
Security Monitoring for Office365 SaaS Platform


A Splunk package for security monitoring of the Microsoft Office365 SaaS platform, ready for deployment to detect incidents and security violations in Office365.

Includes 20 threat detection rules covering 8 Techniques across 6 Tactics according to MITRE ATT&CK Enterprise.

Splunk Dashboards:

  • Azure Active Directory
  • Exchange
  • OneDrive
  • SharePoint

Splunk Saved Searches (first 10 of 20):

  • [Office365] Add admin role (A user was added to an admin role in Office 365)
  • [Office365] Anonymizer tools detected (An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable)
  • [Office365] Anonymous link operations (Create, Update and other anonymous link operations detected)
  • [Office365] Connection with a suspicious user agent (May indicate direct download via PowerShell or other tools)
  • [Office365] Cryptominer tools detected (Detects cryptocurrency mining tools)
  • [Office365] Hacktool detected (Detects Empire scripts)
  • [Office365] Malware detection (The SharePoint anti-virus engine detected malware in a file)
  • [Office365] Remote administration tools detected (A remote administration tool is software that gives an administrator, or an attacker, full control of the targeted device)
  • [Office365] Remove distribution group (Removal of distribution groups and mail-enabled security groups)
  • [Office365] Scanner tools detected (A scanner discovers hosts and services on a computer network by sending packets and analyzing the responses)

MITRE ATT&CK Techniques:
  • User Execution | T1204
  • Account Manipulation | T1098
  • Brute Force | T1110
  • Network Service Scanning | T1046
  • Remote File Copy | T1105
  • Data Staged | T1074
  • Automated Exfiltration | T1020