Products: Microsoft - Office 365

Rules

| Rule ID | Rule Name |
| --- | --- |
| MATCH-S00814 | Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190 |
| MATCH-S00139 | Abnormal Parent-Child Process Combination |
| MATCH-S00510 | Attempt to Add Certificate to Store |
| MATCH-S00417 | Attrib.exe use to Hide Files and Folders |
| MATCH-S00686 | Base64 Decode in Command Line |
| THRESHOLD-S00096 | Brute Force Attempt |
| MATCH-S00443 | Create Windows Share |
| MATCH-S00527 | Email Files Written Outside Of The Outlook Directory |
| MATCH-S00479 | Excavator Utility |
| MATCH-S00392 | File or Folder Permissions Modifications |
| FIRST-S00044 | First Seen AppID Generating MailIItemsAccessed Event from User |
| FIRST-S00046 | First Seen Client Generating MailIItemsAccessed Event from User |
| FIRST-S00029 | First Seen Successful Authentication From Unexpected Country |
| MATCH-S00414 | Grabbing Sensitive Hives via Reg Utility |
| THRESHOLD-S00097 | Impossible Travel - Successful |
| THRESHOLD-S00098 | Impossible Travel - Unsuccessful |
| MATCH-S00445 | Known Ransomware File Extensions |
| MATCH-S00745 | Loadable Kernel Module Enumeration |
| MATCH-S00723 | Loadable Kernel Module Modifications |
| MATCH-S00352 | MSHTA Suspicious Execution |
| MATCH-S00725 | Microsoft CHM File Observed |
| MATCH-S00888 | Microsoft Teams External Access Enabled |
| MATCH-S00889 | Microsoft Teams Guest Access Enabled |
| MATCH-S00419 | Multiple File Extensions |
| MATCH-S00402 | Normalized Security Signal |
| MATCH-S00455 | O365 - Successful Authentication with PowerShell User Agent |
| MATCH-S00068 | O365 - Users Password Changed |
| MATCH-S00069 | O365 - Users Password Reset |
| MATCH-S00828 | Office 365 Exchange Transport Rule Created |
| MATCH-S00829 | Office 365 Exchange Transport Rule Enabled |
| MATCH-S00830 | Office 365 Forwarding Rule Created |
| MATCH-S00833 | Office 365 Inbox Rule Created |
| MATCH-S00832 | Office 365 Inbox Rule Updated |
| MATCH-S00831 | Office 365 Unified Audit Logging Disabled |
| THRESHOLD-S00095 | Password Attack |
| MATCH-S00835 | Possible Dynamic URL Domain |
| MATCH-S00691 | Productivity App Spawning Rundll32 or Regsvr32 |
| MATCH-S00167 | Recon Using Common Windows Commands |
| MATCH-S00506 | SC Exe Manipulating Windows Services |
| MATCH-S00468 | SafetyKatz Credential Stealer |
| THRESHOLD-S00111 | Sharepoint - Excessive Documents Accessed by External IP |
| THRESHOLD-S00101 | Sharepoint - Excessive Documents Accessed by User |
| THRESHOLD-S00100 | Sharepoint - Excessive Documents Downloaded |
| THRESHOLD-S00110 | Sharepoint - External IP Downloaded Excessive Documents |
| MATCH-S00422 | Spaces Before File Extension |
| OUTLIER-S00001 | Spike in Login Failures from a User |
| MATCH-S00507 | Spoolsv Child Process Created |
| CHAIN-S00008 | Successful Brute Force |
| MATCH-S00356 | Suspicious Compression Tool Parameters |
| MATCH-S00499 | Suspicious Email Attachment Extension |
| LEGACY-S00182 | Suspicious HTTP User-Agent |
| AGGREGATION-S00005 | Suspicious System Enumeration Occurring in Quick Succession |
| MATCH-S00555 | Threat Intel - Inbound Traffic Context |
| LEGACY-S00109 | Threat Intel - Matched Domain Name |
| LEGACY-S00108 | Threat Intel - Matched File Hash |
| MATCH-S00815 | Threat Intel - Successful Authentication from Threat IP |
| MATCH-S00147 | WMI Managed Object Format (MOF) Process Execution |
| MATCH-S00570 | WMIPRVSE Spawning Process |
| MATCH-S00400 | Web Download via Office Binaries |
| MATCH-S00181 | Windows - Domain Trust Discovery |
| MATCH-S00268 | Windows - Possible Impersonation Token Creation Using Runas |
| MATCH-S00281 | Windows - PowerShell Process Discovery |
| MATCH-S00192 | Windows - System Network Configuration Discovery |
| MATCH-S00178 | Windows Query Registry |
| MATCH-S00724 | Windows Update Agent DLL Changed |
| MATCH-S00508 | Zoom Child Process |

