LoFP LoFP / o365 tenant

TitleTags
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
administrator may legitimately invite external guest users. filter as needed.
administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed.
administrators might alter features for troubleshooting, performance reasons, or other administrative tasks. filter as needed.
administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. filter as needed.
administrators might temporarily share a mailbox with all users for legitimate reasons, such as troubleshooting, migrations, or other administrative tasks. some organizations use shared mailboxes for teams or departments where multiple users need access to the same mailbox. filter as needed.
administrators that submit known phishing training exercises.
administrators will legitimately assign the privileged roles users as part of administrative tasks. microsoft privileged identity management (pim) may cause false positives / less accurate alerting.
although unusual, users who have lost their passwords may trigger this detection. filter as needed.
application owners may be added for legitimate reasons, filter as needed.
based on safe links policies, may vary.
business approved changes by known administrators.
certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed.
compliance content searche exports may be executed for legitimate purposes, filter as needed.
compliance content searches may be executed for legitimate purposes, filter as needed.
email forwarding may be configured for legitimate purposes, filter as needed.
forwarding mail flow rules may be created for legitimate reasons, filter as needed.
fullaccess mailbox delegation may be assigned for legitimate purposes, filter as needed.
ip or users where the usage of multiple operating systems is expected, filter accordingly.
it is possible that certain file access scenarios may trigger this alert, specifically onedrive syncing and users accessing personal onedrives of other users. adjust threshold and filtering as needed.
it is possible that certain file download scenarios may trigger this alert, specifically onedrive syncing. adjust threshold and filtering as needed.
it is possible that certain file sync scenarios may trigger this alert, specifically onenote. adjust threshold and filtering as needed.
legitamate access by security administators for incident response measures.
legitimate administrative changes for business needs.
legitimate applications may access multiple mailboxes via an api. you can filter by the clientappid or the clientipaddress fields.
legitimate applications may be granted tenant wide consent, filter as needed.
logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.
mailbox folder permissions may be configured for legitimate purposes, filter as needed.
microsofts algorithm to identify risky applications is unknown and may flag legitimate applications.
o365 security and compliance may also generate false positives or trigger on legitimate behavior, filter as needed.
oauth applications may access mailboxes for legitimate purposes, you can use the clientappid to add trusted applications to an allow list.
oauth applications that require file permissions may be legitimate, investigate and filter as needed.
oauth applications that require mail permissions may be legitimate, investigate and filter as needed.
privilege roles may be assigned for legitimate purposes, filter as needed.
privileged graph api permissions may be assigned for legitimate purposes. filter as needed.
pst export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives.
service principal client credential modifications may be part of legitimate administrative operations. filter as needed.
service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed.
the creation of a new federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
the creation of a new federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
the full_access_as_app api permission may be assigned to legitimate applications. filter as needed.
the threshold for alert is above 10 attempts and this should reduce the number of false positives.
there are legitimate scenarios in wich an application registrations requires mailbox read access. filter as needed.
this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed.
unless it is a special case, it is uncommon to continually update trusted ips to mfa configuration.
unless it is a special case, it is uncommon to disable mfa or strong authentication
users emailing for legitimate business purposes that appear suspicious.
users may create email forwarding rules for legitimate purposes. filter as needed.
users may register mfa methods legitimally, investigate and filter as needed.
users searching excessively or possible false positives related to matching conditions.
while infrequent, the applicationimpersonation role may be granted for leigimate reasons, filter as needed.
while there are legitimate scenarios for these permissions, such as an executive assistant needing access to an executive's mailbox, there are also malicious scenarios. investigate and filter as needed.
will depending on accuracy of dlp rules, these can be noisy so tune appropriately.