O365 Various Alerts

Description

Various Office 365 built-in and premium security feature alerts.

MITRE ATT&CK Techniques

ID    | Technique | Tactic
T1566 | Phishing  | Initial Access

Environment Details

Field       | Value
Environment | attack_range
Directory   | o365_various_alerts
Test Date   | 2024-4-6

Datasets

The following datasets were collected during this attack simulation:

O365_various_alerts

  • Path: /datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
  • Sourcetype: o365:management:activity
  • Source: o365

The following detections in our security content repository use this attack data for testing:

Detection Name | Type | Source | MITRE ATT&CK | Analytic Story
O365 ZAP Activity Detection | Anomaly | Cloud | T1566.001, T1566.002 | Spearphishing Attachments, Suspicious Emails
O365 Email Reported By User Found Malicious | TTP | Cloud | T1566.001, T1566.002 | Spearphishing Attachments, Suspicious Emails
O365 Email Security Feature Changed | TTP | Cloud | T1562.001, T1562.008 | Office 365 Persistence Mechanisms, Office 365 Account Takeover
O365 DLP Rule Triggered | Anomaly | Cloud | T1048, T1567 | Data Exfiltration
O365 SharePoint Malware Detection | TTP | Cloud | T1204.002 | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud
O365 Safe Links Detection | TTP | Cloud | T1566.001 | Office 365 Account Takeover, Spearphishing Attachments
O365 Threat Intelligence Suspicious File Detected | TTP | Cloud | T1204.002 | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud
O365 SharePoint Allowed Domains Policy Changed | TTP | Cloud | T1136.003 | Azure Active Directory Persistence
O365 Email Suspicious Behavior Alert | TTP | Cloud | T1114.003 | Suspicious Emails, Office 365 Collection Techniques, Office 365 Account Takeover
O365 Threat Intelligence Suspicious Email Delivered | Anomaly | Cloud | T1566.001, T1566.002 | Spearphishing Attachments, Suspicious Emails
O365 Email Reported By Admin Found Malicious | TTP | Cloud | T1566.001, T1566.002 | Spearphishing Attachments, Suspicious Emails
O365 Email Access By Security Administrator | TTP | Cloud | T1114.002, T1567 | Data Exfiltration, Azure Active Directory Account Takeover, Office 365 Account Takeover

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

    python replay.py --dataset /datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above.
  2. Configure your Splunk instance with the sourcetype listed above (o365:management:activity).
  3. Import the logs using the Splunk Add Data wizard.

Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0