
O365 Safe Links Detection

Splunk Security Content

Summary
The O365 Safe Links Detection rule monitors Microsoft Office 365 environments for alerts raised by the Safe Links feature. Safe Links protects users from malicious URLs by scanning links in emails and documents; when a user interacts with a link that has been flagged as potentially malicious, an alert is generated. This detection uses the O365 Universal Audit Log to capture the events that record such user interactions with harmful links. The rule's search query filters these alerts out of the management activity records and summarizes each occurrence together with the action taken on the detected URL (allowed or blocked). Its purpose is to give visibility into phishing attempts and other URL manipulation TTPs (Tactics, Techniques, and Procedures). The detection depends on correct configuration of, and data ingestion from, the Microsoft Office 365 Add-on in Splunk.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • Pod
  • Application Log
  • User Account
  • Network Traffic
  • Cloud Service
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2024-11-14