O365 Email Suspicious Behavior Alert
- source: splunk
- techniques:
- T1114
- T1114.003
Description
The following analytic identifies when one of the built-in Office 365 security detections for suspicious email behavior is triggered. These alerts often indicate that an attacker has compromised a mailbox within the environment, for example to exfiltrate mail through forwarding rules or to send spam or phishing from a trusted account. Any alert raised by the built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities further enhance these detection and response functions.
Detection logic
`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name IN ("Suspicious email sending patterns detected","User restricted from sending email","Suspicious Email Forwarding Activity","Email sending limit exceeded")
| fromjson Data
| stats count min(_time) as firstTime max(_time) as lastTime by AlertId,ObjectId,Operation,Name
| rename Name as signature, AlertId as signature_id, ObjectId as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_suspicious_behavior_alert_filter`
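To show what the search above actually computes, here is the same pipeline re-implemented in Python and run over a handful of constructed `o365_management_activity` events. This is an added example, not Splunk's or the Security Content project's code: the event records are made up for illustration (real `AlertEntityGenerated` records carry more fields), `CreationTime` stands in for Splunk's `_time`, and the `excluded_users` allowlist is a hypothetical stand-in for the `o365_email_suspicious_behavior_alert_filter` macro, which in a real deployment would carry whatever tuning the SOC has applied.

```python
"""Re-implementation of the O365 Email Suspicious Behavior Alert logic.
Added example, not Splunk's own code; sample events are constructed."""
import json
from datetime import datetime, timezone

# The alert names the SPL matches with `Name IN (...)`.
SUSPICIOUS_ALERT_NAMES = {
    "Suspicious email sending patterns detected",
    "User restricted from sending email",
    "Suspicious Email Forwarding Activity",
    "Email sending limit exceeded",
}


def parse_time(iso_ts: str) -> float:
    """_time for O365 events is derived from CreationTime (UTC, ISO 8601)."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp()


def ctime(epoch: float) -> str:
    """Equivalent of the `security_content_ctime` macro: epoch -> readable UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, excluded_users=()):
    """Mirror the SPL: filter on Workload/Operation/Name, `fromjson Data`,
    `stats count min(_time) max(_time) by AlertId,ObjectId,Operation,Name`,
    rename to signature/signature_id/user, then apply the filter macro."""
    buckets = {}
    for ev in events:
        if ev.get("Workload") != "SecurityComplianceCenter":
            continue
        if ev.get("Operation") != "AlertEntityGenerated":
            continue
        if ev.get("Name") not in SUSPICIOUS_ALERT_NAMES:
            continue
        # `fromjson Data`: Data is a JSON string inside the event. A malformed
        # payload must not abort the search, so treat it as empty instead.
        try:
            data = json.loads(ev.get("Data") or "{}")
        except json.JSONDecodeError:
            data = {}
        key = (ev.get("AlertId"), ev.get("ObjectId"), ev["Operation"], ev["Name"])
        t = parse_time(ev["CreationTime"])
        b = buckets.setdefault(key, {"count": 0, "first": t, "last": t, "data": data})
        b["count"] += 1
        b["first"] = min(b["first"], t)
        b["last"] = max(b["last"], t)

    results = []
    for (alert_id, user, operation, name), b in buckets.items():
        # Hypothetical allowlist standing in for the `_filter` macro.
        if user in excluded_users:
            continue
        results.append({
            "signature": name,        # rename Name as signature
            "signature_id": alert_id, # rename AlertId as signature_id
            "user": user,             # rename ObjectId as user
            "Operation": operation,
            "count": b["count"],
            "firstTime": ctime(b["first"]),
            "lastTime": ctime(b["last"]),
        })
    return sorted(results, key=lambda r: r["firstTime"])


# Constructed sample events (not real tenant data). Two alerts for alice on the
# same AlertId, one sending-limit alert for a service account, one non-matching
# alert name and one non-matching workload.
SAMPLE_EVENTS = [
    {"Workload": "SecurityComplianceCenter", "Operation": "AlertEntityGenerated",
     "Name": "Suspicious Email Forwarding Activity", "AlertId": "a1",
     "ObjectId": "alice@example.com", "CreationTime": "2024-03-01T08:00:00Z",
     "Data": '{"etype": "User", "eid": "alice@example.com"}'},
    {"Workload": "SecurityComplianceCenter", "Operation": "AlertEntityGenerated",
     "Name": "Suspicious Email Forwarding Activity", "AlertId": "a1",
     "ObjectId": "alice@example.com", "CreationTime": "2024-03-01T08:30:00Z",
     "Data": "not valid json"},
    {"Workload": "SecurityComplianceCenter", "Operation": "AlertEntityGenerated",
     "Name": "Email sending limit exceeded", "AlertId": "b2",
     "ObjectId": "svc-bulkmail@example.com", "CreationTime": "2024-03-01T09:15:00Z",
     "Data": '{"etype": "User", "eid": "svc-bulkmail@example.com"}'},
    {"Workload": "SecurityComplianceCenter", "Operation": "AlertEntityGenerated",
     "Name": "Unusual volume of file deletion", "AlertId": "c3",
     "ObjectId": "bob@example.com", "CreationTime": "2024-03-01T09:20:00Z",
     "Data": "{}"},
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "Name": "Set-Mailbox",
     "AlertId": None, "ObjectId": "alice@example.com",
     "CreationTime": "2024-03-01T09:25:00Z", "Data": None},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS, excluded_users={"svc-bulkmail@example.com"}):
        print(row)
```

Running it without an allowlist yields two rows (alice with count 2 and the service account with count 1); adding the service account to `excluded_users` drops its row, which is exactly the kind of tuning the filter macro is meant to hold so that the rule body itself stays untouched.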