O365 ZAP Activity Detection

Splunk Security Content

Summary
The O365 ZAP Activity Detection rule monitors for instances in which Microsoft's Zero-hour Automatic Purge (ZAP) feature activates to remove malicious emails from users' mailboxes. ZAP retroactively removes messages containing known malicious content, mitigating threats that have already been delivered to user inboxes. Because the action is retroactive, there is an inherent window of exposure during which users may have unknowingly interacted with the malicious content.

The rule uses the O365 Universal Audit Log and specific Search Query Language commands to aggregate and analyze data about the alert entities generated for potentially harmful messages. By tracking operations associated with the ZAP feature, the rule generates alerts and records activity tied to the user accounts involved in such incidents. Deploying the rule requires the Splunk Microsoft Office 365 Add-on so that O365 management activity is ingested completely, in particular for tenants with E3 or E5 licenses, where the ZAP features are fully available. The rule performs risk assessment and produces actionable insights that strengthen the security posture of O365 environments.
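As an added example (not code from the Splunk rule or this page), the following Python sketch mirrors the aggregation the rule describes: it filters constructed O365 audit-log records for AlertEntityGenerated operations whose alert name points at a ZAP purge and groups them per affected mailbox. The record field names (Operation, Name, Data, zu, ms) and the ZAP name markers are assumptions about the audit-log schema, not values taken from the page.

```python
import json
from collections import defaultdict

# Constructed O365 audit-log records (not from a real tenant). Field names are
# assumed from the alert schema; verify them against your own tenant's events.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-11-14T09:12:03", "Operation": "AlertEntityGenerated",
     "Name": "Email messages removed after delivery",
     "Data": json.dumps({"zu": "alice@example.test", "ms": "Invoice overdue"})},
    {"CreationTime": "2024-11-14T09:40:51", "Operation": "AlertEntityGenerated",
     "Name": "Email messages removed after delivery",
     "Data": json.dumps({"zu": "Alice@example.test", "ms": "Payroll update"})},
    {"CreationTime": "2024-11-14T10:02:17", "Operation": "AlertEntityGenerated",
     "Name": "ZAP: malicious attachment purged",
     "Data": json.dumps({"zu": "bob@example.test", "ms": "Scan_0012.pdf"})},
    {"CreationTime": "2024-11-14T10:05:00", "Operation": "AlertEntityGenerated",
     "Name": "Suspicious email sending patterns detected",
     "Data": json.dumps({"zu": "carol@example.test"})},
    {"CreationTime": "2024-11-14T10:06:30", "Operation": "MailItemsAccessed", "UserId": "dave@example.test"},
]

# Alert-name fragments that indicate a ZAP purge (assumed; extend for your tenant).
ZAP_NAME_MARKERS = ("zap", "zero-hour auto purge", "removed after delivery")

def is_zap_alert(event):
    """True for AlertEntityGenerated records whose alert name points at ZAP."""
    if event.get("Operation") != "AlertEntityGenerated":
        return False
    name = event.get("Name", "").lower()
    return any(marker in name for marker in ZAP_NAME_MARKERS)

def zap_activity_by_user(events):
    """Aggregate ZAP alert entities per affected mailbox: hit count and purged subjects."""
    summary = defaultdict(lambda: {"count": 0, "subjects": []})
    for ev in events:
        if not is_zap_alert(ev):
            continue
        data = ev.get("Data", {})
        if isinstance(data, str):  # the audit log serialises Data as a JSON string
            try:
                data = json.loads(data)
            except json.JSONDecodeError:
                data = {}
        user = (data.get("zu") or ev.get("UserId") or "unknown").lower()
        entry = summary[user]
        entry["count"] += 1
        if data.get("ms"):
            entry["subjects"].append(data["ms"])
    return dict(summary)
```

Each returned entry is one candidate risk event per mailbox; in Splunk the same grouping would feed the rule's risk scoring for the affected account.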
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Pod
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1566
  • T1566.001
  • T1566.002
Created: 2024-11-14