LoFP
/
o365
o365 rule
Title
Tags
a dlp policy may be removed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
o365
elastic
a malware filter policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
o365
elastic
a malware filter rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
o365
elastic
a new role may be assigned to a management group by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1098
o365
elastic
a new transport rule may be created by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1537
o365
elastic
a safe attachment rule may be disabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1562
o365
elastic
a transport rule may be modified by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1537
o365
elastic
a user sending emails using personal distribution folders may trigger the event.
t1078
o365
elastic
an anti-phishing policy may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1566
o365
elastic
an anti-phishing rule may be deleted by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1566
o365
elastic
assignment of rights to a service account.
t1098
o365
elastic
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
t1110
o365
aws
okta
elastic
benign files can trigger signatures in the built-in virus protection
T1080
o365
elastic
custom applications may be allowed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
o365
elastic
disabling a dkim configuration may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1556
o365
elastic
disabling safe links may be done by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1566
o365
elastic
if cloud app security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process.
t1486
o365
elastic
legitimate allowlisting of noisy accounts
t1562
o365
elastic
legitimate files reported by the users
t1566
o365
elastic
teams external access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1098
o365
elastic
teams guest access may be enabled by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
t1098
o365
elastic
unknown
o365
elastic
user using a new mail client.
t1078
o365
elastic
user using a vpn may lead to false positives.
t1078
o365
elastic
users and administrators can create inbox rules for legitimate purposes. verify if it complies with the company policy and done with the user's consent. exceptions can be added to this rule to filter expected behavior.
t1114
o365
elastic
users or system administrator cleaning out folders.
t1485
o365
elastic
LoFP
/
o365