M365 Threat Intelligence Signal

Identifies Microsoft 365 audit log records generated for Threat Intelligence signals by Microsoft Defender for Office 365. The signals may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others; every record from this workload is promoted to an alert without further filtering on its type or verdict.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule in the detection-rules repo format. The key
# order inside each table is the repo's canonical formatting (alphabetical, with
# `query` moved last); keep it when editing by hand.
[metadata]
creation_date = "2025/08/19"
integration = ["o365"]
maturity = "production"
# Marks this as a promotion rule: the alert carries an upstream Microsoft
# Defender for Office 365 signal through to Elastic Security rather than
# detecting behaviour from raw telemetry (see `description`).
promotion = true
updated_date = "2025/08/19"

[rule]
author = ["Elastic"]
description = """
Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365.
Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
"""
false_positives = [
    """
    Signals are generated by Microsoft Defender for Office 365. False-positives may occur if legitimate user activity is
    misclassified as a threat.
    """,
]
# Lookback window for each execution. Paired with `timestamp_override` below so
# the window is measured on ingest time; this is the usual pairing on O365
# rules because audit records can be delivered well after the event time.
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
# Per-execution alert cap. A promotion rule can fire once per upstream signal,
# so this is set high; the `setup` note below links the max-alerts
# troubleshooting guide for when the cap is reached.
max_signals = 1000
name = "M365 Threat Intelligence Signal"
references = [
    "https://learn.microsoft.com/en-us/purview/audit-supported-services",
    "https://www.octiga.io/en-gb/insights/nist-csf-for-office-365",
    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema",
]
# Static scoring: every promoted record gets risk 47 / medium. No
# `risk_score_mapping` or `severity_mapping` from the record's own fields is
# defined, so Defender's per-signal verdict is not reflected in the alert.
# NOTE(review): if the o365 integration maps the Defender verdict/severity to a
# field, a `severity_mapping` on it would make triage ordering more useful;
# confirm the field name against the integration's mapping before adding one.
risk_score = 47
rule_id = "60c814fc-7d06-11f0-b326-f661ea17fbcd"
setup = """### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
# NOTE(review): "Microsoft Defender Threat Intelligence" is also the name of a
# separate Microsoft product (MDTI). The records this rule promotes come from
# the Defender for Office 365 "ThreatIntelligence" audit workload (see `query`);
# confirm that data-source tag is the intended one.
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Data Source: Microsoft Defender",
    "Data Source: Microsoft Defender Threat Intelligence",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
]
# Time-range queries use `event.ingested` instead of `@timestamp`; see the
# comment on `from` for why.
timestamp_override = "event.ingested"
type = "query"

# Promotes every o365.audit record whose provider is the ThreatIntelligence
# workload. There is no filter on the record sub-type or on Defender's verdict,
# so anything the workload emits becomes an alert (see `false_positives`).
query = '''
event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
'''


# ATT&CK mapping. Only Phishing (T1566) under Initial Access is mapped, although
# the description says the signals span several workloads; promoted signals that
# are not mail/phishing related still carry this single mapping.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
