| Query | Tactic | Tables |
|---|---|---|
| AIR investigation actions insight | InitialAccess | CloudAppEvents |
| ATP policy status check | DefenseEvasion | CloudAppEvents |
| Account Brute Force | - | DeviceLogonEvents |
| Account Creation | - | DeviceProcessEvents |
| Admin Submission Trend (FN) | InitialAccess | CloudAppEvents |
| Admin Submission Trend (FP) | InitialAccess | CloudAppEvents |
| Admin Submissions by Detection Type | InitialAccess | CloudAppEvents |
| Admin Submissions by DetectionMethod (Phish FP) | InitialAccess | CloudAppEvents |
| Admin Submissions by DetectionMethod (Spam FP) | InitialAccess | CloudAppEvents |
| Admin Submissions by Grading verdict (FN-FP) | InitialAccess | CloudAppEvents |
| Admin Submissions by Submission State (FN) | InitialAccess | CloudAppEvents |
| Admin Submissions by Submission State (FP) | InitialAccess | CloudAppEvents |
| Admin Submissions by Submission Type (FN) | InitialAccess | CloudAppEvents |
| Admin Submissions by Submission Type (FP) | InitialAccess | CloudAppEvents |
| Alerts Related to Log4j Vulnerability | InitialAccess | Internal use: AlertInfo |
| Anomalous Payload Delivered from ISO files | Execution | DeviceEvents, DeviceProcessEvents |
| Appspot Phishing Abuse | InitialAccess | EmailUrlInfo |
| Appspot Phishing Abuse | InitialAccess | EmailUrlInfo |
| Attacked more than x times average | InitialAccess | EmailEvents |
| Audit Email Preview-Download action | PrivilegeEscalation | CloudAppEvents |
| Authentication failures by time and authentication type | InitialAccess | EmailEvents |
| Automated email notifications and suspicious sign-in activity | InitialAccess | AADSignInEventsBeta, EmailEvents |
| BEC - File sharing tactics - Dropbox | LateralMovement | CloudAppEvents |
| BEC - File sharing tactics - OneDrive or SharePoint | LateralMovement | CloudAppEvents |
| Bad email percentage of Inbound emails | InitialAccess | EmailEvents |
| Bitsadmin Activity | Persistence, CommandAndControl, Exfiltration | DeviceProcessEvents |
| Blocked Clicks Trend ⚠️ | InitialAccess | UrlClickEvents |
| Bulk Emails by Sender Bulk Complaint level | InitialAccess | EmailEvents |
| C2-NamedPipe | CommandAndControl | DeviceEvents |
| Calculate overall MDO efficacy | InitialAccess | CloudAppEvents, EmailEvents, EmailPostDeliveryEvents |
| Campaign with randomly named attachments | InitialAccess | EmailAttachmentInfo |
| Campaign with suspicious keywords | InitialAccess | EmailEvents |
| Check for multiple signs of Ransomware Activity | Execution, Impact, Exfiltration | DeviceProcessEvents |
| Clear System Logs | DefenseEvasion | DeviceProcessEvents |
| Clearing of forensic evidence from event logs using wevtutil | DefenseEvasion | DeviceProcessEvents |
| CompAuth Failure Trend | InitialAccess | EmailEvents |
| Credential Harvesting Using LaZagne | CredentialAccess | DeviceProcessEvents |
| Custom detection-Emails with QR from non-prevalent senders | InitialAccess | EmailEvents, EmailUrlInfo |
| DKIM Failure Trend | InitialAccess | EmailEvents |
| DLLHost.exe WMIC domain discovery | Reconnaissance | DeviceProcessEvents |
| DMARC Failure Trend | InitialAccess | EmailEvents |
| Deimos Component Execution | Execution, Collection, Exfiltration, Impact | DeviceEvents |
| Deletion of data on multiple drives using cipher exe | Impact | DeviceProcessEvents |
| Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities | Execution | DeviceTvmSoftwareVulnerabilitiesKB |
| Detect MaiSniper | InitialAccess, CredentialAccess, Collection, Exfiltration | DeviceNetworkEvents, DeviceProcessEvents |
| Detect Malicious use of MSIExec | Execution, PrivilegeEscalation, CredentialAccess | DeviceProcessEvents |
| Detect Malicious use of Msiexec Mimikatz | Execution, CredentialAccess, PrivilegeEscalation | DeviceProcessEvents |
