Sigma rule references as PDF

microsoft365_activity_by_terminated_user

Title : Activity Performed by Terminated User

Rule id : 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_activity_from_anonymous_ip_addresses

Title : Activity from Anonymous IP Addresses

Rule id : d8b0a4fe-07a8-41be-bd39-b14afa025d95

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_activity_from_infrequent_country

Title : Activity from Infrequent Country

Rule id : 0f2468a2-5055-4212-a368-7321198ee706

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_data_exfiltration_to_unsanctioned_app

Title : Data Exfiltration to Unsanctioned Apps

Rule id : 2b669496-d215-47d8-bd9a-f4a45bf07cda

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_disabling_mfa

Title : Disabling Multi Factor Authentication

Rule id : 60de9b57-dc4d-48b9-a6a0-b39e0469f876

| Url | Pdf |
| --- | --- |
| https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ | pdf/f6dbb4692411cf1ee4894b09929278316a4221ce9931043b304dc46ddbf27ec8.pdf |

microsoft365_from_susp_ip_addresses

Title : Activity from Suspicious IP Addresses

Rule id : a3501e8e-af9e-43c6-8cd6-9360bdaae498

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_impossible_travel_activity

Title : Microsoft 365 - Impossible Travel Activity

Rule id : d7eab125-5f94-43df-8710-795b80fa1189

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_logon_from_risky_ip_address

Title : Logon from a Risky IP Address

Rule id : c191e2fa-f9d6-4ccf-82af-4f2aba08359f

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_new_federated_domain_added_audit

Title : New Federated Domain Added

Rule id : 58f88172-a73d-442b-94c9-95eaed3cbb36

| Url | Pdf |
| --- | --- |
| https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/ | pdf/60a1c28926f2e6bdda90819dcba138101802f4e0db7dd95151b2e6fe1cfbdd69.pdf |
| https://o365blog.com/post/aadbackdoor/ | pdf/d3bb5f6cabc468d0f7bc87673343ba23d0e57545763ba4f5a782738cf87d1377.pdf |

microsoft365_new_federated_domain_added_exchange

Title : New Federated Domain Added - Exchange

Rule id : 42127bdd-9133-474f-a6f1-97b6c08a4339

| Url | Pdf |
| --- | --- |
| https://us-cert.cisa.gov/ncas/alerts/aa21-008a | pdf/98f30dc607d58242c5996c778263ac72ca6447b7d9846ae22b487e770aab8f27.pdf |
| https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html | pdf/e30b7350a8321e5d9f4209bea85b2c071a8dd39bdec5b7c008d93af2a0b3931f.pdf |
| https://www.sygnia.co/golden-saml-advisory | pdf/9d71c307d58af0ae770a12aa7d49b26f129e82adb4f6b18d4dcdc3402bd479c8.pdf |
| https://o365blog.com/post/aadbackdoor/ | pdf/d3bb5f6cabc468d0f7bc87673343ba23d0e57545763ba4f5a782738cf87d1377.pdf |

microsoft365_potential_ransomware_activity

Title : Microsoft 365 - Potential Ransomware Activity

Rule id : bd132164-884a-48f1-aa2d-c6d646b04c69

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_pst_export_alert

Title : PST Export Alert Using eDiscovery Alert

Rule id : 18b88d08-d73e-4f21-bc25-4b9892a4fdd0

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide | pdf/6c4a482c8a5ee5a6e599fd88947de6d46fb12a2107e22a86867e4631111baeeb.pdf |

microsoft365_pst_export_alert_using_new_compliancesearchaction

Title : PST Export Alert Using New-ComplianceSearchAction

Rule id : 6897cd82-6664-11ed-9022-0242ac120002

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps | pdf/9ce065b4cb3d7c27abed8676bbe664c9e4475de0103b3d7d6775d05bb468c5f6.pdf |

microsoft365_susp_email_forwarding_activity

Title : Mail Forwarding/Redirecting Activity In O365

Rule id : c726e007-2cd0-4a55-abfb-79730fbedee5

| Url | Pdf |
| --- | --- |
| https://redcanary.com/blog/email-forwarding-rules/ | pdf/1b196f33275eea2b19babc14b6468b3c7c4882c208b27f93b58e1f76d345453b.pdf |

microsoft365_susp_inbox_forwarding

Title : Suspicious Inbox Forwarding

Rule id : 6c220477-0b5b-4b25-bb90-66183b4089e8

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_susp_oauth_app_file_download_activities

Title : Suspicious OAuth App File Download Activities

Rule id : ee111937-1fe7-40f0-962a-0eb44d57d174

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_unusual_volume_of_file_deletion

Title : Microsoft 365 - Unusual Volume of File Deletion

Rule id : 78a34b67-3c39-4886-8fb4-61c46dc18ecd

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |

microsoft365_user_restricted_from_sending_email

Title : Microsoft 365 - User Restricted from Sending Email

Rule id : ff246f56-7f24-402a-baca-b86540e3925c

| Url | Pdf |
| --- | --- |
| https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy | pdf/1957a4aa92eff3a9d3f4810490b0baa55f1083810cdf518fd01190987cb6f52c.pdf |
| https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference | pdf/e3053a4c9858ab09a1601fe5cab08e6044544189f367dd1c4d0e3c75f7b48a69.pdf |