
Summary
This analytic rule detects malicious files identified within the Microsoft Office 365 ecosystem by the Advanced Threat Protection (ATP) engine. The ATP engine monitors activity in Office 365 and raises alerts for identified threats, including malicious files that could be executed or staged within the ecosystem. Because such threats may abuse legitimate Office 365 functionality, detecting them early is crucial to preventing exploitation. Organizations using Microsoft Office 365, especially those with premium ATP features such as Safe Attachments and Safe Links, can use this rule to identify and respond to these malicious activities more effectively. The rule runs a search over the Office 365 Universal Audit Log to collect data about detected threats, including the file name, file path, file size, and the detection method. Implementation requires the Splunk Microsoft Office 365 Add-on, and visibility is typically limited to E3/E5 customers because of the nature of the threat intelligence data. Drilldown options are also provided to view user-specific detection results and risk events over the past week, which further assists incident response and threat management.
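As an added illustration (not the rule's own SPL or any Splunk code), the following Python filter pulls the same fields from constructed Office 365 Management Activity records. The Workload/Operation values and the FileData sub-field names are assumed to follow the ThreatIntelligence ATP content schema; the sample events are made up.

```python
import json
from collections import Counter

# Constructed sample records shaped like Office 365 Management Activity API
# events. Workload/Operation values and FileData sub-fields are assumed from
# the ThreatIntelligence ATP content schema; nothing here is real tenant data.
SAMPLE_EVENTS = [
    json.dumps({"Workload": "ThreatIntelligence", "Operation": "AtpDetection",
                "UserId": "alice@example.com",
                "FileData": {"FileName": "invoice.docm",
                             "FilePath": "https://example.sharepoint.com/sites/finance/invoice.docm",
                             "FileSize": 48213, "DetectionMethod": "File detonation",
                             "FileVerdict": 1}}),
    json.dumps({"Workload": "SharePoint", "Operation": "FileAccessed",
                "UserId": "bob@example.com",
                "ObjectId": "https://example.sharepoint.com/sites/hr/policy.pdf"}),
    json.dumps({"Workload": "ThreatIntelligence", "Operation": "AtpDetection",
                "UserId": "carol@example.com",
                "FileData": {"FileName": "setup.exe",
                             "FilePath": "https://example-my.sharepoint.com/personal/carol/setup.exe",
                             "FileSize": 1048576, "DetectionMethod": "File reputation",
                             "FileVerdict": 1}}),
    '{"Workload": "ThreatIntelligence", "Operation": "AtpDetection"',  # truncated record
]


def parse_atp_detections(lines):
    """Return one finding per ATP file detection, carrying the fields the rule surfaces."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed line must not discard the rest of the batch
        if ev.get("Workload") != "ThreatIntelligence" or ev.get("Operation") != "AtpDetection":
            continue  # other O365 workloads carry no ATP verdict
        fd = ev.get("FileData") or {}
        findings.append({
            "user": ev.get("UserId", "unknown"),
            "file_name": fd.get("FileName"),
            "file_path": fd.get("FilePath"),
            "file_size": fd.get("FileSize"),
            "detection_method": fd.get("DetectionMethod"),
        })
    return findings


def detections_per_user(findings):
    """Per-user detection counts, the pivot a user-specific drilldown starts from."""
    return dict(Counter(f["user"] for f in findings))
```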
Categories
- Cloud
- Web
- Identity Management
Data Sources
- Pod
- Container
- User Account
- Image
- File
- Web Credential
- Cloud Service
- Active Directory
- Malware Repository
ATT&CK Techniques
- T1204.002
- T1204
- T1566
Created: 2024-11-14