| Detect Potential kerberoast Activities | LateralMovement | IdentityLogonEvents |
| Detect Suspicious Commands Initiated by Webserver Processes | Execution, DefenseEvasion, Discovery | DeviceProcessEvents |
| Detect Suspicious Mshta Usage | Execution | DeviceProcessEvents |
| Detections by detection methods | InitialAccess | EmailEvents |
| Determine Successfully Delivered Phishing Emails by top IP Addresses | InitialAccess | EmailEvents |
| Determine Successfully Delivered Phishing Emails to Inbox/Junk folder. | InitialAccess | EmailEvents |
| Devices with Log4j vulnerability alerts and additional other alert related context | InitialAccess, Execution | Internal use: AlertInfo |
| Disabling Services via Registry | DefenseEvasion | DeviceProcessEvents |
| Display Name - Spoof and Impersonation | InitialAccess | EmailEvents |
| Doppelpaymer Stop Services | Execution, DefenseEvasion | DeviceProcessEvents |
| DopplePaymer Procdump | CredentialAccess | DeviceProcessEvents |
| Dropping Payload via certutil | InitialAccess, DefenseEvasion | DeviceFileEvents |
| Email Top 10 Domains sending Spam | InitialAccess | EmailEvents |
| Email Top 10 Targeted Users (Spam) | InitialAccess | EmailEvents |
| Email Top 15 Domains sending Spam with Additional Details | InitialAccess | EmailEvents |
| Email Top 15 Targeted Users (Spam) with Additional Details | InitialAccess | EmailEvents |
| Email Top Domains sending Malware | InitialAccess | EmailEvents |
| Email Top Domains sending Phish | InitialAccess | EmailEvents |
| Email bombing attacks | InitialAccess | EmailEvents |
| Email containing malware accessed on a unmanaged device | Execution | AADSignInEventsBeta, CloudAppEvents, EmailPostDeliveryEvents |
| Email containing malware sent by an internal sender | LateralMovement | EmailAttachmentInfo, EmailEvents |
| Email malware detection report | InitialAccess | EmailEvents |
| Email sender IP address Geo location information | InitialAccess | EmailEvents |
| Emails containing links to IP addresses | InitialAccess | EmailUrlInfo |
| Emails delivered having URLs from QR codes | InitialAccess | EmailEvents |
| Emails with QR codes and suspicious keywords in subject | InitialAccess | EmailEvents |
| Emails with QR codes from non-prevalent sender | InitialAccess | EmailEvents |
| End user malicious clicks | InitialAccess | UrlClickEvents |
| Enumeration of Users & Groups for Lateral Movement | - | DeviceProcessEvents |
| Expanding recipients into separate rows | InitialAccess | MessageEvents |
| External malicious Teams messages sent from internal senders | InitialAccess | MessageEvents |
| File Malware Detection Trend | InitialAccess | CloudAppEvents |
| File Malware by Top Malware Families (Anti Virus) | InitialAccess | CloudAppEvents |
| File Malware by Top Malware Families (Safe Attachments) | InitialAccess | CloudAppEvents |
| Files Copied to USB Drives | Exfiltration | DeviceEvents, DeviceFileEvents |
| Files share contents and suspicious sign-in activity | InitialAccess | AADSignInEventsBeta, EmailEvents |
| Good emails from senders with bad patterns | InitialAccess | EmailEvents |
| Group quarantine release | InitialAccess | CloudAppEvents |
| High Confidence Phish Released | InitialAccess | CloudAppEvents, EmailEvents |
| Hunt for Admin email access | PrivilegeEscalation | CloudAppEvents |
| Hunt for TABL changes | DefenseEvasion | CloudAppEvents |
| Hunt for email bombing attacks | InitialAccess | EmailEvents |
| Hunt for email conversation take over attempts | InitialAccess | EmailEvents |
| Hunt for malicious URLs using external IOC source | InitialAccess | EmailUrlInfo |
| Hunt for malicious attachments using external IOC source | InitialAccess | EmailAttachmentInfo |
| Hunt for malicious messages using External Threat Intelligence | InitialAccess | MessageUrlInfo |
