M365 Threat Intelligence Signal

Last updated 7 days ago on 2025-09-01
Created 20 days ago on 2025-08-19

About

Identifies a Microsoft 365 audit log entry generated for Threat Intelligence signals by Microsoft Defender for Office 365. These signals may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
Tags
Domain: Cloud
Domain: SaaS
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Data Source: Microsoft Defender
Data Source: Microsoft Defender Threat Intelligence
Use Case: Threat Detection
Tactic: Initial Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Signals are generated by Microsoft Defender for Office 365. False positives may occur if legitimate user activity is misclassified as a threat.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-o365.audit-*
Related Integrations

o365

Query
event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"

Install detection rules in Elastic Security

Detect M365 Threat Intelligence Signal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.