M365 Threat Intelligence Signal

 1[metadata]
 2creation_date = "2025/08/19"
 3integration = ["o365"]
 4maturity = "production"
 5promotion = true
 6updated_date = "2025/08/19"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365.
12Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
13"""
14false_positives = [
15    """
16    Signals are generated by Microsoft Defender for Office 365. False-positives may occur if legitimate user activity is
17    misclassified as a threat.
18    """,
19]
20from = "now-9m"
21index = ["filebeat-*", "logs-o365.audit-*"]
22language = "kuery"
23license = "Elastic License v2"
24max_signals = 1000
25name = "M365 Threat Intelligence Signal"
26references = [
27    "https://learn.microsoft.com/en-us/purview/audit-supported-services",
28    "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365",
29    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
30]
31risk_score = 47
32rule_id = "60c814fc-7d06-11f0-b326-f661ea17fbcd"
33setup = """### Additional notes
34
35For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
36"""
37severity = "medium"
38tags = [
39    "Domain: Cloud",
40    "Domain: SaaS",
41    "Data Source: Microsoft 365",
42    "Data Source: Microsoft 365 Audit Logs",
43    "Data Source: Microsoft Defender",
44    "Data Source: Microsoft Defender Threat Intelligence",
45    "Use Case: Threat Detection",
46    "Tactic: Initial Access",
47]
48timestamp_override = "event.ingested"
49type = "query"
50
51query = '''
52event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1566"
60name = "Phishing"
61reference = "https://attack.mitre.org/techniques/T1566/"
62
63
64[rule.threat.tactic]
65id = "TA0001"
66name = "Initial Access"
67reference = "https://attack.mitre.org/tactics/TA0001/"

References

• Microsoft services that support auditing

  

  Learn about Microsoft services that support auditing in Microsoft Purview.

  
  Read More

• Octiga

  With more than a decade long history of businesses adopting cloud computing, less than one-third of the enterprises have a documented cloud strategy as per Gartner's estimation. Despite the increas...

  
  Read More

• Office 365 Management Activity API schema

  

  The Office 365 Management Activity API schema is provided as a data service in two layers - Common schema and service-specific schema.

  
  Read More

Related rules

• Microsoft 365 or Entra ID Sign-in from a Suspicious Source
• Multiple Microsoft 365 User Account Lockouts in Short Time Window
• Potential Microsoft 365 User Account Brute Force
• Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
• Microsoft 365 OAuth Phishing via Visual Studio Code Client