M365 Threat Intelligence Signal
Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365. Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
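# Elastic detection rule: promotes Microsoft Defender for Office 365
# "ThreatIntelligence" audit records from the o365 integration into alerts.
# The rendered listing had gutter line numbers fused onto every line; they are
# dropped here so the document parses as TOML.
[metadata]
creation_date = "2025/08/19"
integration = ["o365"]
maturity = "production"
# Promotion rule: the query below only selects the vendor's own signals, so the
# verdict and context of each alert come from Defender, not from this rule.
promotion = true
updated_date = "2025/08/19"

[rule]
author = ["Elastic"]
description = """
Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365.
Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
"""
# Tune with rule exceptions rather than by narrowing the query, so that the
# promotion stays complete and the suppressed cases remain visible in the rule.
false_positives = [
    """
 Signals are generated by Microsoft Defender for Office 365. False-positives may occur if legitimate user activity is
 misclassified as a threat.
 """,
]
# Lookback window; with timestamp_override set to event.ingested below, the
# window is evaluated against ingest time, presumably to absorb ingestion delay.
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
# High ceiling per execution: every matching Defender signal becomes an alert.
# The setup note below points to the max-alerts troubleshooting guide.
max_signals = 1000
name = "M365 Threat Intelligence Signal"
references = [
    "https://learn.microsoft.com/en-us/purview/audit-supported-services",
    "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365",
    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
]
# Flat medium severity for all promoted signals regardless of the vendor's own
# verdict; triage should read the original event fields for the actual finding.
risk_score = 47
rule_id = "60c814fc-7d06-11f0-b326-f661ea17fbcd"
setup = """### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Data Source: Microsoft Defender",
    "Data Source: Microsoft Defender Threat Intelligence",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"

# Matches every o365 audit record emitted by the ThreatIntelligence provider;
# no further filtering on action, outcome or verdict is applied here.
query = '''
event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
'''

# MITRE ATT&CK mapping: Defender TI signals are treated as Initial Access via
# phishing for coverage reporting.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"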
References
Related rules
- Microsoft 365 or Entra ID Sign-in from a Suspicious Source
- Multiple Microsoft 365 User Account Lockouts in Short Time Window
- Potential Microsoft 365 User Account Brute Force
- Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
- Microsoft 365 OAuth Phishing via Visual Studio Code Client