
Summary
This detection rule surfaces Microsoft 365 audit log events that Microsoft Defender for Office 365 generates from its Threat Intelligence signals. The underlying activity can come from several workloads, including Exchange Online, SharePoint Online and OneDrive for Business. The detection logic is a KQL (Kusto Query Language) filter over the 'o365.audit' dataset that keeps only events whose event provider is 'ThreatIntelligence'; the rule itself adds no further scoring and effectively forwards Defender's own verdicts as alerts.

Each scheduled run looks back over a nine-minute window (the rule's lookback is written as 9m, and in Elastic date math lower-case m means minutes; months would be M) and emits at most 1,000 alerts per execution. Because the window is short, a gap in ingestion longer than the lookback can drop signals, so the ingest delay of the Microsoft 365 Management Activity API is worth checking against this setting. The rule is tagged for the Cloud domain and for the Microsoft 365 audit log and threat intelligence data sources.

Alerts carry a medium severity: they warrant analyst attention but are not automatically high-confidence. False positives come from Defender for Office 365 itself misclassifying legitimate mail, attachments or URL clicks, since the rule passes those classifications through unchanged. Additional setup and troubleshooting documentation is referenced by the rule. In MITRE ATT&CK terms the rule maps to the Phishing technique (T1566) under the Initial Access tactic, reflecting that the signals it surfaces typically describe phishing attempts that, if successful, lead to unauthorized access.
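The following block is an added example, not the rule's own code or Elastic's rule engine. It re-implements the rule's filter offline over a handful of constructed ECS-shaped 'o365.audit' documents (the field layout follows what the Elastic o365 integration emits, with event.provider carrying the Microsoft 365 Workload and o365.audit.Operation the audit operation; the user IDs and timestamps are invented) and applies the per-run lookback window and alert cap described above, so a practitioner can see which records would and would not fire on one execution.

```python
"""Offline re-implementation of the rule's filter over constructed o365.audit
documents. Added example for this page; not the rule's own code."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is deterministic (assumption for the demo).
NOW = datetime(2025, 8, 19, 12, 0, 0, tzinfo=timezone.utc)

# Constructed documents, not real tenant data. Shape modelled on the Elastic
# o365 integration: event.provider = Microsoft 365 Workload,
# o365.audit.Operation = audit Operation, event.action mirrors it.
SAMPLE_EVENTS = [
    {   # Defender for Office 365 mail verdict inside the window: should alert
        "@timestamp": "2025-08-19T11:58:30Z",
        "event": {"dataset": "o365.audit", "provider": "ThreatIntelligence", "action": "TIMailData"},
        "o365": {"audit": {"Workload": "ThreatIntelligence", "Operation": "TIMailData",
                           "UserId": "alice@example.test"}},
    },
    {   # Safe Links URL click report inside the window: should alert
        "@timestamp": "2025-08-19T11:55:10Z",
        "event": {"dataset": "o365.audit", "provider": "ThreatIntelligence", "action": "TIUrlClickData"},
        "o365": {"audit": {"Workload": "ThreatIntelligence", "Operation": "TIUrlClickData",
                           "UserId": "bob@example.test"}},
    },
    {   # Ordinary Exchange admin audit record: wrong provider, must not alert
        "@timestamp": "2025-08-19T11:57:00Z",
        "event": {"dataset": "o365.audit", "provider": "Exchange", "action": "Set-Mailbox"},
        "o365": {"audit": {"Workload": "Exchange", "Operation": "Set-Mailbox",
                           "UserId": "admin@example.test"}},
    },
    {   # Genuine TI signal but older than the 9-minute lookback: not picked up on this run
        "@timestamp": "2025-08-19T11:40:00Z",
        "event": {"dataset": "o365.audit", "provider": "ThreatIntelligence", "action": "TIMailData"},
        "o365": {"audit": {"Workload": "ThreatIntelligence", "Operation": "TIMailData",
                           "UserId": "carol@example.test"}},
    },
    {   # Matching provider string in a different dataset: must not alert
        "@timestamp": "2025-08-19T11:59:00Z",
        "event": {"dataset": "azure.activitylogs", "provider": "ThreatIntelligence", "action": "Other"},
        "o365": {},
    },
]


def matches_query(doc):
    """Equivalent of the KQL: event.dataset:"o365.audit" and event.provider:"ThreatIntelligence"."""
    ev = doc.get("event", {})
    return ev.get("dataset") == "o365.audit" and ev.get("provider") == "ThreatIntelligence"


def parse_ts(value):
    """Parse an ISO-8601 '@timestamp' with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_rule(docs, now=NOW, lookback=timedelta(minutes=9), max_signals=1000):
    """One scheduled execution: restrict to [now - lookback, now], apply the
    query, order by time and cap the number of alerts emitted."""
    start = now - lookback
    hits = [d for d in docs if start <= parse_ts(d["@timestamp"]) <= now and matches_query(d)]
    hits.sort(key=lambda d: d["@timestamp"])
    return hits[:max_signals]


def triage_rows(hits):
    """Fields an analyst wants first: the Defender operation and the affected user."""
    return [(h["event"]["action"], h["o365"]["audit"].get("UserId")) for h in hits]


if __name__ == "__main__":
    for operation, user in triage_rows(run_rule(SAMPLE_EVENTS)):
        print(f"ALERT {operation} user={user}")
```

Running it produces two alerts (the Safe Links click for bob and the mail verdict for alice); the Exchange admin record, the cross-dataset record and the stale Threat Intelligence record are all excluded. Widening the lookback in the call to run_rule shows the stale record coming back, which is the behaviour to keep in mind when audit ingestion lags by more than the rule's window.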
Categories
- Cloud
- Web
- Identity Management
- Other
Data Sources
- User Account
- Cloud Service
- Application Log
- Network Traffic
- Process
ATT&CK Techniques
- T1566
Created: 2025-08-19