in the organization.

Source table → cloud.office365.siem_agent_alert

This policy profiles your environment and triggers alerts when a user performs suspicious email deletion activities in a single session, which could indicate an attempted breach.

Source table → cloud.office365.siem_agent_alert

Alert notification for AWS instances created or deleted.

Source table → cloud.office365.siem_agent_event

A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization.

Source table → cloud.office365.siem_agent_event

This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address.

Source table → cloud.office365.siem_agent_alert

Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Source table → cloud.office365.management.azureactivedirectory

This detection scans files in your cloud apps and runs suspicious files through Microsoft’s threat intelligence engine to determine whether they are associated with known malware.

Source table → cloud.office365.siem_agent_event