New Office 365 Activity Detection
Query
//This query identifies new or unusual Office 365 operations in last 7 days
//Compares against 90-day baseline to detect potentially malicious activity
//MITRE ATT&CK: T1078, T1136, T1027
OfficeActivity
| where TimeGenerated > ago(90d) and TimeGenerated < ago(7d)
| distinct Operation
| join kind=rightanti (
OfficeActivity
| where TimeGenerated > ago(7d)
| summarize NewOfficeOperations=count()by Operation, OfficeWorkload)
on Operation
| sort by NewOfficeOperations descExplanation
This query is designed to detect potentially suspicious or unusual Office 365 activities by comparing recent operations against a historical baseline. Here's a simplified breakdown:
-
Data Collection: It looks at Office 365 activities over the past 90 days but excludes the last 7 days.
-
Baseline Creation: It identifies distinct operations (activities) that occurred during this 90-day period, serving as a baseline of normal activity.
-
Recent Activity Analysis: It then examines activities from the last 7 days to identify operations that are new or not part of the baseline.
-
Comparison: By comparing these two sets of data, it identifies operations that are new or unusual in the past week.
-
Output: The query lists these new operations, sorted by the number of occurrences, to highlight potentially malicious activities.
The query is aligned with specific MITRE ATT&CK techniques (T1078, T1136, T1027), which relate to unauthorized access, account creation, and obfuscation, respectively.
