Vendor: Microsoft

May 13, 2026

Product: Microsoft 365

Summary: 340 Rules · 137 Models · 55 MITRE ATT&CK® TTPs · 25 Activity Types · 145 Parsers

Columns: Use-Case | Activity Types / Parsers | MITRE ATT&CK® TTP | Content

Use-Case: Abnormal Authentication & Access

Activity Types / Parsers:

account-creation
microsoft-o365-cef-app-file-success-adduser

account-deleted
microsoft-o365-cef-app-file-success-deleteuser

account-password-change
microsoft-o365-kv-user-password-modify-success-changeduserpassword

account-password-reset
microsoft-o365-cef-user-password-reset-selfservice

app-activity
microsoft-o365-sk4-app-activity-appactivity
microsoft-o365-sk4-app-activity-auditevent
microsoft-o365-sk4-app-activity-success-newinboxrule
microsoft-o365-sk4-app-activity-success-movetofolder
microsoft-o365-sk4-app-activity-delivertomailboxandforward
microsoft-o365-sk4-app-activity-success-forwardto
microsoft-o365-cef-app-activity-success-addmailboxpermission
microsoft-o365-cef-email-send-receive-subject
microsoft-o365-json-email-send-receive-subject
microsoft-o365-sk4-app-approleassign
microsoft-o365-cef-app-file-success-displayname
microsoft-o365-cef-app-file-success-viewdashboard
microsoft-o365-cef-app-file-success-viewreport
microsoft-o365-cef-app-file-success-downloadreport
microsoft-o365-cef-app-file-success-crmdefaultactivity
microsoft-o365-cef-app-file-success-filerenamed
microsoft-o365-cef-app-file-success-refreshdataset
microsoft-o365-cef-app-file-success-memberadded
microsoft-o365-cef-app-file-success-channeladded
microsoft-o365-cef-app-file-success-addgroup
microsoft-o365-cef-app-file-success-rolechanged
microsoft-o365-sk4-app-file-success-userupdate
microsoft-o365-cef-app-file-success-restoreuser
microsoft-o365-cef-app-file-success-channeldeleted
microsoft-o365-cef-app-file-success-filesyncuploadedfull
microsoft-o365-cef-app-file-success-deletegroup
microsoft-o365-sk4-app-file-success-useradd
microsoft-o365-cef-app-file-success-filedeleted
microsoft-o365-cef-app-file-success-fileupload
microsoft-o365-sk4-app-file-success-userdelete
microsoft-o365-cef-app-file-success-foldercreated
microsoft-o365-sk4-app-file-success-userrestore
microsoft-o365-sk4-app-file-success-deviceupdate
microsoft-o365-cef-app-file-success-groupupload
microsoft-o365-cef-app-file-success-updatedevice
microsoft-o365-cef-app-file-success-addownertogroup
microsoft-o365-sk4-app-file-success-groupupdate
microsoft-o365-cef-app-file-success-serviceprincipal
microsoft-o365-cef-app-file-success-memberremoved
microsoft-o365-cef-app-file-success-harddelete
microsoft-o365-cef-app-file-success-tabupdated
microsoft-o365-cef-app-file-success-filemodified
microsoft-o365-cef-app-file-success-filemoved
microsoft-o365-cef-app-file-success-tabadded
microsoft-o365-sk4-app-file-success-group
microsoft-o365-json-app-file-success-restoreuser
microsoft-o365-cef-app-file-success-addapplication
microsoft-o365-cef-app-file-success-movetodeleteditems
microsoft-o365-sk4-app-file-success-groupadd
microsoft-o365-mix-file-success-workload
microsoft-o365-csv-file-success-sharepoint
microsoft-o365-json-share-link-create-success-workload
microsoft-o365-json-mailbox-permission-modify-success-workload
microsoft-o365-json-share-link-modify-success-workload
microsoft-o365-json-share-link-member-add-success-workload
microsoft-o365-sk4-file-app-userkey-1
microsoft-o365-sk4-app-file-setunifiedgroup
microsoft-o365-xml-file-write-success-mailboxpermission
microsoft-o365-sk4-app-addowner
microsoft-o365-sk4-app-activity-success-create
microsoft-o365-sk4-app-file-operationworkload
microsoft-o365-sk4-app-file-send
microsoft-o365-sk4-app-file-workload
microsoft-o365-json-app-activity-success-operation
microsoft-o365-sk4-app-file-move
microsoft-o365-json-app-activity-success-powerbi
microsoft-o365-mix-app-activity-success-microsoftteams
microsoft-o365-sk4-file-app-userkey
microsoft-o365-mix-app-activity-success-securitycompliancecenter
microsoft-o365-sk4-app-activity-success-pageviewed
microsoft-o365-sk4-app-activity-success-setinboxrule
microsoft-o365-cef-app-activity-success-inboxrule
microsoft-o365-cef-app-file-success-updateuser
microsoft-o365-sk4-app-activity-success-dlpruleundo
microsoft-o365-sk4-app-activity-success-addedtogroup
microsoft-o365-json-app-activity-success-labelupdated
microsoft-o365-json-app-activity-success-groupmanagementaddowner
microsoft-o365-json-app-file-success-inviteexternaluser
microsoft-azuread-json-app-activity-appdisplayname
microsoft-o365-cef-app-file-success-harddelete
microsoft-o365-json-app-activity-success-updateinboxrules
microsoft-o365-sk4-app-activity-success-setinboxrule
microsoft-o365-sk4-app-activity-success-forward
microsoft-o365-sk4-app-activity-delivertomailboxandforward
microsoft-o365-sk4-app-activity-success-sentmailbox
microsoft-o365-json-user-permission-modify-success-adddelegatedpermission
microsoft-o365-json-user-permission-modify-success-addapproleassignment
microsoft-o365-json-create-email-item-success
microsoft-o365-json-app-consent-grant-success-operation
microsoft-o365-json-app-modify-success-updateapplication
microsoft-o365-json-app-modify-success-addowner
microsoft-o365-json-user-mfa-enable-success-enablestrongauthentication
microsoft-o365-json-mail-access-mailitemsaccessed
microsoft-o365-json-sharing-link-used-linkused
microsoft-o365-cef-app-file-success-addmembertorole
microsoft-o365-json-delete-email-message-deleteditems
microsoft-o365-json-recipient-permission-modify-permissionmodify
microsoft-o365-json-role-create-success-addroledefinition