| Hunting for sender patterns | InitialAccess | EmailAttachmentInfo, EmailEvents |
| Hunting for user signals-clusters | InitialAccess | EmailEvents |
| Imminent Ransomware | DefenseEvasion | DeviceProcessEvents |
| Impersonation Detections Trend | InitialAccess | EmailEvents |
| Impersonation Detections by Detection Technology | InitialAccess | EmailEvents |
| Impersonation Detections by Detection Technology Trend | InitialAccess | EmailEvents |
| Inbound Teams messages by sender domains | DefenseEvasion | MessageEvents |
| Inbound emails with QR code URLs | InitialAccess | EmailEvents |
| Inbox rule changes which forward-redirect email | Persistence | CloudAppEvents |
| JNLP-File-Attachment | InitialAccess | EmailAttachmentInfo |
| Java Executing cmd to run Powershell | Execution | DeviceProcessEvents |
| Judgement Panda Exfil Activity | Collection | DeviceProcessEvents |
| LSASS Credential Dumping with Procdump | CredentialAccess | DeviceProcessEvents |
| LaZagne Credential Theft | CredentialAccess | DeviceProcessEvents |
| LemonDuck Registration Function | Execution, Persistence, LateralMovement, CommandAndControl | DeviceEvents |
| Listing Email Remediation Actions via Explorer | InitialAccess | EmailEvents |
| Local Admin Group Changes | Persistence | DeviceEvents; Internal use: IdentityInfo |
| Local time to UTC time conversion | InitialAccess | EmailEvents |
| MDO Threat Protection Detections trend over time | InitialAccess | CloudAppEvents, EmailEvents, EmailPostDeliveryEvents |
| MDO daily detection summary report | InitialAccess | CloudAppEvents, EmailEvents, EmailPostDeliveryEvents; Internal use: AlertEvidence |
| MDO_CountOfRecipientsEmailaddressbySubject | InitialAccess | EmailEvents |
| MDO_CountOfSendersEmailaddressbySubject | InitialAccess | EmailEvents |
| MDO_Countofrecipientsemailaddressesbysubject | InitialAccess | EmailEvents |
| MDO_SummaryOfSenders | InitialAccess | EmailEvents |
| MDO_URLClickedinEmail | InitialAccess | UrlClickEvents |
| MITRE - Suspicious Events | - | DeviceProcessEvents |
| Mail item accessed | InitialAccess | CloudAppEvents |
| Mail reply to new domain | InitialAccess | EmailEvents |
| Mailflow by directionality | InitialAccess | EmailEvents |
| Malicious Clicks allowed (click-through) | InitialAccess | UrlClickEvents |
| Malicious Emails with QR code Urls | InitialAccess | EmailEvents, EmailUrlInfo |
| Malicious Teams messages by URL detection methods | DefenseEvasion | MessageEvents |
| Malicious Teams messages received from external senders | InitialAccess | MessageEvents |
| Malicious URL Clicks by workload ⚠️ | InitialAccess | UrlClickEvents |
| Malicious Use of MSBuild as LOLBin | CommandAndControl | DeviceProcessEvents |
| Malicious email senders | InitialAccess | EmailEvents |
| Malicious emails detected per day | InitialAccess | EmailEvents |
| Malicious mails by sender IPs | InitialAccess | EmailEvents |
| Malware Detections Trend | InitialAccess | EmailEvents |
| Malware Detections by Detection technology | InitialAccess | EmailEvents |
| Malware Detections by Detection technology Trend | InitialAccess | EmailEvents |
| Malware Detections by delivery location | InitialAccess | EmailEvents |
| Malware detections by Workload Locations | InitialAccess | CloudAppEvents |
| Malware detections by Workload Type | InitialAccess | CloudAppEvents |
| Message from an Accepted Domain with DMARC TempError | InitialAccess | EmailEvents |
| Message with URL listed on OpenPhish delivered into Inbox | InitialAccess | EmailUrlInfo |
| Microsoft Teams chat initiated by a suspicious external user | InitialAccess | Internal use: AlertInfo |
| MosaicLoader | CommandAndControl | DeviceRegistryEvents |
| New TABL Items | DefenseEvasion | CloudAppEvents |
