Package for security monitoring of Microsoft Office365 SaaS ready for deployment on Splunk to detect incidents and security violations in the Office365 platform.

Includes 20 threat detection rule items covering 8 Techniques across 6 Tactics according to MITRE ATT&CK Enterprise.

Splunk Dashboards:

• Azure Active Directory
• Exchange
• OneDrive
• SharePoint

Splunk Saved Searches (first 10 from 20):

• [Office365] Add admin role (Added a user to an admin role in Office 365)
• [Office365] Anonymizer tools detected (An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable.)
• [Office365] Anonymous link operations (Create, Update and other anonymous link operations detected)
• [Office365] Connection with a suspicious user agent (May be used for direct download via Powershell or other tools)
• [Office365] Cryptominer tools detected (Detects the mining tools)
• [Office365] Hacktool detected (Detects Empire scripts)
• [Office365] Malware detection (SharePoint anti-virus engine detects malware in a file.)
• [Office365] Remote administration tools detected (Remote administration tool is software that helps the administrator or attacker to receive full control of the targeted device.)
• [Office365] Remove distribution group (Remove distribution groups and mail-enabled security groups)
• [Office365] Scanner tools detected (Scanner is used to discover hosts and services on a computer network by sending packets and analyzing the responses)

MITRE ATT&CK tags:

• User Execution | T1204
• Account Manipulation | T1098
• Brute Force | T1110
• Network Service Scanning | T1046
• Remote File Copy | T1105
• Data Staged | T1074
• Automated Exfiltration | T1020