O365 Safe Links Detection
- source: splunk
- techniques:
- T1566
- T1566.001
Description
The following analytic detects when any Microsoft Safe Links alert is triggered. This behavior may indicate that a user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem.
Detection logic
`o365_management_activity` Name="*a potentially malicious URL*" Operation=AlertEntityGenerated
| fromjson Data
| stats count min(_time) as firstTime max(_time) as lastTime values(ObjectId) as url values(od) as desc by AlertId,trc,Operation,Name,ot
| rename Name as signature, AlertId as signature_id, trc as user,ot as action
| eval action = CASE(action == "Allowed", "allowed", action=="BlockPageOverride", "allowed", true(),"blocked")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_safe_links_detection_filter`
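The following Python is an added example, not part of the Splunk Security Content rule above, that reimplements the same detection logic over a handful of constructed o365:management:activity events. It mirrors each SPL step: filter on Operation and a case-insensitive Name wildcard, decode the JSON-encoded Data payload (the `fromjson Data` step), group by AlertId, trc, Operation, Name and ot, collect count, first/last time, URLs and descriptions, and normalise the ot value into "allowed" or "blocked" exactly as the eval CASE does. The field names inside Data (trc, ot, od, ObjectId) and the sample events are assumptions taken from the rule, not verified against Microsoft's published schema; the `security_content_ctime` macros and the filter macro are omitted, so timestamps stay as epoch seconds.

```python
import json
from collections import defaultdict

# Constructed sample events (not real tenant data). Each dict mimics one
# o365:management:activity record whose Data field is a JSON string, which is
# what the SPL's `fromjson Data` expands. Field names inside Data are assumed.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "Operation": "AlertEntityGenerated", "AlertId": "alert-1",
     "Name": "A user clicked through to a potentially malicious URL",
     "Data": json.dumps({"trc": "alice@example.com", "ot": "Allowed",
                         "od": "User clicked through", "ObjectId": "https://bad.example/a"})},
    {"_time": 1700000600, "Operation": "AlertEntityGenerated", "AlertId": "alert-1",
     "Name": "A user clicked through to a potentially malicious URL",
     "Data": json.dumps({"trc": "alice@example.com", "ot": "Allowed",
                         "od": "User clicked through", "ObjectId": "https://bad.example/b"})},
    {"_time": 1700001200, "Operation": "AlertEntityGenerated", "AlertId": "alert-2",
     "Name": "A potentially malicious URL click was detected",
     "Data": json.dumps({"trc": "bob@example.com", "ot": "Blocked",
                         "od": "Click blocked by Safe Links", "ObjectId": "https://bad.example/c"})},
    {"_time": 1700001800, "Operation": "AlertEntityGenerated", "AlertId": "alert-3",
     "Name": "A user clicked through to a potentially malicious URL",
     "Data": json.dumps({"trc": "carol@example.com", "ot": "BlockPageOverride",
                         "od": "User overrode the block page", "ObjectId": "https://bad.example/d"})},
    # Noise: same Operation but an unrelated alert name, so the Name filter drops it.
    {"_time": 1700002400, "Operation": "AlertEntityGenerated", "AlertId": "alert-4",
     "Name": "Unusual volume of file deletion",
     "Data": json.dumps({"trc": "dave@example.com", "ot": "Info", "od": "n/a", "ObjectId": ""})},
    # Noise: wrong Operation entirely.
    {"_time": 1700003000, "Operation": "UserLoggedIn", "AlertId": "",
     "Name": "a potentially malicious URL", "Data": "{}"},
]

NAME_NEEDLE = "a potentially malicious url"


def normalize_action(ot):
    """Port of: eval action = CASE(action=="Allowed","allowed",
    action=="BlockPageOverride","allowed", true(),"blocked").
    Splunk's == is case-sensitive, so exact string matches are used."""
    if ot in ("Allowed", "BlockPageOverride"):
        return "allowed"
    return "blocked"


def safe_links_alerts(events):
    """Apply the rule's search, fromjson, stats and rename steps to a list of events."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "url": set(), "desc": set()})
    for ev in events:
        # Operation=AlertEntityGenerated AND Name="*a potentially malicious URL*"
        # (Splunk field=value wildcard matches are case-insensitive).
        if ev.get("Operation") != "AlertEntityGenerated":
            continue
        if NAME_NEEDLE not in ev.get("Name", "").lower():
            continue
        try:
            data = json.loads(ev.get("Data") or "{}")  # `fromjson Data`
        except json.JSONDecodeError:
            data = {}
        key = (ev.get("AlertId"), data.get("trc"), ev["Operation"], ev["Name"], data.get("ot"))
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        if data.get("ObjectId"):
            g["url"].add(data["ObjectId"])     # values(ObjectId) as url
        if data.get("od"):
            g["desc"].add(data["od"])          # values(od) as desc
    rows = []
    for (alert_id, user, op, name, ot), g in groups.items():
        rows.append({                          # rename + eval steps
            "signature": name, "signature_id": alert_id, "user": user,
            "Operation": op, "action": normalize_action(ot),
            "count": g["count"], "firstTime": g["firstTime"], "lastTime": g["lastTime"],
            "url": sorted(g["url"]), "desc": sorted(g["desc"]),
        })
    return sorted(rows, key=lambda r: r["signature_id"])


if __name__ == "__main__":
    for row in safe_links_alerts(SAMPLE_EVENTS):
        print(json.dumps(row))
```

Two alert-1 events collapse into one row with count 2 and both URLs, the "Blocked" event maps to "blocked", and the "BlockPageOverride" event maps to "allowed", which is the case an analyst most wants surfaced since the user chose to proceed past the warning page.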