| Number of unique accounts performing Teams message Admin submissions | InitialAccess | CloudAppEvents |
| Number of unique accounts performing Teams message User submissions | InitialAccess | CloudAppEvents |
| Office Apps Launching Wscipt | LateralMovement, Collection, CommandAndControl | DeviceProcessEvents |
| Personalized campaigns based on the first few keywords | InitialAccess | EmailEvents |
| Personalized campaigns based on the last few keywords | InitialAccess | EmailEvents |
| Phish Detections (High) by delivery location | InitialAccess | EmailEvents |
| Phish Detections (Normal) by delivery location | InitialAccess | EmailEvents |
| Phish Detections Trend | InitialAccess | EmailEvents |
| Phish Detections by Detection technology | InitialAccess | EmailEvents |
| Phish Detections by Detection technology Trend | InitialAccess | EmailEvents |
| Phish Detections by delivery location trend | InitialAccess | EmailEvents |
| PhishingEmailUrlRedirector (1) | InitialAccess | EmailUrlInfo |
| Possible Teams phishing activity | InitialAccess | DeviceProcessEvents |
| Possible device code phishing attempts | InitialAccess | AADSignInEventsBeta, UrlClickEvents |
| Possible partner impersonation in external Team messages | DefenseEvasion | MessageEvents |
| Post Delivery Events by Admin | InitialAccess | EmailPostDeliveryEvents |
| Post Delivery Events by Location | InitialAccess | EmailPostDeliveryEvents |
| Post Delivery Events by ZAP type | InitialAccess | EmailPostDeliveryEvents |
| Post Delivery Events over time | InitialAccess | EmailPostDeliveryEvents |
| Potential OAuth phishing email delivered into Inbox | InitialAccess | EmailUrlInfo |
| Potential Ransomware activity related to Cobalt Strike | Execution, Persistence | Internal use: AlertInfo |
| Potentially malicious URL click in Teams | InitialAccess | MessagePostDeliveryEvents |
| Potentially malicious svg file delivered to Inbox | InitialAccess | EmailAttachmentInfo |
| PowerShell Downloads | Execution | DeviceProcessEvents |
| PowerShell adding exclusion path for Microsoft Defender of ProgramData | DefenseEvasion | DeviceProcessEvents |
| PrintNightmare CVE-2021-1675 usage Detection | PrivilegeEscalation, LateralMovement, Execution | DeviceFileEvents |
| Punycode lookalikes | InitialAccess | EmailEvents, EmailUrlInfo, MessageEvents, MessageUrlInfo |
| Qakbot Campaign Self Deletion | DefenseEvasion | DeviceProcessEvents |
| Qakbot Discovery Activies | DefenseEvasion, Discovery, Execution | DeviceProcessEvents |
| Qakbot Reconnaissance Activities | Discovery | DeviceProcessEvents |
| Quarantine Phish Reason | InitialAccess | EmailEvents |
| Quarantine Phish Reason trend | InitialAccess | EmailEvents |
| Quarantine Release Email Details | InitialAccess | CloudAppEvents, EmailEvents |
| Quarantine Spam Reason | InitialAccess | EmailEvents |
| Quarantine Spam Reason trend | InitialAccess | EmailEvents |
| Quarantine release trend | InitialAccess | CloudAppEvents |
| Quarantine releases by Detection Types | InitialAccess | EmailEvents, EmailPostDeliveryEvents |
| Rare Domains in External Teams Messages | InitialAccess, Execution | MessageEvents, MessageUrlInfo, UrlClickEvents |
| Rare Process as a Service | Persistence | DeviceFileEvents, DeviceImageLoadEvents, DeviceNetworkEvents, DeviceProcessEvents |
| Recon with Rundll | Discovery, Collection, CommandAndControl | DeviceNetworkEvents |
| Regsvr32 Rundll32 Image Loads Abnormal Extension | DefenseEvasion | DeviceImageLoadEvents, DeviceNetworkEvents |
| Regsvr32 Rundll32 with Anomalous Parent Process | DefenseEvasion | DeviceNetworkEvents, DeviceProcessEvents |
| Remote File Creation with PsExec | LateralMovement | DeviceFileEvents |
| Risky sign-in attempt from a non-managed device | InitialAccess | AADSignInEventsBeta |
| Robbinhood Driver | Execution, DefenseEvasion | DeviceFileEvents |
