O365 Safe Links Detection
Description
The following analytic detects when any Microsoft Safe Links alert is triggered. This behavior may indicate that a user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-03-30
- Author: Steven Dick
- ID: 711d9e8c-2cb0-45cf-8813-5f191ecb9b26
Annotations
ATT&CK
Kill Chain Phase
- Delivery
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`o365_management_activity` Name="*a potentially malicious URL*" Operation=AlertEntityGenerated
| fromjson Data
| stats count min(_time) as firstTime max(_time) as lastTime values(ObjectId) as url values(od) as desc by AlertId,trc,Operation,Name,ot
| rename Name as signature, AlertId as signature_id, trc as user,ot as action
| eval action = CASE(action == "Allowed", "allowed", action=="BlockPageOverride", "allowed", true(),"blocked")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_safe_links_detection_filter`
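To make the search logic concrete, here is an added Python re-implementation of the pipeline (written for this page, not part of the Splunk content or the Office 365 add-on) that runs over constructed sample events: it applies the Operation and wildcard Name filters, parses the JSON Data field, aggregates by AlertId/trc/Operation/Name/ot, and maps ot to the action value exactly as the CASE() does. The helper names (`_event`, `normalize_action`, `safe_links_detection`) and every sample value are assumptions made up for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample o365_management_activity records, as they look before `fromjson Data`
# runs (Data is a JSON string). Field names mirror the SPL above; the values are made up.
def _event(ts, op, name, alert_id, **data):
    return {"_time": ts, "Operation": op, "Name": name, "AlertId": alert_id, "Data": json.dumps(data)}

NAME = "A user clicked through to a potentially malicious URL"
SAMPLE_EVENTS = [
    _event(1711800000, "AlertEntityGenerated", NAME, "alert-001", ObjectId="https://a.example.invalid/1",
           od="Safe Links blocked click", trc="alice@example.invalid", ot="Blocked"),
    _event(1711800060, "AlertEntityGenerated", NAME, "alert-001", ObjectId="https://a.example.invalid/2",
           od="Safe Links blocked click", trc="alice@example.invalid", ot="Blocked"),
    _event(1711800120, "AlertEntityGenerated", NAME, "alert-002", ObjectId="https://b.example.invalid/",
           od="User overrode the block page", trc="bob@example.invalid", ot="BlockPageOverride"),
    # Dropped by the Operation filter, even though the Name matches.
    _event(1711800180, "AlertTriggered", NAME, "alert-003", ObjectId="https://c.example.invalid/",
           od="n/a", trc="carol@example.invalid", ot="Blocked"),
    # Dropped by the Name wildcard: not a Safe Links alert.
    _event(1711800240, "AlertEntityGenerated", "Email reported by user as malware", "alert-004",
           ObjectId="msg-1", od="n/a", trc="dave@example.invalid", ot="Allowed"),
]

def normalize_action(ot):
    """Mirror of the SPL CASE(): Allowed and BlockPageOverride both mean the user reached the
    URL; anything else is treated as blocked. Like eval ==, the comparison is case-sensitive."""
    return "allowed" if ot in ("Allowed", "BlockPageOverride") else "blocked"

def safe_links_detection(events, name_pattern="*a potentially malicious URL*"):
    """Filter + fromjson + stats by AlertId,trc,Operation,Name,ot + rename + eval action.
    The wildcard Name match is case-insensitive, as field=value matching is in Splunk search."""
    groups = {}
    for ev in events:
        if ev["Operation"] != "AlertEntityGenerated" or not fnmatchcase(ev["Name"].lower(), name_pattern.lower()):
            continue
        d = json.loads(ev["Data"])  # | fromjson Data
        key = (ev["AlertId"], d.get("trc"), ev["Operation"], ev["Name"], d.get("ot"))
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"], "url": set(), "desc": set()})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], ev["_time"]), max(g["lastTime"], ev["_time"])
        g["url"].add(d.get("ObjectId"))
        g["desc"].add(d.get("od"))
    # | rename Name as signature, AlertId as signature_id, trc as user, ot as action | eval action = CASE(...)
    return [{"signature_id": a, "user": u, "Operation": op, "signature": n, "action": normalize_action(ot),
             "count": g["count"], "firstTime": g["firstTime"], "lastTime": g["lastTime"],
             "url": sorted(g["url"]), "desc": sorted(g["desc"])}
            for (a, u, op, n, ot), g in groups.items()]
```

Running `safe_links_detection(SAMPLE_EVENTS)` yields two rows: alert-001 for alice with count 2 and action "blocked", and alert-002 for bob with action "allowed" because the block page was overridden.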
Macros
The SPL above uses the following Macros:
o365_safe_links_detection_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- AlertId
- Operation
- Name
- trc
- ot
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The Safe Links capability must be configured and is typically only available to E3/E5 level customers.
Known False Positives
May vary depending on the configured Safe Links policies.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 40.0 | 40 | 100 | $user$ triggered a Microsoft Safe Links detection. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). The initial Confidence and Impact are set by the analytic author.
Reference
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide
- https://attack.mitre.org/techniques/T1566/
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.