app-login
microsoft-o365-mix-app-login-success-teamssessionstarted
microsoft-o365-kv-app-login-success-userloggedin
microsoft-o365-sk4-app-login-success-loggedin
microsoft-o365-cef-app-login-appdisplayname
microsoft-azuread-cef-app-login-clientappused
microsoft-o365-sk4-app-file-setunifiedgroup
microsoft-o365-sk4-app-addowner
microsoft-o365-sk4-app-file-send
microsoft-o365-sk4-app-activity-success-create
microsoft-o365-sk4-app-file-workload
microsoft-o365-sk4-app-file-move
microsoft-o365-sk4-app-file-operationworkload
microsoft-o365-mix-app-activity-success-microsoftteams
microsoft-o365-sk4-file-app-userkey-1

failed-app-login
microsoft-o365-sk4-app-login-fail-appdisplayname
microsoft-o365-kv-app-login-fail-workload
microsoft-o365-cef-app-login-appdisplayname
microsoft-o365-cef-app-login-fail-userloginfailed
microsoft-azuread-cef-app-login-clientappused
microsoft-o365-sk4-app-file-setunifiedgroup
microsoft-o365-sk4-app-addowner
microsoft-o365-sk4-app-file-send
microsoft-o365-sk4-app-activity-success-create
microsoft-o365-sk4-app-file-workload
microsoft-o365-sk4-app-file-move
microsoft-o365-sk4-app-file-operationworkload

member-added
microsoft-o365-cef-app-file-success-addtogroup

member-removed
microsoft-o365-sk4-app-file-success-groupunassign
microsoft-o365-cef-app-file-success-removememberfromgroup

web-activity-allowed
microsoft-azureeh-sk4-app-activity-success-applicationgatewayaccesslog

web-activity-denied
microsoft-azureeh-sk4-app-activity-success-applicationgatewayaccesslog

MITRE ATT&CK® TTPs:
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services

Content:
  • 21 Rules
  • 10 Models

Use-Case: Account Manipulation

Activity Types / Parsers:

account-creation
microsoft-o365-cef-app-file-success-adduser

account-deleted
microsoft-o365-cef-app-file-success-deleteuser

account-password-change
microsoft-o365-kv-user-password-modify-success-changeduserpassword

account-password-reset
microsoft-o365-cef-user-password-reset-selfservice

app-activity
microsoft-o365-sk4-app-activity-appactivity
microsoft-o365-sk4-app-activity-auditevent
microsoft-o365-sk4-app-activity-success-newinboxrule
microsoft-o365-sk4-app-activity-success-movetofolder
microsoft-o365-sk4-app-activity-delivertomailboxandforward
microsoft-o365-sk4-app-activity-success-forwardto
microsoft-o365-cef-app-activity-success-addmailboxpermission
microsoft-o365-cef-email-send-receive-subject
microsoft-o365-json-email-send-receive-subject
microsoft-o365-sk4-app-approleassign
microsoft-o365-cef-app-file-success-displayname
microsoft-o365-cef-app-file-success-viewdashboard
microsoft-o365-cef-app-file-success-viewreport
microsoft-o365-cef-app-file-success-downloadreport
microsoft-o365-cef-app-file-success-crmdefaultactivity
microsoft-o365-cef-app-file-success-filerenamed
microsoft-o365-cef-app-file-success-refreshdataset
microsoft-o365-cef-app-file-success-memberadded
microsoft-o365-cef-app-file-success-channeladded
microsoft-o365-cef-app-file-success-addgroup
microsoft-o365-cef-app-file-success-rolechanged
microsoft-o365-sk4-app-file-success-userupdate
microsoft-o365-cef-app-file-success-restoreuser
microsoft-o365-cef-app-file-success-channeldeleted
microsoft-o365-cef-app-file-success-filesyncuploadedfull
microsoft-o365-cef-app-file-success-deletegroup
microsoft-o365-sk4-app-file-success-useradd
microsoft-o365-cef-app-file-success-filedeleted
microsoft-o365-cef-app-file-success-fileupload
microsoft-o365-sk4-app-file-success-userdelete
microsoft-o365-cef-app-file-success-foldercreated
microsoft-o365-sk4-app-file-success-userrestore
microsoft-o365-sk4-app-file-success-deviceupdate
microsoft-o365-cef-app-file-success-groupupload
microsoft-o365-cef-app-file-success-updatedevice
microsoft-o365-cef-app-file-success-addownertogroup
microsoft-o365-sk4-app-file-success-groupupdate
microsoft-o365-cef-app-file-success-serviceprincipal
microsoft-o365-cef-app-file-success-memberremoved
microsoft-o365-cef-app-file-success-harddelete
microsoft-o365-cef-app-file-success-tabupdated
microsoft-o365-cef-app-file-success-filemodified
microsoft-o365-cef-app-file-success-filemoved
microsoft-o365-cef-app-file-success-tabadded
microsoft-o365-sk4-app-file-success-group
microsoft-o365-json-app-file-success-restoreuser
microsoft-o365-cef-app-file-success-addapplication
microsoft-o365-cef-app-file-success-movetodeleteditems
microsoft-o365-sk4-app-file-success-groupadd
microsoft-o365-mix-file-success-workload
microsoft-o365-csv-file-success-sharepoint
microsoft-o365-json-share-link-create-success-workload
microsoft-o365-json-mailbox-permission-modify-success-workload
microsoft-o365-json-share-link-modify-success-workload
microsoft-o365-json-share-link-member-add-success-workload
microsoft-o365-sk4-file-app-userkey-1
microsoft-o365-sk4-app-file-setunifiedgroup
microsoft-o365-xml-file-write-success-mailboxpermission
microsoft-o365-sk4-app-addowner
microsoft-o365-sk4-app-activity-success-create
microsoft-o365-sk4-app-file-operationworkload
microsoft-o365-sk4-app-file-send
microsoft-o365-sk4-app-file-workload
microsoft-o365-json-app-activity-success-operation
microsoft-o365-sk4-app-file-move
microsoft-o365-json-app-activity-success-powerbi
microsoft-o365-mix-app-activity-success-microsoftteams
microsoft-o365-sk4-file-app-userkey
microsoft-o365-mix-app-activity-success-securitycompliancecenter
microsoft-o365-sk4-app-activity-success-pageviewed
microsoft-o365-sk4-app-activity-success-setinboxrule
microsoft-o365-cef-app-activity-success-inboxrule
microsoft-o365-cef-app-file-success-updateuser
microsoft-o365-sk4-app-activity-success-dlpruleundo
microsoft-o365-sk4-app-activity-success-addedtogroup
microsoft-o365-json-app-activity-success-labelupdated
microsoft-o365-json-app-activity-success-groupmanagementaddowner
microsoft-o365-json-app-file-success-inviteexternaluser
microsoft-azuread-json-app-activity-appdisplayname
microsoft-o365-cef-app-file-success-harddelete
microsoft-o365-json-app-activity-success-updateinboxrules
microsoft-o365-sk4-app-activity-success-setinboxrule
microsoft-o365-sk4-app-activity-success-forward
microsoft-o365-sk4-app-activity-delivertomailboxandforward
microsoft-o365-sk4-app-activity-success-sentmailbox
microsoft-o365-json-user-permission-modify-success-adddelegatedpermission
microsoft-o365-json-user-permission-modify-success-addapproleassignment
microsoft-o365-json-create-email-item-success
microsoft-o365-json-app-consent-grant-success-operation
microsoft-o365-json-app-modify-success-updateapplication
microsoft-o365-json-app-modify-success-addowner
microsoft-o365-json-user-mfa-enable-success-enablestrongauthentication
microsoft-o365-json-mail-access-mailitemsaccessed
microsoft-o365-json-sharing-link-used-linkused
microsoft-o365-cef-app-file-success-addmembertorole
microsoft-o365-json-delete-email-message-deleteditems
microsoft-o365-json-recipient-permission-modify-permissionmodify
microsoft-o365-json-role-create-success-addroledefinition