| SAM Name Change CVE-2021-42278 | PrivilegeEscalation, Vulnerability | IdentityDirectoryEvents |
| SPF Failure Trend | InitialAccess | EmailEvents |
| Safe Attachments detections | InitialAccess | EmailEvents |
| SafeLinks URL detections | InitialAccess | EmailEvents |
| Scheduled Task Creation | Persistence | DeviceEvents |
| Sender recipient contact establishment | InitialAccess | EmailEvents |
| Service Accounts Performing Remote PS | LateralMovement | - |
| Shadow Copy Deletions | Impact | DeviceProcessEvents |
| Snip3 Malicious Network Connectivity | CommandAndControl, Exfiltration | DeviceNetworkEvents |
| Spam Detections (High) by delivery location | InitialAccess | EmailEvents |
| Spam Detections (Normal) by delivery location | InitialAccess | EmailEvents |
| Spam Detections by Detection technology | InitialAccess | EmailEvents |
| Spam and Phish allowed to inbox by Admin Overrides | InitialAccess | EmailEvents |
| Spam and Phish allowed to inbox by User Overrides | InitialAccess | EmailEvents |
| Spam detection by IP and its location | InitialAccess | EmailEvents |
| Spam detection by delivery location | InitialAccess | EmailEvents |
| Spam detection technologies | InitialAccess | EmailEvents |
| Spam detection trend | InitialAccess | EmailEvents |
| Spoof Detections Trend | InitialAccess | EmailEvents |
| Spoof Detections by Detection Technology | InitialAccess | EmailEvents |
| Spoof Detections by Detection Technology Trend | InitialAccess | EmailEvents |
| Spoof and impersonation detections by sender IP | InitialAccess | EmailEvents |
| Spoof and impersonation phish detections | InitialAccess | EmailEvents |
| Spoof attempts with auth failure | InitialAccess | EmailEvents |
| Spoofing attempts from Specific Domains | InitialAccess | EmailEvents |
| Spoolsv Spawning Rundll32 | PrivilegeEscalation, Execution | DeviceProcessEvents |
| Stopping multiple processes using taskkill | DefenseEvasion | DeviceProcessEvents |
| Suspicious DLLs in spool Folder | PrivilegeEscalation, Execution | DeviceFileEvents |
| Suspicious Files in spool Folder | PrivilegeEscalation, Execution | DeviceFileEvents |
| Suspicious Image Load related to IcedId | Execution, DefenseEvasion | DeviceImageLoadEvents |
| Suspicious Spoolsv Child Process | PrivilegeEscalation, Execution | DeviceImageLoadEvents |
| Suspicious Teams Display Name | InitialAccess | MessageEvents |
| Suspicious Tomcat Confluence Process Launch | Execution, PrivilegeEscalation | DeviceProcessEvents |
| Suspicious sign-in attempts from QR code phishing campaigns | InitialAccess | AADSignInEventsBeta, CloudAppEvents |
| Teams Admin submission of Malware and Phish daily trend | DefenseEvasion | CloudAppEvents |
| Teams Admin submission of No Threats daily trend | DefenseEvasion | CloudAppEvents |
| Teams Admin-User Submissions Grading Verdicts | InitialAccess | CloudAppEvents |
| Teams Malware ZAP | InitialAccess | MessagePostDeliveryEvents |
| Teams Message with URL listed on OpenPhish | InitialAccess | MessageUrlInfo |
| Teams Phish ZAP | InitialAccess | MessagePostDeliveryEvents |
| Teams Spam ZAP | InitialAccess | MessagePostDeliveryEvents |
| Teams URL clicks actions summarized by URLs clicked on | InitialAccess | UrlClickEvents |
| Teams URL clicks through actions on Phish or Malware URLs summarized by URLs | InitialAccess | UrlClickEvents |
| Teams User submissions daily trend | InitialAccess | CloudAppEvents |
| Teams blocked URL clicks daily trend | InitialAccess | UrlClickEvents |
| Teams communication from suspicious external users | InitialAccess | MessageEvents |
| Teams communication to suspicious external users | InitialAccess | MessageEvents |
| Teams message ZAPed with the same URL in Email | InitialAccess | MessagePostDeliveryEvents |
