A content package for security monitoring of the Microsoft Office 365 SaaS platform, ready for deployment on Splunk, that detects incidents and security violations in Office 365.
It includes 20 threat detection rules covering 8 Techniques across 6 Tactics of MITRE ATT&CK Enterprise.
Splunk Dashboards:
- Azure Active Directory
- Exchange
- OneDrive
- SharePoint
Splunk Saved Searches (first 10 of 20):
- [Office365] Add admin role (Added a user to an admin role in Office 365)
- [Office365] Anonymizer tools detected (An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable.)
- [Office365] Anonymous link operations (Create, Update and other anonymous link operations detected)
- [Office365] Connection with a suspicious user agent (May indicate direct download via PowerShell or other tools)
- [Office365] Cryptominer tools detected (Detects mining tools)
- [Office365] Hacktool detected (Detects Empire scripts)
- [Office365] Malware detection (SharePoint anti-virus engine detects malware in a file.)
- [Office365] Remote administration tools detected (A remote administration tool is software that gives an administrator, or an attacker, full control of the targeted device.)
- [Office365] Remove distribution group (Remove distribution groups and mail-enabled security groups)
- [Office365] Scanner tools detected (A scanner discovers hosts and services on a computer network by sending packets and analyzing the responses.)
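As an added illustration that is not part of the package, the logic of three of the saved searches above (Add admin role, Anonymous link operations, Remove distribution group) written in Python and run over constructed audit records. It assumes the field and Operation names of the Office 365 Management Activity API unified audit log (Workload, Operation, UserId, ObjectId, ModifiedProperties); the tenant, users and paths are made up.

```python
import json

# Constructed sample shaped like Office 365 Management Activity API records
# (assumption: field and Operation names as in the unified audit log; the
# tenant, users and paths are made up for this example).
SAMPLE_AUDIT_LOG = json.dumps([
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to role.",
     "UserId": "admin@example.com", "ObjectId": "bob@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName",
                             "NewValue": "Global Administrator", "OldValue": ""}]},
    {"Workload": "SharePoint", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/finance/q4-forecast.xlsx"},
    {"Workload": "Exchange", "Operation": "Remove-DistributionGroup",
     "UserId": "admin@example.com", "ObjectId": "all-staff@example.com"},
    {"Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserId": "alice@example.com",
     "ObjectId": "https://example.sharepoint.com/sites/finance/q4-forecast.xlsx"},
])

ANONYMOUS_LINK_OPS = {"AnonymousLinkCreated", "AnonymousLinkUpdated",
                      "AnonymousLinkUsed", "AnonymousLinkRemoved"}

def role_added(event):
    """Return the directory role name if the event adds a member to a role."""
    if event.get("Workload") != "AzureActiveDirectory" \
            or event.get("Operation") != "Add member to role.":
        return None
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue") or "unknown role"
    return "unknown role"  # role change logged without a readable role name

def evaluate(audit_log_json):
    """Apply three of the pack's rules; returns (rule, actor, target, detail)."""
    alerts = []
    for e in json.loads(audit_log_json):
        actor, target, op = e.get("UserId", "?"), e.get("ObjectId", "?"), e.get("Operation")
        role = role_added(e)
        if role is not None:
            alerts.append(("[Office365] Add admin role", actor, target, role))
        elif e.get("Workload") == "SharePoint" and op in ANONYMOUS_LINK_OPS:
            alerts.append(("[Office365] Anonymous link operations", actor, target, op))
        elif e.get("Workload") == "Exchange" and op == "Remove-DistributionGroup":
            alerts.append(("[Office365] Remove distribution group", actor, target, op))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_AUDIT_LOG):
        print(" | ".join(alert))
```

The plain FileDownloaded record produces no alert, which is the negative case each rule should be checked against before it is deployed as a scheduled search.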
MITRE ATT&CK tags:
- User Execution | T1204
- Account Manipulation | T1098
- Brute Force | T1110
- Network Service Scanning | T1046
- Remote File Copy | T1105
- Data Staged | T1074
- Automated Exfiltration | T1020