Try in Splunk Security Cloud

Description

This story is focused around detecting Office 365 Attacks.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Author: Patrick Bareiss, Splunk
  • ID: 1a51dd71-effc-48b2-abc4-3e9cdb61e5b9

Narrative

More and more companies are using Microsofts Office 365 cloud offering. Therefore, we see more and more attacks against Office 365. This story provides various detections for Office 365 attacks.

Detections

Name Technique Type
High Number of Login Failures from a single source Password Guessing, Brute Force Anomaly
O365 Add App Role Assignment Grant User Cloud Account, Create Account TTP
O365 Added Service Principal Cloud Account, Create Account TTP
O365 Bypass MFA via Trusted IP Disable or Modify Cloud Firewall, Impair Defenses TTP
O365 Disable MFA Modify Authentication Process TTP
O365 Excessive Authentication Failures Alert Brute Force Anomaly
O365 Excessive SSO logon errors Modify Authentication Process Anomaly
O365 New Federated Domain Added Cloud Account, Create Account TTP
O365 PST export alert Email Collection TTP
O365 Suspicious Admin Email Forwarding Email Forwarding Rule, Email Collection Anomaly
O365 Suspicious Rights Delegation Remote Email Collection, Email Collection TTP
O365 Suspicious User Email Forwarding Email Forwarding Rule, Email Collection Anomaly

Reference

source | version: 1