| Teams messages from a specific sender by ThreadType | InitialAccess | MessageEvents |
| Teams messages with suspicious URL domains | InitialAccess | MessageUrlInfo |
| Teams post delivery events daily trend | InitialAccess | MessagePostDeliveryEvents |
| Teams users clicking on suspicious URL domains | InitialAccess | MessageUrlInfo |
| Top 10 Attacked user by Phish messages | InitialAccess | MessageEvents |
| Top 10 Detection Overrides - Admin Email Submissions (FN) | InitialAccess | CloudAppEvents |
| Top 10 Domains sending Malicious Emails (Malware+Phish+Spam) | InitialAccess | EmailEvents |
| Top 10 External Senders (Malware) | InitialAccess | EmailEvents |
| Top 10 External Senders (Phish) | InitialAccess | EmailEvents |
| Top 10 External Senders (Spam) | InitialAccess | EmailEvents |
| Top 10 External Senders (Spam) | InitialAccess | EmailEvents |
| Top 10 External senders sending Teams phishing messsages | DefenseEvasion | MessageEvents |
| Top 10 Targeted Users (Malware+Phish+Spam) | InitialAccess | EmailEvents |
| Top 10 URL domains attacking organization | InitialAccess | EmailEvents |
| Top 10 Users clicking on Malicious URLs (Malware) | InitialAccess | UrlClickEvents |
| Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam) | InitialAccess | UrlClickEvents |
| Top 10 Users clicking on Malicious URLs (Phish) | InitialAccess | UrlClickEvents |
| Top 10 Users clicking on Malicious URLs (Spam) | InitialAccess | UrlClickEvents |
| Top 10 Users clicking on malicious URLs in Teams | InitialAccess | UrlClickEvents |
| Top 10 domains sending Bulk email | InitialAccess | EmailEvents |
| Top 10 external senders sending Teams messages | DefenseEvasion | MessageEvents |
| Top 10 sender domains - Admin Teams message submissions FN | InitialAccess | CloudAppEvents |
| Top 10 sender domains - Admin email submissions (FN) | InitialAccess | CloudAppEvents |
| Top 10 sender domains - Admin email submissions (FP) | InitialAccess | CloudAppEvents |
| Top 10 sender domains - Teams user submissions FN or FP | InitialAccess | CloudAppEvents |
| Top 10 senders - Teams users submissions FN or FP | InitialAccess | CloudAppEvents |
| Top 10 senders of Admin Teams message submissions FN | InitialAccess | CloudAppEvents |
| Top 10 senders of Admin Teams message submissions FP | InitialAccess | CloudAppEvents |
| Top 10% of most attacked users | InitialAccess | EmailEvents |
| Top 100 malicious email senders | InitialAccess | EmailEvents |
| Top 100 senders | InitialAccess | EmailEvents |
| Top Domains Outbound with Emails with Threats Inbound (Partner BEC) | InitialAccess | EmailEvents |
| Top External Sender domains - Malware | InitialAccess | MessageEvents |
| Top External Sender domains - Phish | InitialAccess | MessageEvents |
| Top External Sender domains - Spam | InitialAccess | MessageEvents |
| Top External malicious Senders | InitialAccess | MessageEvents |
| Top Malware Families | InitialAccess | EmailEvents |
| Top Spoof DMARC detections by Sender domain (P1/P2) | InitialAccess | EmailEvents |
| Top Spoof external domain detections by Sender domain (P1/P2) | InitialAccess | EmailEvents |
| Top Spoof intra-org detections by Sender domain (P1/P2) | InitialAccess | EmailEvents |
| Top Users receiving Malware | InitialAccess | EmailEvents |
| Top Users receiving Phish | InitialAccess | EmailEvents |
| Top accounts performing Teams admin submissions FN or FP | InitialAccess | CloudAppEvents |
| Top accounts performing Teams user submissions FN or FP | InitialAccess | CloudAppEvents |
| Top accounts performing admin submissions (FN) | InitialAccess | CloudAppEvents |
| Top accounts performing admin submissions (FP) | InitialAccess | CloudAppEvents |
| Top accounts performing user submissions | InitialAccess | CloudAppEvents |
| Top domains outbound sending Malicious Teams messages inbound | InitialAccess | MessageEvents |
