Signals are generated by Microsoft Defender for Office 365. False positives may occur if legitimate user activity is misclassified as a threat.

Techniques

Sample rules

M365 Threat Intelligence Signal

Description

Identifies a Microsoft 365 audit log event generated for Threat Intelligence signals by Microsoft Defender for Office 365. Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business, and others.

Detection logic

event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
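As an added example (not part of the rule or its catalogue), a small Python evaluator for the query above: it parses flat `field: "value"` terms joined by `and`/`or`, resolves dotted ECS field names against flat or nested documents, runs the rule over constructed sample events, and counts hits per user to support the false-positive review the note at the top calls for. The sample events and their user ids are constructed, and the evaluator assumes no parentheses, negation or wildcards in the query.

```python
import re
# Detection logic quoted from the rule above.
RULE = 'event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"'
_TERM = re.compile(r'\s*([\w.]+)\s*:\s*"([^"]*)"\s*')

def parse_query(query):
    """Parse `field: "value"` terms joined by and/or into a list of AND-groups."""
    groups = []
    for clause in re.split(r"\s+or\s+", query.strip()):
        terms = []
        for part in re.split(r"\s+and\s+", clause):
            m = _TERM.fullmatch(part)
            if not m:
                raise ValueError(f"unsupported term: {part!r}")
            terms.append((m.group(1), m.group(2)))
        groups.append(terms)
    return groups

def get_field(event, dotted):
    """Resolve a dotted ECS field name against a flat key or nested dicts."""
    if dotted in event:
        return event[dotted]
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(event, query=RULE):
    """True when any AND-group of the query holds for the event."""
    return any(all(get_field(event, f) == v for f, v in group)
               for group in parse_query(query))

# Constructed sample events in ECS shape; values are illustrative only.
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "event.provider": "ThreatIntelligence", "user.id": "alice@example.com"},
    {"event": {"dataset": "o365.audit", "provider": "Exchange"}, "user": {"id": "bob@example.com"}},
    {"event.dataset": "azure.signinlogs", "event.provider": "ThreatIntelligence", "user.id": "carol@example.com"},
]

def triage(events):
    """Count hits per user so an analyst can review accounts for the false positives noted above."""
    hits = {}
    for ev in events:
        if matches(ev):
            user = get_field(ev, "user.id") or "<unknown>"
            hits[user] = hits.get(user, 0) + 1
    return hits
```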