Data Source: Office 365 Universal Audit Log

Description

Data source object for Office 365 Universal Audit Log

Details

| Property | Value |
|---|---|
| Source | o365 |
| Sourcetype | o365:management:activity |
| Separator | Operation |

| Name | Technique | Type |
|---|---|---|
| O365 Application Available To Other Tenants | Additional Cloud Roles | TTP |
| O365 Cross-Tenant Access Change | Trust Modification | TTP |
| O365 DLP Rule Triggered | Exfiltration Over Alternative Protocol, Exfiltration Over Web Service | Anomaly |
| O365 Email Access By Security Administrator | Remote Email Collection, Exfiltration Over Web Service | TTP |
| O365 Email Hard Delete Excessive Volume | Clear Mailbox Data, Data Destruction | Anomaly |
| O365 Email New Inbox Rule Created | Email Forwarding Rule, Email Hiding Rules | Anomaly |
| O365 Email Password and Payroll Compromise Behavior | Clear Mailbox Data, Data Destruction, Local Email Collection | TTP |
| O365 Email Receive and Hard Delete Takeover Behavior | Clear Mailbox Data, Data Destruction, Local Email Collection | Anomaly |
| O365 Email Reported By Admin Found Malicious | Spearphishing Attachment, Spearphishing Link | TTP |
| O365 Email Reported By User Found Malicious | Spearphishing Attachment, Spearphishing Link | TTP |
| O365 Email Security Feature Changed | Disable or Modify Tools, Disable or Modify Cloud Logs | TTP |
| O365 Email Send and Hard Delete Exfiltration Behavior | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly |
| O365 Email Send and Hard Delete Suspicious Behavior | Local Email Collection, Clear Mailbox Data, Data Destruction | Anomaly |
| O365 Email Send Attachments Excessive Volume | Clear Mailbox Data, Data Destruction | Anomaly |
| O365 Email Suspicious Behavior Alert | Email Forwarding Rule | TTP |
| O365 Email Suspicious Search Behavior | Remote Email Collection, Unsecured Credentials | Anomaly |
| O365 Email Transport Rule Changed | Email Forwarding Rule, Email Hiding Rules | Anomaly |
| O365 Exfiltration via File Access | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly |
| O365 Exfiltration via File Download | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly |
| O365 Exfiltration via File Sync Download | Exfiltration Over Web Service, Data from Cloud Storage | Anomaly |
| O365 External Guest User Invited | Cloud Account | TTP |
| O365 External Identity Policy Changed | Cloud Account | TTP |
| O365 Multiple OS Vendors Authenticating From User | Brute Force | TTP |
| O365 Privileged Role Assigned | Additional Cloud Roles | TTP |
| O365 Privileged Role Assigned To Service Principal | Additional Cloud Roles | TTP |
| O365 Safe Links Detection | Spearphishing Attachment | TTP |
| O365 SharePoint Allowed Domains Policy Changed | Cloud Account | TTP |
| O365 SharePoint Malware Detection | Malicious File | TTP |
| O365 SharePoint Suspicious Search Behavior | SharePoint, Unsecured Credentials | Anomaly |
| O365 Threat Intelligence Suspicious Email Delivered | Spearphishing Attachment, Spearphishing Link | Anomaly |
| O365 Threat Intelligence Suspicious File Detected | Malicious File | TTP |
| O365 ZAP Activity Detection | Spearphishing Attachment, Spearphishing Link | Anomaly |

Supported Apps

Event Fields

Fields: _time

Source: GitHub | Version: 1