Microsoft 365 solution for Sentinel

Solution: Microsoft 365



Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com/
Categories domains
Version 3.0.5
Author Microsoft - support@microsoft.com
First Published 2022-05-23
Solution Folder Microsoft 365
Marketplace Azure Marketplace · Popularity: 🟢 High (90%)

The Microsoft 365 solution for Microsoft Sentinel enables you to ingest operational logs from Microsoft 365 (formerly, Office 365) to gain insights into user and admin activity across your collaboration platforms such as Teams, SharePoint and Exchange.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of these dependencies may be in Preview state or may incur additional ingestion or operational costs:

a. Azure Monitor HTTP Data Collector API

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 3 table(s):

Table Used By Connectors Used By Content
OfficeActivity Microsoft 365 (formerly, Office 365) Analytics, Hunting, Workbooks
Operation - Workbooks
SigninLogs - Hunting

Content Items

This solution includes 40 content item(s) (39 in solution, 1 discovered 🔍):

Content Type Total In Solution Discovered
Hunting Queries 21 21 -
Analytic Rules 16 15 1
Workbooks 3 3 -

Analytic Rules

Name Severity Tactics Tables Used
Accessed files shared by temporary external user Low InitialAccess OfficeActivity
Exchange AuditLog Disabled Medium DefenseEvasion OfficeActivity
Exchange workflow MailItemsAccessed operation anomaly Medium Collection OfficeActivity
External user added and removed in short timeframe Low Persistence OfficeActivity
Mail redirect via ExO transport rule Medium Collection, Exfiltration OfficeActivity
Malicious Inbox Rule Medium Persistence, DefenseEvasion OfficeActivity
Multiple Teams deleted by a single user Low Impact OfficeActivity
Multiple users email forwarded to same destination Medium Collection, Exfiltration OfficeActivity
New executable via Office FileUploaded Operation Low CommandAndControl, LateralMovement OfficeActivity
Office Policy Tampering Medium Persistence, DefenseEvasion OfficeActivity
Office365 Sharepoint File transfer Folders above threshold Medium Exfiltration OfficeActivity
Office365 Sharepoint File transfer above threshold Medium Exfiltration OfficeActivity
Rare and potentially high-risk Office operations Low Persistence, Collection OfficeActivity
SharePointFileOperation via devices with previously unseen user agents Medium Exfiltration OfficeActivity
SharePointFileOperation via previously unseen IPs Medium Exfiltration OfficeActivity

Retired/Deprecated Rules

Name Status Description
Possible Forest Blizzard attempted credential harvesting - Sept 2020 ⚠️ Retired This analytic rule is retired because IoCs are outdated. It is recommended to use Microsoft Entra ID Solution's Analytic rules instead to detect crede...

Hunting Queries

Name Tactics Tables Used
Anomalous access to other users' mailboxes Collection OfficeActivity
Bots added to multiple teams Persistence, Collection OfficeActivity
Exes with double file extension and access summary DefenseEvasion OfficeActivity
External user added and removed in a short timeframe Persistence OfficeActivity
External user from a new organisation added to Teams Persistence OfficeActivity
Files uploaded to teams and access summary InitialAccess, Exfiltration OfficeActivity
Mail redirect via ExO transport rule Collection, Exfiltration OfficeActivity
Multiple Teams deleted by a single user Impact OfficeActivity
Multiple users email forwarded to same destination Collection, Exfiltration OfficeActivity
New Admin account activity seen which was not seen historically PrivilegeEscalation, Collection OfficeActivity
New Windows Reserved Filenames staged on Office file services CommandAndControl OfficeActivity
Non-owner mailbox login activity Collection, Exfiltration OfficeActivity
Office Mail Forwarding - Hunting Version Collection, Exfiltration OfficeActivity
PowerShell or non-browser mailbox login activity Execution, Persistence, Collection OfficeActivity
Previously unseen bot or application added to Teams Persistence, Collection OfficeActivity
SharePointFileOperation via clientIP with previously unseen user agents Exfiltration OfficeActivity
SharePointFileOperation via devices with previously unseen user agents Exfiltration OfficeActivity, SigninLogs
SharePointFileOperation via previously unseen IPs Exfiltration OfficeActivity, SigninLogs
User added to Teams and immediately uploads file InitialAccess OfficeActivity
User made Owner of multiple teams PrivilegeEscalation OfficeActivity
Windows Reserved Filenames staged on Office file services CommandAndControl OfficeActivity

Workbooks

Name Tables Used
ExchangeOnline OfficeActivity, Operation
Office365 OfficeActivity, Operation
SharePointAndOneDrive OfficeActivity, Operation

⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.5 04-02-2025 Updated Analytic Rule MailItemsAccessedTimeSeries.yaml
3.0.4 27-08-2024 Updated Analytic Rule for Same names
3.0.3 12-06-2024 Updated Analytic Rule for Bug Fixes ExternalUserAddedRemovedInTeams.yaml
3.0.2 09-05-2024 Updated Analytic Rule to get expected result and Entity Mapping exchange_auditlogdisabled.yaml and fixed typo description in Analytic Rules ExternalUserAddedRemovedInTeams.yaml
3.0.1 04-01-2024 Updated Analytic Rules, Hunting Queries and Workbook for Bug Fixes
3.0.0 08-08-2023 Renamed Data Connector in the solution to Microsoft 365 (formerly, Office 365) so that the naming aligns in Content Hub and Data Connector gallery. Updated Hunting Queries to have descriptions that meet the 255 characters limit.
