Office365 Logging – Turning Attacker TTP’s into High-Fidelity Alerts

This presentation will incorporate actionable alerts found from Office365 logging. These focus on empowering small-mid tier organizations who do not have extensive security staffing. These alerts are often for malicious use, but are noted in unique ways. Each alert presented is defined not by what it finds, but by the attackers TTP. A good example is changing inbox rules. A half dozen different TTPs involve this log, but each requires a different alert query to both find and verify the alert proactively. Alerts will be generated by multiple data points, including UUIDs for Extension and Modified fields, user agents *extensively*, and refinement to take analysis to the next level.