Detecting Office 365 persistent techniques
You manage access to Office 365 resources and services across your organization. More and more companies are using Microsoft's Office 365 cloud offering, and yours is no exception. Attacks against Office 365 are increasing, and as part of your role you need to be able to detect these. These searches help you do this.
Data required
How to use Splunk software for this use case
- Add app role assignment grant user
- Added service principal
- Admin consent bypassed by service principal
- Advanced audit disabled
- Application registration owner added
- Application impersonation role assigned
- Bypass MFA via trusted IP
- Disable MFA
- Elevated mailbox permission assigned
- Email security feature changed
- Excessive authentication failures alert
- Excessive SSO logon errors
- Full access as app permission assigned
- High privilege role granted
- Mailbox inbox folder shared with all users
- Mailbox read access granted to application
- Multiple service principals created by SP
- Multiple service principals created by user
- New federated domain added
- New MFA method registered
- Privileged graph API permission assigned
- Service principal new client credentials
- Tenant wide admin consent granted
Next steps
In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your cloud security posture, including: