Office 365

LP_Office365 Global Administrator Role Assigned to User
Description This alert is activated when the Global Administrator role is assigned to a user. Global administrators have near-unrestricted access to the tenant's settings and data, so every additional holder of the role widens the blast radius of a single compromised account. Review every assignment of this highly privileged role in your environment and confirm it was expected.
Log source Office365
Value Users who receive the Global Administrator role need close attention, because attackers assign the role to accounts they control in order to persist in the tenant.
Rationale Assignment of the Global Administrator role grants full access to tenant-wide resources. Attackers commonly abuse role assignment to establish persistence (T1098, Account Manipulation) or to escalate privileges through a valid account they already hold (T1078, Valid Accounts). Monitoring and auditing these assignments is essential for controlling the attack surface and mitigating the risk of unauthorized changes. This supports NIST 800-53 AC-2 (Account Management), AC-5 (Separation of Duties), and AU-12 (Audit Generation), as well as ISO/IEC 27001 A.9.2.3 (Management of privileged access rights) and CIS Controls 5 (Account Management) and 4 (Access Control Management).
Query
col_type=Office365 label=Add label=Role label=User role_name="Global Administrator"
Comments -
Type Alert
MITRE ATT&CK T1098 – Account Manipulation, T1078 – Valid Accounts

 

LP_Office365 MailItemAccessed Logging Disabled
Description This alert is triggered when mailbox auditing is disabled on a mailbox, which stops the 'MailItemsAccessed' audit action from being recorded. 'MailItemsAccessed' is a mailbox audit action available in Microsoft Purview Audit (Premium) that fires whenever mail data is accessed by a mail protocol or mail client. The query matches the per-mailbox audit toggle (Set-Mailbox with AuditEnabled set to False); removing 'MailItemsAccessed' from the AuditOwner, AuditDelegate or AuditAdmin action lists, or disabling auditing tenant-wide with Set-OrganizationConfig, produces a different event and is not covered by it.
Log source Office365
Value The 'MailItemsAccessed' event lets analysts confirm whether a compromised account or token was used to read mail and which messages were accessed; losing it removes the evidence needed to scope a breach.
Rationale Disabling the 'MailItemsAccessed' audit action hinders visibility into mailbox access events and may indicate an attempt to evade detection following a compromise. This behavior maps to T1562 (Impair Defenses), where adversaries disable security features to avoid being identified during data exfiltration or lateral movement. Maintaining audit logging is critical for incident response and breach impact analysis. This aligns with NIST 800-53 AU-2 (Audit Events), AU-12 (Audit Generation), and IR-5 (Incident Monitoring), ISO/IEC 27001 A.12.4.1 (Event Logging), and CIS Control 8 (Audit Log Management).
Query
norm_id=Office365 label=Set label=Mailbox audit_enabled=False
Comments -
Type Alert
MITRE ATT&CK T1562 – Impair Defenses

 

LP_Office365 Malware Detected in OneDrive or SharePoint
Description This alert is activated when the built-in virus protection in SharePoint Online or OneDrive detects the upload of a malicious file. Note that not all file types are automatically scanned. Heuristics determine which files to scan. Microsoft 365 uses a common virus detection engine to scan files that users upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included in all subscriptions that include SharePoint Online, OneDrive and Microsoft Teams.
Log source Office365
Value A flagged upload identifies the user and the site or drive that received malicious content, which is the starting point for checking whether the file was shared or downloaded before it was detected.
Rationale This alert indicates detection of malicious files uploaded to cloud storage, often used for initial access or payload staging. Adversaries may rely on social engineering to trick users into executing infected files (T1204) or upload malware for later retrieval and execution (T1105). Monitoring malware uploads helps contain potential threats and supports defense-in-depth strategies. This aligns with NIST 800-53 SI-3 (Malicious Code Protection), SC-7 (Boundary Protection), ISO/IEC 27001 A.12.2.1 (Protection against malware), and CIS Controls 8 (Audit Log Management) and 10 (Malware Defenses).
Query
col_type=Office365 application IN ["SharePoint", "OneDrive"] action=FileMalwareDetected
Comments -
Type Alert
MITRE ATT&CK T1204 – User Execution, T1105 – Ingress Tool Transfer

 

LP_Office365 Security and Compliance Alert related to Data Loss Prevention
Description This alert is triggered when an alert policy in the data loss prevention (DLP) category fires in the Compliance Center or the Microsoft 365 Security admin center. Office 365 Security and Compliance Alerts monitor key events that occur within the O365 environment. Microsoft offers a number of useful built-in alert policies, and custom policies can be created.
Log source Office365
Value This alert assists in actively monitoring Microsoft security incidents related to DLP.
Rationale This alert detects Data Loss Prevention (DLP) policy violations, which may indicate attempts to exfiltrate sensitive data via sanctioned or unsanctioned cloud applications (T1537) or by bypassing standard data channels (T1048). Monitoring such violations is essential to prevent data breaches, enforce compliance, and reduce insider threat risk. This supports NIST 800-53 AC-4 (Information Flow Enforcement), SI-4 (System Monitoring), and MP-5 (Media Transport Protection), ISO/IEC 27001 A.13.2.1 (Information transfer policies and procedures), and CIS Controls 13 (Data Protection) and 17 (Incident Response).
Query
norm_id=Office365 (event_source="Office 365 Security & Compliance" OR event_source="Cloud App Security") category=DataLossPrevention
Comments -
Type Alert
MITRE ATT&CK T1537 – Transfer Data to Cloud Account, T1048 – Exfiltration Over Alternative Protocol

 

LP_Office365 Security and Compliance Alert related to Mail Flow
Description This alert is triggered when an alert policy in the mail flow category fires in the Compliance Center or the Microsoft 365 Security admin center. Office 365 Security and Compliance Alerts monitor key events that occur within the O365 environment. Microsoft offers a number of useful built-in alert policies, and custom policies can be created.
Log source Office365
Value This alarm may indicate that Microsoft can no longer deliver email messages to your on-premises email server.
Rationale This alert monitors mail flow disruptions, which may stem from misconfiguration or malicious interference. An inability to deliver email, especially to on-premises infrastructure, can indicate email routing attacks or manipulation (T1565.001), potentially impacting communication integrity, exfiltration detection, or business operations. Monitoring such anomalies supports rapid response and maintains secure communication channels. This aligns with NIST 800-53 SI-4 (System Monitoring), SC-7 (Boundary Protection), and AU-6 (Audit Review), ISO/IEC 27001 A.13.2.3 (Electronic messaging), and CIS Controls 8 (Audit Log Management) and 13 (Data Protection).
Query
norm_id=Office365 (event_source="Office 365 Security & Compliance" OR event_source="Cloud App Security" OR application="SecurityComplianceCenter") category=MailFlow
Comments -
Type Alert
MITRE ATT&CK T1565.001 – Data Manipulation: Email Manipulation

 

LP_Office365 Security and Compliance Alert related to Threat Management
Description This alert is triggered when an alert policy in the threat management category fires in the Compliance Center or the Microsoft 365 Security admin center. Office 365 Security and Compliance Alerts monitor key events that occur within the O365 environment. Microsoft offers a number of useful built-in alert policies, and custom policies can be created.
Log source Office365
Value May indicate that a user clicked a malicious URL, or that delivered email messages contained phishing content or a malicious URL.
Query
norm_id=Office365 (event_source="Office 365 Security & Compliance" OR event_source="Cloud App Security" OR application="SecurityComplianceCenter") category=ThreatManagement
Comments -
Type Alert
MITRE ATT&CK T1566 – Phishing, T1204 – User Execution
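The five alert rules above as replayable detection logic, an added example that is not LogPoint's code and not part of the original page. Each rule is written against the raw Unified Audit Log record shape (Workload, Operation, ModifiedProperties, Parameters, Category) as exported by Search-UnifiedAuditLog or the Management Activity API, rather than against LogPoint's normalized fields, and the mailbox-audit rule is extended to the per-logon-type audit action lists that the page's `audit_enabled=False` query does not cover. The sample records are constructed; the `f3u` key inside the AlertTriggered `Data` string and the comma/semicolon list form of the `Audit*` parameter values are assumptions.

```python
"""Replay the page's Office 365 alert rules over raw Unified Audit Log (UAL) records.

Added example, not LogPoint's code. Sample records are constructed; the "f3u" key
in AlertTriggered Data and the list form of the Audit* parameters are assumptions.
"""
import json

# Immutable directory role template ID of Global Administrator (Company Administrator).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
ALERT_CATEGORIES = ("DataLossPrevention", "MailFlow", "ThreatManagement")


def _kv(rec, key):
    """Flatten a UAL Name/Value or Name/NewValue list (Parameters, ModifiedProperties) into a dict."""
    return {p["Name"]: p.get("NewValue", p.get("Value")) for p in rec.get(key) or []}


def global_admin_assigned(rec):
    """Global Administrator Role Assigned to User."""
    if rec.get("Workload") != "AzureActiveDirectory" or rec.get("Operation") != "Add member to role.":
        return None
    mods = _kv(rec, "ModifiedProperties")
    # Match on the template ID first: display names can be localized or renamed, the ID cannot.
    if mods.get("Role.TemplateId") == GLOBAL_ADMIN_TEMPLATE_ID or mods.get("Role.DisplayName") == "Global Administrator":
        return {"rule": "Global Administrator Role Assigned to User",
                "actor": rec.get("UserId"), "target": rec.get("ObjectId")}
    return None


def mailbox_audit_weakened(rec):
    """MailItemAccessed Logging Disabled, extended to the per-logon-type audit action lists."""
    if rec.get("Workload") != "Exchange" or rec.get("Operation") != "Set-Mailbox":
        return None
    params = _kv(rec, "Parameters")
    reasons = []
    if str(params.get("AuditEnabled", "")).lower() == "false":        # what the page's query catches
        reasons.append("AuditEnabled=False")
    for audit_set in ("AuditOwner", "AuditDelegate", "AuditAdmin"):    # what it does not
        if audit_set in params:   # assumed "a,b,c" or "a;b;c" form of the logged parameter value
            actions = {a.strip() for a in params[audit_set].replace(";", ",").split(",")}
            if "MailItemsAccessed" not in actions:
                reasons.append(f"{audit_set} set without MailItemsAccessed")
    if not reasons:
        return None
    return {"rule": "MailItemAccessed Logging Disabled", "actor": rec.get("UserId"),
            "target": params.get("Identity"), "reasons": reasons}


def malware_in_cloud_storage(rec):
    """Malware Detected in OneDrive or SharePoint."""
    if rec.get("Workload") not in ("SharePoint", "OneDrive") or rec.get("Operation") != "FileMalwareDetected":
        return None
    return {"rule": "Malware Detected in OneDrive or SharePoint", "actor": rec.get("UserId"),
            "target": rec.get("ObjectId"), "virus": rec.get("VirusInfo")}


def security_compliance_alert(rec):
    """The three Security and Compliance Alert rules, split on the alert Category."""
    if rec.get("Workload") != "SecurityComplianceCenter" or rec.get("Operation") != "AlertTriggered":
        return None
    if rec.get("Category") not in ALERT_CATEGORIES:
        return None
    data = json.loads(rec.get("Data") or "{}")   # Data is a JSON *string*, not a nested object
    return {"rule": f"Security and Compliance Alert related to {rec['Category']}",
            "actor": None, "target": data.get("f3u"), "name": rec.get("Name")}


RULES = (global_admin_assigned, mailbox_audit_weakened, malware_in_cloud_storage, security_compliance_alert)


def run_rules(jsonl):
    """Evaluate every rule on every record of a JSON-lines export; return hits in input order."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        rec = json.loads(line)
        for rule in RULES:
            hit = rule(rec)
            if hit:
                hit["time"] = rec.get("CreationTime")
                hits.append(hit)
    return hits


# Constructed UAL records (one per line); users, URLs and the non-GA template ID are placeholders.
SAMPLE_UAL = r"""
{"CreationTime":"2024-05-01T10:00:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"admin@contoso.example","ObjectId":"mallory@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"},{"Name":"Role.TemplateId","NewValue":"62e90394-69f5-4237-9190-012177145e10"}]}
{"CreationTime":"2024-05-01T10:01:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"admin@contoso.example","ObjectId":"helpdesk@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Helpdesk Administrator"},{"Name":"Role.TemplateId","NewValue":"00000000-0000-0000-0000-000000000000"}]}
{"CreationTime":"2024-05-01T10:02:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"ceo"},{"Name":"AuditEnabled","Value":"False"}]}
{"CreationTime":"2024-05-01T10:03:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"AuditOwner","Value":"Update,MoveToDeletedItems,SoftDelete,HardDelete"}]}
{"CreationTime":"2024-05-01T10:04:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"ops"},{"Name":"AuditOwner","Value":"Update,MailItemsAccessed,HardDelete"}]}
{"CreationTime":"2024-05-01T10:05:00","Workload":"OneDrive","Operation":"FileMalwareDetected","UserId":"bob@contoso.example","ObjectId":"https://contoso-my.sharepoint.example/personal/bob/Documents/invoice.xlsm","VirusInfo":"EICAR-Test-File"}
{"CreationTime":"2024-05-01T10:06:00","Workload":"SecurityComplianceCenter","Operation":"AlertTriggered","Category":"DataLossPrevention","Name":"DLP policy match","Data":"{\"f3u\":\"alice@contoso.example\",\"etype\":\"User\"}"}
{"CreationTime":"2024-05-01T10:07:00","Workload":"SecurityComplianceCenter","Operation":"AlertTriggered","Category":"ThreatManagement","Name":"A potentially malicious URL click was detected","Data":"{\"f3u\":\"carol@contoso.example\"}"}
{"CreationTime":"2024-05-01T10:08:00","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"alice@contoso.example"}
"""

if __name__ == "__main__":
    for h in run_rules(SAMPLE_UAL):
        print(h["time"], h["rule"], "->", h.get("target"), h.get("reasons", ""))
```

Running the file prints six hits. The Helpdesk Administrator assignment, the mailbox whose AuditOwner list still contains MailItemsAccessed, and the plain MailItemsAccessed access event do not fire. Matching the Global Administrator role on its template ID rather than its display name keeps the rule working when role names are localized or renamed, which the page's `role_name="Global Administrator"` query would miss.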

Office 365 Dashboards

LP_Office365 Overview
Description This dashboard provides an overall overview of Office365 data for applications such as SharePoint, Exchange and OneDrive and their operations.
Log source Office365
Value Shows trends in your organization for applications in Office365 and most active users.
Widgets / Use cases
1. Top 10 Applications
2. Top 10 Operations
3. Failed Activity by Event Source
4. Successful Activity by Event Source
5. Azure AD Operations
6. Exchange Operations
7. SharePoint Operations
8. OneDrive Operations
9. Top 10 Users
10. Top 10 AD Operations
11. Top 10 Exchange Operations
12. Top 10 SharePoint Operations
13. Top 10 OneDrive Operations

Comments -
Type Dashboard

 

LP_Office365 Security and Compliance Alerts
Description This dashboard provides an overview of alarms fired from the Office365 Security and Compliance center.
Log source Office365
Value The overview can help provide an understanding of which users are or have been exposed to attacks and which types of attacks.
Widgets / Use cases
1. Top 10 Alerts Triggered
2. Security and Compliance Alert - Time Trend
3. Top 10 Users in Action
4. Categories of Alert Triggered - Time Trend
5. Categories of Alerts Triggered
6. Top 10 Actions
7. Data Governance - List
8. Threat Management - List
9. Data Loss Prevention - List
10. Mail Flow - List
11. Other Category - List
12. Access Governance - List

Comments -
Type Dashboard

 

LP_Office365 Azure AD Login Activities
Description Displays login information from Azure AD, such as login activity, failed logins, top 10 countries with the most failed logins and unique clients.
Log source Office365
Value Login trends and activities for Azure AD (Entra) deserve the same attention as on-premises logons; spikes in failed logins or logins from unexpected countries are early indicators of credential abuse.
Widgets / Use cases
1. Login Activity Timetrend
2. Failed Logins
3. Top 10 Users in Failed Login
4. Top 10 Failure Reasons
5. Failed Login Details
6. Successful Logins
7. Top 10 Users in Successful Login
8. Top 10 Countries in Successful Login
9. Successful Login Details
10. Unique Clients
11. Top 10 Countries in Failed Logins

Comments -
Type Dashboard

 

LP_Office365 Azure AD User Account Management
Description Provides an overview of user account management in Azure AD (Entra): accounts added and deleted, and who performed each action.
Log source Office365
Value This dashboard helps track account management actions performed in Azure AD (Entra) and provides a ready overview for an audit.
Widgets / Use cases
1. Created Accounts
2. Top 10 Users in Account Creation
3. Deleted Accounts
4. Top 10 Users in Account Deletion
5. Accounts Deleted by Specific Users
6. Top 10 Accounts Created
7. Top 10 Accounts Deleted
8. Activities in User Account Management by Action
9. Activities in User Account Management
10. Top 10 Actions in User Account Management
11. Success vs Failure Password Change Attempts
12. Password Change Attempts
13. Success vs Failure Password Set or Reset Attempts
14. Password Set or Reset Attempts
15. More than 3 Failed Password Change Attempts
16. Accounts Created by the Specific User
17. Top 10 Owners Added to Group
18. Owners Added to Group
19. Top 10 Members Added to Group
20. Members Added to Group

Comments -
Type Dashboard