Log Mappers

| Log Mapper ID | Log Mapper Name |
| --- | --- |
| cb996e17-3f10-477e-a9fb-1acbba2bd730 | Microsoft Office 365 64 Events |
| 20871df8-533d-4aff-8328-037a9462f279 | Microsoft Office 365 Active Directory Authentication Events |
| fa572950-571a-4570-9299-8cd3fa64fad2 | Microsoft Office 365 AzureActiveDirectory Events |
| 46404344-3d7a-4fd8-a580-accf6180cceb | Microsoft Office 365 CRM Events |
| aa0263c9-a102-492c-b614-67d9aaf98ac1 | Microsoft Office 365 DataInsights Events |
| 279fabe5-d3a3-468a-a908-d110099bb244 | Microsoft Office 365 Discovery Events |
| 68fb47a0-1dac-48d2-a8c0-d76997350793 | Microsoft Office 365 Events |
| f92aeb36-4690-47b7-ba7b-be1d0ec491ce | Microsoft Office 365 Exchange Mailbox Audit Events |
| f096edb3-5d42-4834-bfd0-16ff99fae568 | Microsoft Office 365 Exchange Mailbox Authentication Events |
| 665717e8-a975-11ea-bb37-0242ac130002 | Microsoft Office 365 ExchangeCommunicationComplianceEvents |
| 3ff36059-f6f2-48aa-a88c-ef4485e7b151 | Microsoft Office 365 ExchangeItem Events |
| 57d88cb7-d80d-4e02-b6ab-b4b722529bea | Microsoft Office 365 ExchangeItemGroup Events |
| 480af86a-a973-11ea-bb37-0242ac130002 | Microsoft Office 365 MailItemsAccessed |
| 18615b96-a972-11ea-bb37-0242ac130002 | Microsoft Office 365 MicrosoftForms |
| 8ab7c22e-a0a6-432c-b031-4dc3f325188c | Microsoft Office 365 MicrosoftStream Events |
| 09b8843d-a2dc-4f1b-8562-7a3a8b3760b2 | Microsoft Office 365 PowerApps Events |
| 459c7c66-b87e-48b9-a35b-9315204f9a6c | Microsoft Office 365 PowerBI Audit Events |
| b993e0c4-67c9-4080-8339-1156bca5ef7e | Microsoft Office 365 Quarantine |
| 77cf5d4a-8c57-4527-890c-9536e99345de | Microsoft Office 365 RecordType 105 |
| 0d31d680-6a82-11ea-bc55-0242ac130003 | Microsoft Office 365 RecordType 35 |
| 5f2f0759-0e26-412a-b5d4-aeeb52a6b9ea | Microsoft Office 365 RecordType 37 |
| e4dd1018-6a82-11ea-bc55-0242ac130003 | Microsoft Office 365 RecordType 52 |
| c708976b-a216-48a2-a492-d6a7a4fc2529 | Microsoft Office 365 RecordType 57 |
| eba2f49f-b86e-4a55-913b-90dc8423f4a1 | Microsoft Office 365 RecordType29 Events |
| cf87663f-bf57-49c2-b0a5-0e1c5e7f50fc | Microsoft Office 365 RecordType56 Events |
| 6b98c6bd-0d2b-45ee-8897-ad9e4f146e5f | Microsoft Office 365 RecordType64 Events |
| a00c315a-8806-42f1-8deb-39a85f4d5b7e | Microsoft Office 365 RecordType65 Events |
| 729bc327-a065-4fb8-81ed-5bb8f75d7fc2 | Microsoft Office 365 RecordType66 Events |
| 3d830705-fc67-45e9-878a-443ed806cf32 | Microsoft Office 365 RecordType68 Events |
| 3d305450-6c23-4e0f-b7e1-b1b7a648f0ec | Microsoft Office 365 Security Compliance Center EOPCmdlet Events |
| f35c71f7-eb5e-472a-94a9-9e9965492f1c | Microsoft Office 365 SharePoint Events |
| fc8169ec-a972-11ea-bb37-0242ac130002 | Microsoft Office 365 SharePointFieldOperation |
| df5cf29a-4b96-4ce2-b6ce-9abbf882f86e | Microsoft Office 365 SkypeForBusinessCmdlets Events |
| c3f3c9f3-90f5-4340-823f-7a133a278647 | Microsoft Office 365 Sway Events |
| ca8610b2-185e-4c44-885c-769329fbddc5 | Microsoft Office 365 Teams Events |
| 42220608-501e-4a74-ab9b-1b31d5a8a2a5 | Microsoft Office 365 Threat Intelligence Atp Content Events |
| a2bdaf5f-92f8-45f3-be99-eb8fa34d26a7 | Microsoft Office 365 Threat Intelligence Events |
| ab4d40ab-4286-4db5-b0ec-e26cd4172f19 | Microsoft Office 365 Threat Intelligence Url Events |
| b3ff45ad-e402-43c0-8406-f44441c226f2 | Microsoft Office 365 Yammer Events |
| 5792195e-5a2a-487c-a71f-63becfe8895f | Office 365 - Compliance DLP Exchange Item Events |
| 625e3844-5ff4-4c3c-aab7-7c2dffcba260 | Office 365 - Compliance DLP SharePoint |
| 88466900-6cf8-4497-812e-a5ed70343885 | Office 365 - Exchange Admin Events |
| 80f366f7-9fd9-4097-86d5-eb908a1b9912 | Office 365 - MicrosoftFlow |
| 46be6981-3d59-47cc-b358-a091280a0af5 | Office 365 - Security Compliance Alerts |
| 5c55809d-b468-4543-b4ed-4c310d4034e8 | Office 365 - Security Compliance Insights |