Data Source: Office 365 Universal Audit Log

Description

Data source object for Office 365 Universal Audit Log

Details

Property | Value
Source | o365
Sourcetype | o365:management:activity
Separator | Operation

Name | Technique | Type
O365 ZAP Activity Detection | Spearphishing Attachment, Spearphishing Link | Anomaly
O365 Email Transport Rule Changed | Email Forwarding Rule, Email Hiding Rules | Anomaly
O365 Cross-Tenant Access Change | Trust Modification | TTP
O365 SharePoint Suspicious Search Behavior | Sharepoint, Unsecured Credentials | Anomaly
O365 Email Reported By User Found Malicious | Spearphishing Attachment, Spearphishing Link | TTP
O365 Email Security Feature Changed | Disable or Modify Cloud Log | TTP
O365 Privileged Role Assigned | Additional Cloud Roles | TTP
O365 DLP Rule Triggered | Exfiltration Over Alternative Protocol, Exfiltration Over Web Service | Anomaly
O365 Email Send Attachments Excessive Volume | Clear Mailbox Data, Data Destruction | Anomaly
O365 Privileged Role Assigned To Service Principal | Additional Cloud Roles | TTP
O365 SharePoint Malware Detection | Malicious File | TTP
O365 Safe Links Detection | Spearphishing Attachment | TTP
O365 Email Suspicious Search Behavior | Remote Email Collection, Unsecured Credentials | Anomaly
O365 Email Password and Payroll Compromise Behavior | Clear Mailbox Data, Local Email Collection, Data Destruction | TTP
O365 Threat Intelligence Suspicious File Detected | Malicious File | TTP
O365 Exfiltration via File Sync Download | Data from Cloud Storage, Exfiltration Over Web Service | Anomaly
O365 Email Receive and Hard Delete Takeover Behavior | Clear Mailbox Data, Local Email Collection, Data Destruction | Anomaly
O365 Email Hard Delete Excessive Volume | Clear Mailbox Data, Data Destruction | Anomaly
O365 Multiple OS Vendors Authenticating From User | Brute Force | TTP
O365 SharePoint Allowed Domains Policy Changed | Cloud Account | TTP
O365 Exfiltration via File Access | Data from Cloud Storage, Exfiltration Over Web Service | Anomaly
O365 Email Suspicious Behavior Alert | Email Forwarding Rule | TTP
O365 Email New Inbox Rule Created | Email Forwarding Rule, Email Hiding Rules | Anomaly
O365 External Guest User Invited | Cloud Account | TTP
O365 Email Send and Hard Delete Exfiltration Behavior | Clear Mailbox Data, Local Email Collection, Data Destruction | Anomaly
O365 External Identity Policy Changed | Cloud Account | TTP
O365 Threat Intelligence Suspicious Email Delivered | Spearphishing Attachment, Spearphishing Link | Anomaly
O365 Application Available To Other Tenants | Additional Cloud Roles | TTP
O365 Email Reported By Admin Found Malicious | Spearphishing Attachment, Spearphishing Link | TTP
O365 Email Access By Security Administrator | Remote Email Collection, Exfiltration Over Web Service | TTP
O365 Exfiltration via File Download | Data from Cloud Storage, Exfiltration Over Web Service | Anomaly
O365 Email Send and Hard Delete Suspicious Behavior | Clear Mailbox Data, Local Email Collection, Data Destruction | Anomaly

Supported Apps

Event Fields

_time

Source: GitHub | Version: 2