Name:O365 Security And Compliance Alert Triggered id:5b367cdd-8dfc-49ac-a9b7-6406cf27f33e version:7 date:2025-02-10 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic identifies alerts triggered by the Office 365 Security and Compliance Center, indicating potential threats or policy violations. It leverages data from the `o365_management_activity` dataset, focusing on events where the workload is SecurityComplianceCenter and the operation is AlertTriggered. This activity is significant as it highlights security and compliance issues within the O365 environment, which are crucial for maintaining organizational security. If confirmed malicious, these alerts could indicate attempts to breach security policies, leading to unauthorized access, data exfiltration, or other malicious activities. Data_source:
how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. known_false_positives:O365 Security and Compliance may also generate false positives or trigger on legitimate behavior, filter as needed. References: -https://attack.mitre.org/techniques/T1078/004/ -https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide -https://learn.microsoft.com/en-us/purview/alert-policies drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Account Takeover' asset_type:O365 Tenant mitre_attack_id: - 'T1078.004' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity