M365 Quarantine and Hygiene Signal
Identifies Microsoft 365 email quarantine, hygiene, and mail submission events. These signals indicate blocked threats, spam filtering actions, and user-reported suspicious emails. While these represent blocked or mitigated threats, they provide valuable telemetry for understanding attempted attacks and attack patterns. This building block rule generates security events for correlation, threat hunting, and telemetry collection.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://learn.microsoft.com/en-us/defender-office-365/quarantine-about
- https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about
- https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Defender for Office 365
- Use Case: Threat Detection
- Use Case: Blocked Threat Tracking
- Tactic: Initial Access
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
Additional notes
For information on troubleshooting the maximum alerts warning please refer to this guide.
Rule query
event.dataset:o365.audit and event.code:(Quarantine or HygieneEvent or MailSubmission)
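The query above can be mirrored in plain Python to see exactly which documents a single execution of this building block rule would turn into events. The following is an added example, not Elastic's rule engine or code from this page; it assumes ECS-shaped documents with the @timestamp, event.dataset and event.code fields the query names, and applies the page's own now-9m look-back and 100-alert cap to a set of constructed sample records (including non-matching edge cases).

```python
from datetime import datetime, timedelta, timezone

# Rule parameters as stated on this page.
RULE_DATASET = "o365.audit"
RULE_EVENT_CODES = {"Quarantine", "HygieneEvent", "MailSubmission"}
LOOKBACK = timedelta(minutes=9)   # "Searches indices from: now-9m"
MAX_ALERTS = 100                  # "Maximum alerts per execution: 100"

def matches_rule(doc):
    """Python equivalent of the page's KQL:
    event.dataset:o365.audit and event.code:(Quarantine or HygieneEvent or MailSubmission)
    Keyword matching is exact, so a missing or differently spelled event.code never matches."""
    event = doc.get("event") or {}
    return event.get("dataset") == RULE_DATASET and event.get("code") in RULE_EVENT_CODES

def run_rule(docs, now):
    """One execution: keep docs inside the look-back window, apply the query, cap the alert count."""
    window_start = now - LOOKBACK
    hits = []
    for doc in docs:
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        if window_start <= ts <= now and matches_rule(doc):
            hits.append(doc)
    hits.sort(key=lambda d: d["@timestamp"])  # oldest first before applying the cap
    return hits[:MAX_ALERTS]

def tally_by_code(hits):
    """Aggregate building-block hits by event.code, the shape a telemetry dashboard wants."""
    counts = {}
    for doc in hits:
        code = doc["event"]["code"]
        counts[code] = counts.get(code, 0) + 1
    return counts

# Constructed sample documents (hypothetical ECS-shaped records, not real tenant data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"@timestamp": "2024-01-01T11:58:00Z", "event": {"dataset": "o365.audit", "code": "Quarantine"}},
    {"@timestamp": "2024-01-01T11:55:00Z", "event": {"dataset": "o365.audit", "code": "HygieneEvent"}},
    {"@timestamp": "2024-01-01T11:52:00Z", "event": {"dataset": "o365.audit", "code": "MailSubmission"}},
    {"@timestamp": "2024-01-01T11:57:00Z", "event": {"dataset": "o365.audit", "code": "ExchangeAdmin"}},  # other record type
    {"@timestamp": "2024-01-01T11:59:00Z", "event": {"dataset": "other.dataset", "code": "Quarantine"}},  # wrong dataset
    {"@timestamp": "2024-01-01T11:40:00Z", "event": {"dataset": "o365.audit", "code": "Quarantine"}},  # outside now-9m
    {"@timestamp": "2024-01-01T11:56:00Z", "event": {"dataset": "o365.audit"}},  # no event.code
]
```

Because the rule runs every 5m but looks back 9m, consecutive executions overlap by 4m; the real engine deduplicates on document identity, which this simulation of a single execution does not need to model.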
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Phishing
  - ID: T1566
  - Reference URL: https://attack.mitre.org/techniques/T1566/