Analytics Story: Office 365 Collection Techniques

Date: 2024-02-12 ID: d90f2b80-f675-4717-90af-12fc8c438ae8 Author: Mauricio Velazco, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and anomalies indicative of potential collection techniques within Office 365 environments.

Why it matters

Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The 'Office 365 Collection Techniques' analytic story focuses on the strategies and methodologies that attackers might use to gather critical information within the O365 ecosystem. 'Collection' in this context refers to the various techniques adversaries deploy to accumulate data that are essential for advancing their malicious objectives. This could include tactics such as intercepting communications, accessing sensitive documents, or extracting data from collaboration tools and email platforms. By identifying and monitoring these collection activities, organizations can more effectively spot and counteract attempts to illicitly gather information

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
O365 ApplicationImpersonation Role Assigned	Account Manipulation, Additional Email Delegate Permissions	TTP
O365 Compliance Content Search Exported	Email Collection, Remote Email Collection	TTP
O365 Compliance Content Search Started	Email Collection, Remote Email Collection	TTP
O365 Elevated Mailbox Permission Assigned	Account Manipulation, Additional Email Delegate Permissions	TTP
O365 Email Suspicious Behavior Alert	Email Collection, Email Forwarding Rule	TTP
O365 Mailbox Email Forwarding Enabled	Email Collection, Email Forwarding Rule	TTP
O365 Mailbox Folder Read Permission Assigned	Account Manipulation, Additional Email Delegate Permissions	TTP
O365 Mailbox Folder Read Permission Granted	Account Manipulation, Additional Email Delegate Permissions	TTP
O365 Multiple Mailboxes Accessed via API	Remote Email Collection	TTP
O365 New Email Forwarding Rule Created	Email Collection, Email Forwarding Rule	TTP
O365 New Email Forwarding Rule Enabled	Email Collection, Email Forwarding Rule	TTP
O365 New Forwarding Mailflow Rule Created	Email Collection	TTP
O365 OAuth App Mailbox Access via EWS	Remote Email Collection	TTP
O365 OAuth App Mailbox Access via Graph API	Remote Email Collection	TTP
O365 PST export alert	Email Collection	TTP
O365 Suspicious Admin Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
O365 Suspicious Rights Delegation	Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation	TTP
O365 Suspicious User Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
O365	N/A	`o365:management:activity`	`o365`
O365 MailItemsAccessed	N/A	`o365:management:activity`	`o365`

References

Source: GitHub | Version: 1