
Quick Start Security for Microsoft 365

Microsoft 365

Coralogix Extension For Microsoft 365 Includes:

Dashboards - 1

Gain instantaneous visualization of all your Microsoft 365 data.

O365 Dashboard

Alerts - 28

Stay on top of Microsoft 365 key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A user has been added to an admin group

This alert detects a user who has been given administrator privileges.
Impact: Any addition of an admin account should be verified as legitimate because of its sensitive nature. An adversary obtaining admin privileges is a worst-case scenario for an organization.
Mitigation: Verify that the addition of the admin is a legitimate action. If it is not, block the account, revoke the user's permissions and investigate their actions further.
MITRE Tactic: TA0003
MITRE Technique: T1078

An admin was removed from an admin group

This alert detects when an admin was removed from an admin group.
Impact: The removal of an admin account should always be verified as legitimate because of its sensitive nature. Removing an admin could be an adversary tactic to take full control of a system and hinder any security response capability.
Mitigation: Verify that the removal of the admin is legitimate and intended. If not, revert the changes and block the performing user.
MITRE Tactic: TA0040
MITRE Technique: T1531

A User has been restored

This alert detects when a formerly deleted user has been restored.
Impact: A user restore operation should be validated, since it is a known adversary tactic to revive deleted accounts for malicious use without alerting an existing user.
Mitigation: Verify that the restore operation was authorized and legitimate. If not, consider reverting it and blocking the user who performed the operation.
MITRE Tactic: TA0001
MITRE Technique: T1078

A SharePoint site has been deleted

This alert detects the deletion of a SharePoint site.
Impact: SharePoint sites can hold valuable business data, and any deletion of a site should be inspected and verified as legitimate.
Mitigation: Verify with the deleting user that the action was legitimate; consider reverting and investigating further if not.
MITRE Tactic: TA0040
MITRE Technique: T1531

Microsoft 365 - Multiple users were deleted in less than 10 minutes

This alert detects excessive deletions of Microsoft 365 users.
Impact: A single user deletion is a legitimate operation, but excessive deletion could indicate malicious activity and an intention to harm the company, and should be inspected.
Mitigation: Review the user performing the deletion activity and verify with them that the deletions are intentional and authorized. If not, stop the process, revoke permissions and revert the changes.
MITRE Tactic: TA0040
MITRE Technique: T1531

Multiple login attempts from different IPs

This alert detects when more than one login operation has been recorded for a user from more than one IP address within 12 hours.
Impact: Normally, a user should not connect to one account from two different IPs in close succession. An additional login from a different IP can indicate an attacker connecting to the user's account in parallel. Some advanced users might connect through a VPN or from multiple devices, so check the user agent and device properties fields as well; odd or previously unseen device properties or user agents can also indicate malicious activity.
Mitigation: Review the connecting IPs, check whether they have been seen before for this user, and verify with the user that the logins are legitimate. If they are not, block the user's access and investigate further.
MITRE Tactic: TA0001
MITRE Technique: T1078

Multiple teams have been deleted under 10 minutes

This alert detects when more than one Microsoft Teams team has been deleted within 10 minutes.
Impact: Bulk deletion of teams should be inspected, as it could be an adversary action to disrupt normal operations or cover their tracks.
Mitigation: Review the deleting user and the teams deleted, and verify that the actions were legitimate. Consider blocking the user and reverting the changes if not.
MITRE Tactic: TA0040
MITRE Technique: T1531

Multiple password reset operations for the same user

This alert detects multiple password reset operations for a user: more than 3 resets in 1 hour (this threshold can be fine-tuned according to company policy and needs).
Impact: Multiple password reset operations in a short time frame might indicate malicious activity by an adversary.
Mitigation: Check the reset operations for any suspicious activity, including:
1. IPs
2. User agents
3. Time frames (working hours etc.)
Validate with the user that they actually requested the reset operations; consider blocking and investigating further if not, especially if a successful login followed the reset operation.
MITRE Tactic: TA0001
MITRE Technique: T1078

Microsoft365 - No logs from Microsoft365

This rule detects if there have been no logs from Microsoft 365 in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005
MITRE Technique: T1562

Teams External Access Enabled

This detection flags instances where external access is enabled in Microsoft Teams. External access permits Teams and Skype for Business users to communicate with individuals outside their organization.
Impact: A threat actor might enable external access or add an authorized domain to exfiltrate data or establish a persistent presence within an environment.
Mitigation: Enabling Teams external access may be initiated by a system or network administrator. Confirm that this configuration change was anticipated or intended.
MITRE Tactic: TA0003
MITRE Technique: T1098

Global Administrator Role Assigned to a User

This alert detects when the Global Administrator role is assigned to a user. In Azure Active Directory, resource management permissions are allocated through roles. The Global Administrator role grants users access to all administrative functionality within Azure AD and the services that rely on Azure AD identities, such as the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online.
Impact: This high-level role could be exploited by attackers who add users as Global Administrators, allowing them to retain access and control over all subscriptions, settings, and resources within the environment.
Mitigation: Validate that the user is approved and authorized to be added as an admin; investigate further and revoke the permission if not.
MITRE Tactic: TA0003
MITRE Technique: T1098

Federated Domain Addition/Update

This alert detects the addition or modification of a federated domain in an organization's Office 365 environment.
Impact: Detecting the addition or modification of a federated domain is significant because it could signal unauthorized access or compromise within the organization's Office 365 environment. An attacker might add a new federated domain to obtain unauthorized entry, steal data, or conduct malicious actions, potentially resulting in data breaches, unauthorized access to sensitive information, or compromise of the organization's systems and infrastructure. Identifying such additions is crucial for swift response and mitigation.
Mitigation: Inspect the specifics of the newly added federated domain, including the organization's name, originating server, user ID, and user key. Gather and scrutinize pertinent on-disk evidence, and pinpoint the attack's origin by identifying concurrent processes or any other signs of compromise.
MITRE Tactic: TA0004
MITRE Technique: T1484

Info Severity Alert Triggered

This alert triggers for Office 365 Security & Compliance Center informational severity alerts, which consist of default and custom alert policies that monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.

Medium Severity Alert Triggered

This alert triggers for Office 365 Security & Compliance Center medium severity alerts, which consist of default and custom alert policies that monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.

High Severity Alert Triggered

This alert triggers for Office 365 Security & Compliance Center high severity alerts, which consist of default and custom alert policies that monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.

Low Severity Alert Triggered

This alert triggers for Office 365 Security & Compliance Center low severity alerts, which consist of default and custom alert policies that monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing.

Suspicious Delegation of Mailbox Rights

This alert detects instances where permissions are granted to access content in a different mailbox. Such permissions are usually assigned only to a service account.
Impact: An attacker might exploit a compromised account to send messages to various accounts within the target organization's network. They could also create inbox rules to help these messages evade detection by spam or phishing filters.
Mitigation: This permission should be verified, as it grants read access to emails in another mailbox. If unauthorized, the permissions must be promptly revoked to prevent unauthorized access.
MITRE Tactic: TA0003
MITRE Technique: T1098

New Tenant Allowed/Blocked

This alert detects when a domain is allowed or blocked in the Exchange admin tenant allow/block list.
Impact: Allowed domains are exempted from all phishing/malware policies deployed for the organization, and blocked domains cause emails from that domain to be blocked for every user. Adding or removing a domain from the tenant list is therefore a very critical operation.
Mitigation: This change should be verified. If unauthorized, it must be promptly reverted.
MITRE Tactic: TA0005
MITRE Technique: T1562

Suspicious Email Forwarding

This alert detects when a forwarding rule is configured for multiple mailboxes to the same destination.
Impact: Forwarding emails for multiple users to the same external domain might indicate compromised admin credentials, as an attacker might be forwarding emails from users who have confidential business-related communications.
Mitigation: The forwarding configurations should be validated and removed if not authorized, with further investigation of the admin account.
MITRE Tactic: TA0009
MITRE Technique: T1114

Exchange Transport Rule Modification

This alert detects when a transport rule is deleted or disabled in Microsoft 365.
Impact: Mail flow rules serve to detect and act upon messages traversing your organization. A malicious actor, whether an adversary or an insider threat, might alter a transport rule with the intent of exfiltrating data or circumventing defensive measures.
Mitigation: Ensure that the modified configuration aligns with the anticipated changes.
MITRE Tactic: TA0010
MITRE Technique: T1537

(MFA Fatigue Attack) High No of MFA Failures for Microsoft 365 User Account

This alert detects multiple MFA failures for a user in a short span of time. This can be an indicator of an MFA fatigue attack, in which the attacker tricks the user into accepting the MFA notification and allowing access.
Impact: Excessive MFA failures for a user can indicate an attacker tricking the user into accepting the MFA challenge. It also indicates that the attacker has the user's credentials. A successful attack compromises the user and gives the attacker access to company information and the environment.
Mitigation: Review the details of the login failures (number of failed logins, user, IP, location, working hours) and determine whether they look suspicious or legitimate. Verify with the user whether they are aware of these login attempts and investigate further if not. In particular, check whether there was a successful login among the failed attempts, which might indicate a compromised account. If in doubt, reset the user's password as a precaution.
MITRE Tactic: TA0006
MITRE Technique: T1110

Privileged Administrator Role Assigned to a User

This alert detects when the Privileged Administrator role is assigned to a user. In Azure Active Directory, resource management permissions are allocated through roles. The Privileged Administrator role grants users access to all administrative functionality within Azure AD and the services that rely on Azure AD identities, such as the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online.
Impact: This high-level role could be exploited by attackers who add users as Administrators, allowing them to retain access and control over all subscriptions, settings, and resources within the environment.
Mitigation: Validate that the user is approved and authorized to be added as an admin; investigate further and revoke the permission if not.
MITRE Tactic: TA0003
MITRE Technique: T1098

(Bruteforce) Login Failures From Different IPs for Same User

This alert detects login failures for a single user from multiple IP addresses in a short span of time.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Review the connecting IPs, check whether they have been seen before for this user, and verify with the user that the login attempts are legitimate. If they are not, block the user's access and investigate further.
MITRE Tactic: TA0006
MITRE Technique: T1110

No Logs in Last 24 Hrs

This rule detects if there have been no logs from Google Workspace in the customer account in the last 24 hours. Note: this alert should be deployed in the relevant application and subsystem.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005
MITRE Technique: T1562

(Bruteforce) High No of Login Failures for Microsoft 365 User Account

This alert detects a possible brute-force attack against an Office 365 user. It triggers when too many login failures occur for a specific user: more than 5 failed attempts in 5 minutes.
Impact: Excessive login failures for a user can indicate an attacker trying to guess the user's password (manually or automatically). A successful attack compromises the user and gives the attacker access to company information and the environment.
Mitigation: Review the details of the login failures (number of failed logins, user, IP, location, working hours) and determine whether they look suspicious or legitimate. Verify with the user whether they are aware of these login attempts and investigate further if not. In particular, check whether there was a successful login among the failed attempts, which might indicate a compromised account. If in doubt, reset the user's password as a precaution.
MITRE Tactic: TA0006
MITRE Technique: T1110

Malware File Uploaded on SharePoint/OneDrive

This alert detects instances where files uploaded to OneDrive/SharePoint are flagged as malicious by the file scanning engine.
Impact: Adversaries can exploit file sharing and organization repositories to expand their reach across the company, increasing their access within the network. Unintentional file sharing by users unaware of the malicious content gives attackers an opening to gain access to additional endpoints within the environment.
Mitigation: The file should be scanned in a sandbox environment to determine whether it is legitimate or malicious.
MITRE Tactic: TA0008
MITRE Technique: T1114

MFA Disabled

This alert detects when multi-factor authentication has been disabled for an Azure account.
Impact: This change weakens account security and can lead to the compromise of accounts and other assets.
Mitigation: Investigate the policy change and the user who disabled the service, and determine whether the action was authorized. If not, re-enable MFA and investigate all actions performed by the user while MFA was off for malicious activity.
MITRE Tactic: TA0003
MITRE Technique: T1556

Microsoft 365 - (Password Spray) Login Failures for Different Users from Single IP

This alert detects login failures for multiple users from a single IP address in a short span of time.
Impact: Many failed login attempts in a short time frame might indicate a brute-force attack against the relevant accounts.
Mitigation: Review the connecting IP, check whether it has been seen before for these users, and verify with the users that the login attempts are legitimate. If they are not, block the users' access and investigate further.
MITRE Tactic: TA0006
MITRE Technique: T1110
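As an added illustration that is not part of the Coralogix extension, the following Python shows how the three login-failure rules above (more than 5 failures in 5 minutes for one user, failures for one user from several IPs, and failures for several users from one IP) can be evaluated over audit-log records with a sliding time window. The trimmed record fields, the distinct-IP and distinct-user minimums, and the sample events are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 5 failures / 5 minutes is the page's rule; the IP and user minimums are assumptions.
WINDOW = timedelta(minutes=5)
MAX_FAILURES_PER_USER = 5
MIN_IPS_PER_USER = 2
MIN_USERS_PER_IP = 3

def ev(time, user, ip, op="UserLoginFailed"):
    """Trimmed record shaped like a Microsoft 365 unified audit log entry (assumed fields)."""
    return {"CreationTime": f"2024-05-01T{time}", "Operation": op,
            "UserId": user, "ClientIP": ip}

# Constructed sample data, not real logs: one user hammered from one IP, one
# user tried from three IPs, one IP trying four users, and one benign failure.
EVENTS = (
    [ev(f"08:0{i}:00", "alice@example.com", "203.0.113.5") for i in range(6)]
    + [ev(f"09:00:{i * 20:02d}", "bob@example.com", f"198.51.100.{i + 1}") for i in range(3)]
    + [ev(f"10:01:{i * 15:02d}", f"user{i}@example.com", "192.0.2.9") for i in range(4)]
    + [ev("11:00:00", "grace@example.com", "203.0.113.8"),
       ev("11:00:05", "grace@example.com", "203.0.113.8", "UserLoggedIn")]
)

def when(e):
    return datetime.fromisoformat(e["CreationTime"])

def densest_window(evs, window=WINDOW):
    """Largest run of time-sorted events whose span fits inside `window`."""
    best, start = [], 0
    for end in range(len(evs)):
        while when(evs[end]) - when(evs[start]) > window:
            start += 1
        if end - start + 1 > len(best):
            best = evs[start:end + 1]
    return best

def login_failure_alerts(events):
    """Apply the three login-failure rules; returns (rule, subject, count) tuples."""
    fails = sorted((e for e in events if e["Operation"] == "UserLoginFailed"), key=when)
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for e in fails:
        by_user[e["UserId"]].append(e)
        by_ip[e["ClientIP"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        win = densest_window(evs)
        if len(win) > MAX_FAILURES_PER_USER:          # brute force, single account
            alerts.append(("bruteforce_single_user", user, len(win)))
        ips = {e["ClientIP"] for e in win}
        if len(ips) >= MIN_IPS_PER_USER:              # same user, several source IPs
            alerts.append(("bruteforce_multiple_ips", user, len(ips)))
    for ip, evs in by_ip.items():
        users = {e["UserId"] for e in densest_window(evs)}
        if len(users) >= MIN_USERS_PER_IP:            # one IP, several accounts
            alerts.append(("password_spray", ip, len(users)))
    return alerts
```

Successful logins are filtered out before grouping, so the rules count only UserLoginFailed records, and the window is evaluated per user and per IP independently.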

Integration

Learn more about Coralogix's out-of-the-box integration with Microsoft 365 in our documentation.
