M365 Threat Intelligence Signal
Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365. Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/08/19"
integration = ["o365"]
maturity = "production"
promotion = true
updated_date = "2025/09/01"

[rule]
author = ["Elastic"]
description = """
Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365.
Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
"""
false_positives = [
    """
    Signals are generated by Microsoft Defender for Office 365. False-positives may occur if legitimate user activity is
    misclassified as a threat.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "M365 Threat Intelligence Signal"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating M365 Threat Intelligence Signal

Microsoft 365 Threat Intelligence leverages audit logs to monitor activities across services like Exchange Online and SharePoint. Adversaries may exploit these platforms for phishing, gaining initial access. The detection rule identifies signals from Microsoft Defender, focusing on audit logs tagged with "ThreatIntelligence," to pinpoint potential abuse, assigning a medium risk score to such events.

### Possible investigation steps

- Review the audit logs filtered by event.dataset: "o365.audit" and event.provider: "ThreatIntelligence" to identify the specific activities flagged by the rule.
- Examine the user accounts associated with the flagged activities to determine if they have been compromised or are behaving anomalously.
- Investigate the source IP addresses and locations associated with the flagged events to identify any unusual or suspicious access patterns.
- Check for any related alerts or signals in Microsoft Defender for Office 365 that might provide additional context or corroborate the threat.
- Assess the potential impact on Exchange Online, SharePoint Online, and OneDrive for Business by reviewing any changes or access attempts to sensitive data or configurations.
- Determine if the flagged activities align with known phishing techniques (MITRE ATT&CK T1566) and assess the likelihood of initial access attempts.

### False positive analysis

- Routine administrative activities in Exchange Online or SharePoint Online may trigger audit logs tagged with "ThreatIntelligence" without indicating malicious intent. Review these logs to identify patterns of legitimate administrative actions and consider excluding them from the detection rule.
- Automated processes or third-party integrations with Microsoft 365 services can generate audit logs similar to those flagged by the rule. Identify these processes and create exceptions for known benign activities to reduce false positives.
- Frequent file sharing or collaboration activities in OneDrive for Business might be misinterpreted as potential threats. Analyze the context of these activities and exclude regular business operations from the rule to prevent unnecessary alerts.
- Regular updates or maintenance tasks performed by IT staff can appear as suspicious activities. Establish a baseline of expected behavior during these periods and adjust the detection rule to accommodate these known activities.
- User training sessions or onboarding processes may involve actions that mimic initial access tactics. Monitor these events and exclude them from the rule when they align with scheduled training or onboarding activities.

### Response and remediation

- Immediately isolate any affected accounts or systems identified in the audit logs to prevent further unauthorized access or data exfiltration.
- Conduct a thorough review of the audit logs to identify any additional suspicious activities or compromised accounts related to the Threat Intelligence signals.
- Reset passwords for compromised accounts and enforce multi-factor authentication to enhance security and prevent further unauthorized access.
- Notify relevant stakeholders, including IT security teams and management, about the incident and potential impact, ensuring alignment on response actions.
- Escalate the incident to Microsoft support if necessary, providing detailed information from the audit logs to assist in further investigation and resolution.
- Implement additional monitoring and alerting for similar threat indicators to enhance detection capabilities and prevent recurrence.
- Review and update security policies and configurations for Exchange Online, SharePoint Online, and OneDrive for Business to mitigate vulnerabilities exploited by adversaries.
"""
references = [
    "https://learn.microsoft.com/en-us/purview/audit-supported-services",
    "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365",
    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
]
risk_score = 47
rule_id = "60c814fc-7d06-11f0-b326-f661ea17fbcd"
setup = """### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Data Source: Microsoft Defender",
    "Data Source: Microsoft Defender Threat Intelligence",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
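The following is an added example, not part of the Elastic rule or its repository: it replays the rule's KQL filter over constructed ECS-style o365 audit events, applies the rule's `from = "now-9m"` window on the `timestamp_override` field (`event.ingested`), models a false-positive exception for a known benign account, and summarises the remaining signals by user and source IP as the investigation steps suggest. All event values, user names and IP addresses are constructed for illustration.

```python
"""Replay of the M365 Threat Intelligence Signal rule over constructed events
(added example; not the Elastic rule's own code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, 12, 0, tzinfo=timezone.utc)  # fixed reference "now"

def ts(minutes_ago):
    return (NOW - timedelta(minutes=minutes_ago)).isoformat()

# Constructed sample events in ECS field layout; not taken from a real tenant.
SAMPLE_EVENTS = [
    {"event": {"dataset": "o365.audit", "provider": "ThreatIntelligence", "ingested": ts(2)},
     "user": {"id": "alice@example.test"}, "source": {"ip": "203.0.113.10"}},
    {"event": {"dataset": "o365.audit", "provider": "Exchange", "ingested": ts(3)},
     "user": {"id": "bob@example.test"}, "source": {"ip": "198.51.100.7"}},   # other provider
    {"event": {"dataset": "o365.audit", "provider": "ThreatIntelligence", "ingested": ts(5)},
     "user": {"id": "alice@example.test"}, "source": {"ip": "203.0.113.10"}},
    {"event": {"dataset": "o365.audit", "provider": "ThreatIntelligence", "ingested": ts(40)},
     "user": {"id": "carol@example.test"}, "source": {"ip": "192.0.2.5"}},    # outside now-9m
    {"event": {"dataset": "azure.signinlogs", "provider": "ThreatIntelligence", "ingested": ts(1)},
     "user": {"id": "dave@example.test"}, "source": {"ip": "192.0.2.9"}},     # wrong dataset
]

def field(event, path):
    """Resolve a dotted ECS field name such as 'event.provider'; None if absent."""
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def matches_query(event):
    """event.dataset: "o365.audit" and event.provider: "ThreatIntelligence" (exact keyword terms)."""
    return (field(event, "event.dataset") == "o365.audit"
            and field(event, "event.provider") == "ThreatIntelligence")

def in_window(event, now=NOW, lookback=timedelta(minutes=9)):
    """The rule's from = "now-9m", evaluated on event.ingested (timestamp_override)."""
    stamp = field(event, "event.ingested") or field(event, "@timestamp")
    return now - lookback <= datetime.fromisoformat(stamp) <= now

def run_rule(events, now=NOW, excluded_users=()):
    """Signals the rule would raise; excluded_users models a false-positive
    exception for known benign automation or service accounts."""
    return [e for e in events if matches_query(e) and in_window(e, now)
            and field(e, "user.id") not in excluded_users]

def triage_summary(signals):
    """Per-user and per-source-IP counts: the first pivots named in the investigation steps."""
    return {"users": Counter(field(e, "user.id") for e in signals),
            "source_ips": Counter(field(e, "source.ip") for e in signals)}

if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    print(len(hits), "signal(s):", dict(triage_summary(hits)["users"]))
```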
Related rules
- Microsoft 365 or Entra ID Sign-in from a Suspicious Source
- Multiple Microsoft 365 User Account Lockouts in Short Time Window
- Potential Microsoft 365 User Account Brute Force
- Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
- M365 OneDrive Excessive File Downloads with OAuth Token