Description

This story is focused around detecting Office 365 Attacks.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2020-12-16
  • Author: Patrick Bareiss, Splunk
  • ID: 1a51dd71-effc-48b2-abc4-3e9cdb61e5b9

Narrative

More and more companies are adopting Microsoft's Office 365 cloud offering, and attacks against Office 365 tenants are growing with it. This story collects detections for common Office 365 attack techniques, such as password guessing and brute force against cloud accounts, creation of rogue accounts and service principals, MFA weakening or bypass, and email collection through forwarding rules, delegated mailbox rights, and PST exports.

Detections

| Name | Technique | Type |
|------|-----------|------|
| High Number of Login Failures from a single source | Password Guessing, Brute Force | Anomaly |
| O365 Add App Role Assignment Grant User | Cloud Account, Create Account | TTP |
| O365 Added Service Principal | Cloud Account, Create Account | TTP |
| O365 Bypass MFA via Trusted IP | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| O365 Disable MFA | Modify Authentication Process | TTP |
| O365 Excessive Authentication Failures Alert | Brute Force | Anomaly |
| O365 Excessive SSO logon errors | Modify Authentication Process | Anomaly |
| O365 New Federated Domain Added | Cloud Account, Create Account | TTP |
| O365 PST export alert | Email Collection | TTP |
| O365 Suspicious Admin Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly |
| O365 Suspicious Rights Delegation | Remote Email Collection, Email Collection | TTP |
| O365 Suspicious User Email Forwarding | Email Forwarding Rule, Email Collection | Anomaly |

Reference

source | version: 1