member-added
microsoft-o365-cef-app-file-success-addtogroup

member-removed
microsoft-o365-sk4-app-file-success-groupunassign
microsoft-o365-cef-app-file-success-removememberfromgroup

MITRE ATT&CK® TTPs:
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Local Account
T1136.002 - Create Account: Domain Account
T1531 - Account Access Removal

Content:
  • 47 Rules
  • 19 Models

Use-Case: Cryptomining

Activity Types / Parsers:

web-activity-allowed
microsoft-azureeh-sk4-app-activity-success-applicationgatewayaccesslog

web-activity-denied
microsoft-azureeh-sk4-app-activity-success-applicationgatewayaccesslog

MITRE ATT&CK® TTPs:
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking

Content:
  • 1 Rule

MITRE ATT&CK® Framework for Enterprise

Initial Access
  • Phishing: Spearphishing Link
  • External Remote Services
  • Valid Accounts
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Replication Through Removable Media
  • Phishing

Execution
  • User Execution

Persistence
  • Create Account
  • External Remote Services
  • Valid Accounts
  • Server Software Component: Web Shell
  • Account Manipulation
  • Server Software Component
  • Boot or Logon Autostart Execution
  • Create Account: Local Account
  • Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation
  • Valid Accounts
  • Exploitation for Privilege Escalation
  • Boot or Logon Autostart Execution

Defense Evasion
  • Obfuscated Files or Information: Indicator Removal from Tools
  • Indicator Removal on Host: File Deletion
  • Valid Accounts
  • Indicator Removal on Host
  • Obfuscated Files or Information

Credential Access
  • OS Credential Dumping

Discovery
  • File and Directory Discovery

Lateral Movement
  • Replication Through Removable Media
  • Internal Spearphishing

Collection
  • Email Collection
  • Email Collection: Email Forwarding Rule

Command and Control
  • Web Service
  • Application Layer Protocol: Web Protocols
  • Dynamic Resolution
  • Dynamic Resolution: Domain Generation Algorithms
  • Proxy: Multi-hop Proxy
  • Application Layer Protocol
  • Proxy

Exfiltration
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Exfiltration Over Physical Medium: Exfiltration over USB
  • Exfiltration Over C2 Channel
  • Exfiltration Over Physical Medium
  • Automated Exfiltration
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • Exfiltration Over Web Service

Impact
  • Account Access Removal
  • Data Destruction
  • Resource Hijacking
  • Data Encrypted for Impact