Techniques
Sample rules
O365 Security And Compliance Alert Triggered
- source: splunk
- techniques:
- T1078
- T1078.004
Description
The following detection surfaces alerts raised by the Office 365 Security and Compliance Center. Those alerts cover a broad range of security and compliance conditions that may indicate a threat or a policy violation inside the O365 tenant, which is why the rule maps to Valid Accounts (T1078) and Cloud Accounts (T1078.004) rather than to one specific behaviour. Because the search only forwards what the Security and Compliance Center has already flagged, its coverage depends on the alert policies enabled in the tenant and on the SecurityComplianceCenter workload of the o365 management activity feed being ingested into Splunk. The short keys extracted from the Data field (f3u, op, rid, ad, lon, an, sev) carry the user, operation, rule id, alert description, operation name, alert name and severity, and those are the fields the results are grouped on.
Detection logic
`o365_management_activity` Workload=SecurityComplianceCenter Category=ThreatManagement Operation=AlertTriggered
| spath input=Data path=f3u output=user
| spath input=Data path=op output=operation
| spath input=_raw path=wl
| spath input=Data path=rid output=rule_id
| spath input=Data path=ad output=alert_description
| spath input=Data path=lon output=operation_name
| spath input=Data path=an output=alert_name
| spath input=Data path=sev output=severity
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user, Name, operation, rule_id, alert_description, alert_name, severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_security_and_compliance_alert_triggered_filter`
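As an added example, not part of the Splunk content itself, the following Python mirrors that search over a handful of constructed o365 management activity events: the base filter on Workload, Category and Operation, the spath extraction of the abbreviated keys out of the JSON string carried in Data, and the stats aggregation (count, earliest and latest _time per group). The event shape and every value in it are assumptions made for this example. The `wl` extraction, the `security_content_ctime` macros and the `o365_security_and_compliance_alert_triggered_filter` macro are left out because they do not change which rows come back.

```python
import json

# Constructed sample events (not real tenant data) shaped like the o365
# management activity records the search above filters on: top-level
# Workload/Category/Operation/Name plus a Data field that is itself a JSON
# string carrying the abbreviated alert keys (f3u, op, rid, ad, lon, an, sev).
# The key names come from the spath calls in the search; every value is made up.
def _alert(ts, **overrides):
    data = {
        "f3u": "alice@example.com",
        "op": "FileDeleted",
        "rid": "11111111-1111-1111-1111-111111111111",
        "ad": "Unusual volume of file deletion by a single user",
        "lon": "FileDeleted",
        "an": "Unusual volume of file deletion",
        "sev": "Medium",
    }
    event = {
        "_time": ts,
        "Workload": "SecurityComplianceCenter",
        "Category": "ThreatManagement",
        "Operation": "AlertTriggered",
        "Name": "Unusual volume of file deletion",
        "Data": json.dumps(data),
    }
    event.update(overrides)
    return event


SAMPLE_EVENTS = [
    _alert(1700000000),                                     # matches
    _alert(1700003600),                                     # same alert an hour later
    _alert(1700000100, Workload="Exchange"),                # wrong workload: dropped
    _alert(1700000200, Operation="AlertEntityGenerated"),   # wrong operation: dropped
]

# spath path inside Data -> output field name, exactly as in the search.
FIELD_MAP = {
    "f3u": "user",
    "op": "operation",
    "rid": "rule_id",
    "ad": "alert_description",
    "lon": "operation_name",
    "an": "alert_name",
    "sev": "severity",
}

# Group-by fields of the stats clause (Name is a top-level event field).
GROUP_BY = ("user", "Name", "operation", "rule_id",
            "alert_description", "alert_name", "severity")


def matches_base_search(event):
    """The three key=value filters in front of the first pipe."""
    return (event.get("Workload") == "SecurityComplianceCenter"
            and event.get("Category") == "ThreatManagement"
            and event.get("Operation") == "AlertTriggered")


def extract_fields(event):
    """Equivalent of the spath input=Data path=... output=... lines."""
    try:
        data = json.loads(event.get("Data") or "{}")
    except json.JSONDecodeError:
        data = {}  # spath on malformed JSON yields no fields; do the same
    fields = {out: data.get(path) for path, out in FIELD_MAP.items()}
    fields["Name"] = event.get("Name")
    return fields


def run_detection(events):
    """stats count earliest(_time) as firstTime latest(_time) as lastTime by GROUP_BY."""
    groups = {}
    for event in events:
        if not matches_base_search(event):
            continue
        fields = extract_fields(event)
        key = tuple(fields[name] for name in GROUP_BY)
        agg = groups.setdefault(key, {"count": 0,
                                      "firstTime": event["_time"],
                                      "lastTime": event["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], event["_time"])
        agg["lastTime"] = max(agg["lastTime"], event["_time"])
    rows = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(agg)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Two events that share every group-by field collapse into one row with count 2 and the earliest and latest timestamps, which is how the search keeps a noisy alert policy from producing one notable per occurrence. Tenant-specific exclusions belong in the `o365_security_and_compliance_alert_triggered_filter` macro rather than in the base search, so that updates to the detection do not overwrite them.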