| Top external malicious senders | InitialAccess | EmailEvents |
| Top malicious URLs clicked by users in Teams | InitialAccess | UrlClickEvents |
| Top outbound recipient domains sending inbound emails with threats | InitialAccess | EmailEvents |
| Top policies performing admin overrides | InitialAccess | EmailEvents |
| Top policies performing user overrides | InitialAccess | EmailEvents |
| Top targeted users | InitialAccess | EmailEvents |
| Total Emails with Admin Overrides (Allow) | InitialAccess | EmailEvents |
| Total Emails with Admin Overrides (Block) | InitialAccess | EmailEvents |
| Total Emails with User Overrides (Allow) | InitialAccess | EmailEvents |
| Total Emails with User Overrides (Block) | InitialAccess | EmailEvents |
| Total Submissions by Submission Type | InitialAccess | CloudAppEvents |
| Total Submissions by Submission Type | InitialAccess | CloudAppEvents |
| Total number of MDO Teams protection detections daily | DefenseEvasion | MessageEvents |
| Total number of detections by MDO | InitialAccess | CloudAppEvents, EmailEvents, EmailPostDeliveryEvents |
| Turning off services using sc exe | DefenseEvasion | DeviceProcessEvents |
| URL Click attempts by threat type | InitialAccess | UrlClickEvents |
| URL Clicks by Action | InitialAccess | UrlClickEvents |
| URL click count by click action | InitialAccess | UrlClickEvents |
| URL click on URLs in ZAP-d Teams messages | InitialAccess | MessagePostDeliveryEvents |
| URL click on ZAP email | InitialAccess | Internal use: AlertEvidence, AlertInfo |
| URL clicks actions by URL | InitialAccess | UrlClickEvents |
| URLClick details based on malicious URL click alert | InitialAccess | Internal use: AlertEvidence, AlertInfo |
| URLs by location | InitialAccess | EmailUrlInfo |
| Unusual Volume of file deletion by users | Impact | CloudAppEvents, SigninLogs |
| User Email Submission Trend (FN) | InitialAccess | CloudAppEvents |
| User Email Submissions (FN) - Top Detection Overrides by Admins | InitialAccess | CloudAppEvents |
| User Email Submissions (FN) - Top Detection Overrides by Users | InitialAccess | CloudAppEvents |
| User Email Submissions (FN) - Top Inbound P2 Senders | InitialAccess | EmailEvents |
| User Email Submissions (FN) - Top Inbound P2 Senders domains | InitialAccess | EmailEvents |
| User Email Submissions (FN) - Top Intra-Org P2 Senders | InitialAccess | CloudAppEvents |
| User Email Submissions (FN) - Top Intra-Org Subjects | InitialAccess | CloudAppEvents |
| User Email Submissions (FN) by Submission Type | InitialAccess | CloudAppEvents |
| User Email Submissions (FN-FP) by Grading verdict | InitialAccess | CloudAppEvents |
| User Email Submissions accuracy vs Admin review verdict | InitialAccess | CloudAppEvents |
| User Email Submissions by Admin review status (Mark and Notify) | InitialAccess | CloudAppEvents |
| User clicked through events | InitialAccess | UrlClickEvents |
| User clicks on malicious inbound emails | InitialAccess | EmailEvents, UrlClickEvents |
| User clicks on phishing URLs in emails | InitialAccess | UrlClickEvents |
| User email submissions (FN) from Junk Folder | InitialAccess | CloudAppEvents |
| User not covered under display name impersonation | InitialAccess | Internal use: IdentityInfo |
| User reported submissions | InitialAccess | CloudAppEvents |
| Webserver Executing Suspicious Applications | Execution | DeviceProcessEvents |
| Windows Print Spooler Service Suspicious File Creation | PrivilegeEscalation, LateralMovement | DeviceFileEvents |
| Zero day threats | InitialAccess | EmailEvents |
| Zero-day Malware Detections Trend | InitialAccess | EmailEvents |
| Zero-day Phish Detections Trend | InitialAccess | EmailEvents |
| referral-phish-emails | InitialAccess | EmailEvents |