
Security Monitoring for Office365 SaaS Platform

Description:

Package for security monitoring of the Microsoft Office365 SaaS platform, ready for deployment on Splunk, that detects incidents and security violations from Office365 audit activity.

Includes 20 threat detection rules covering 8 techniques across 6 tactics of MITRE ATT&CK Enterprise.

Splunk Dashboards:

  • Azure Active Directory
  • Exchange
  • OneDrive
  • SharePoint

Splunk Saved Searches (first 10 of 20):

  • [Office365] Add admin role (A user was added to an admin role in Office 365)
  • [Office365] Anonymizer tools detected (An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable)
  • [Office365] Anonymous link operations (Create, Update and other anonymous link operations detected)
  • [Office365] Connection with a suspicious user agent (May indicate direct download via PowerShell or other tools)
  • [Office365] Cryptominer tools detected (Detects cryptocurrency mining tools)
  • [Office365] Hacktool detected (Detects Empire scripts)
  • [Office365] Malware detection (The SharePoint anti-virus engine detected malware in a file)
  • [Office365] Remote administration tools detected (A remote administration tool gives an administrator, or an attacker, full control of the target device)
  • [Office365] Remove distribution group (Removal of distribution groups and mail-enabled security groups)
  • [Office365] Scanner tools detected (A scanner discovers hosts and services on a network by sending packets and analyzing the responses)


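As an added worked example (this is not code shipped with the package above), the following Python reproduces the core logic of three of the listed saved searches, "Add admin role", "Anonymous link operations" and "Remove distribution group", over constructed Office 365 audit records. The field names (Workload, Operation, UserId, ObjectId, ModifiedProperties, ResultStatus) follow the Office 365 Management Activity API schema that the Splunk add-on ingests; the exact Operation strings, the privileged-role list and the severity values are assumptions for illustration and should be checked against events from your own tenant.

```python
"""Added example: minimal Office 365 audit-log detection logic.

Not part of the listed Splunk package. Field names follow the Office 365
Management Activity API schema; the Operation values, PRIVILEGED_ROLES and
severities are assumptions for illustration.
"""
import json

# Constructed sample records (one JSON object per line), shaped like
# Management Activity API events after ingestion into Splunk.
SAMPLE_EVENTS = """
{"CreationTime":"2024-05-01T10:00:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","ResultStatus":"Success","UserId":"admin@contoso.example","ObjectId":"alice@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator","OldValue":""}]}
{"CreationTime":"2024-05-01T10:01:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","ResultStatus":"Success","UserId":"admin@contoso.example","ObjectId":"bob@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Helpdesk Administrator","OldValue":""}]}
{"CreationTime":"2024-05-01T10:02:00","Workload":"SharePoint","Operation":"AnonymousLinkCreated","UserId":"alice@contoso.example","ClientIP":"203.0.113.5","ObjectId":"https://contoso.example/sites/finance/Shared Documents/q1-forecast.xlsx"}
{"CreationTime":"2024-05-01T10:03:00","Workload":"OneDrive","Operation":"FileAccessed","UserId":"carol@contoso.example","ClientIP":"198.51.100.7","ObjectId":"https://contoso-my.example/personal/carol/Documents/notes.docx"}
{"CreationTime":"2024-05-01T10:04:00","Workload":"Exchange","Operation":"Remove-DistributionGroup","ResultStatus":"True","UserId":"admin@contoso.example","ObjectId":"All Staff"}
"""

# Assumed: roles whose assignment warrants a higher severity.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "SharePoint Administrator",
    "Security Administrator",
}

# Assumed SharePoint/OneDrive operation names for anonymous sharing links.
ANONYMOUS_LINK_OPS = {
    "AnonymousLinkCreated", "AnonymousLinkUpdated",
    "AnonymousLinkUsed", "AnonymousLinkRemoved",
}


def parse_events(raw):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def role_name(event):
    """Extract the role display name from an Azure AD role-change event."""
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "")
    return ""


def detect(events):
    """Apply the three detections and return one finding per matching event."""
    findings = []
    for e in events:
        workload, op = e.get("Workload"), e.get("Operation")
        finding = None
        if (workload == "AzureActiveDirectory"
                and op == "Add member to role."
                and e.get("ResultStatus") == "Success"):
            role = role_name(e)
            finding = {"rule": "Add admin role",
                       "severity": "high" if role in PRIVILEGED_ROLES else "medium",
                       "detail": role}
        elif workload in ("SharePoint", "OneDrive") and op in ANONYMOUS_LINK_OPS:
            finding = {"rule": "Anonymous link operations",
                       "severity": "medium", "detail": op}
        elif workload == "Exchange" and op == "Remove-DistributionGroup":
            finding = {"rule": "Remove distribution group",
                       "severity": "low", "detail": op}
        if finding:
            finding.update({"time": e.get("CreationTime"),
                            "actor": e.get("UserId"),
                            "target": e.get("ObjectId")})
            findings.append(finding)
    return findings


def run(raw=SAMPLE_EVENTS):
    """Parse and detect in one step; returns the list of findings."""
    return detect(parse_events(raw))


if __name__ == "__main__":
    for f in run():
        print(f"{f['time']} [{f['severity']}] {f['rule']}: "
              f"{f['actor']} -> {f['target']} ({f['detail']})")
```

Run on the sample, the "FileAccessed" record produces nothing and the other four each yield one finding; the Global Administrator assignment is rated high, the Helpdesk Administrator assignment medium. In Splunk the same filters key on the same fields, for example (assuming the add-on's `o365:management:activity` sourcetype) `sourcetype=o365:management:activity Workload=AzureActiveDirectory Operation="Add member to role."`. One caveat a practitioner will want: anonymous-link events are routine in tenants where anonymous sharing is permitted by policy, so that rule is best scoped to sensitive sites or correlated with the tenant's sharing settings rather than alerted on blindly.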
MITRE ATT&CK tags:

  • User Execution | T1204
  • Account Manipulation | T1098
  • Brute Force | T1110
  • Network Service Scanning | T1046 (now named Network Service Discovery in current ATT&CK)
  • Remote File Copy | T1105 (now named Ingress Tool Transfer in current ATT&CK)
  • Data Staged | T1074
  • Automated Exfiltration | T1020