Name:O365 Safe Links Detection id:711d9e8c-2cb0-45cf-8813-5f191ecb9b26 version:2 date:2024-09-30 author:Steven Dick status:production type:TTP Description:The following analytic detects when any Microsoft Safe Links alerting is triggered. This behavior may indicate when user has interacted with a phishing or otherwise malicious link within the Microsoft Office ecosystem. Data_source:
-O365 Universal Audit Log
search:`o365_management_activity` Name="*a potentially malicious URL*" Operation=AlertEntityGenerated | fromjson Data | stats count min(_time) as firstTime max(_time) as lastTime values(ObjectId) as url values(od) as desc by AlertId,trc,Operation,Name,ot | rename Name as signature, AlertId as signature_id, trc as user,ot as action | eval action = CASE(action == "Allowed", "allowed", action=="BlockPageOverride", "allowed", true(),"blocked") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_safe_links_detection_filter`
how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The Safe Links capability must be configured and is typically only available to E3/E5 level customers. known_false_positives:Based on Safe Links policies, may vary. References: -https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide -https://attack.mitre.org/techniques/T1566/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Account Takeover' - 'Spearphishing Attachments' asset_type:O365 Tenant confidence:100 impact:40 message:$user$ triggered a Microsoft Safe Links detection. mitre_attack_id: - 'T1566' - 'T1566.001' observable: name:'user' type:'User' - role: - 'Victim' name:'url' type:'URL String' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'AlertId' - 'Operation' - 'Name' - 'AlertId' - 'trc' - 'ot' risk_score:40 security_domain:threat
