Vendor: Microsoft Product: Microsoft 365 Rules Models MITRE ATT&CK® TTPs Activity Types Parsers 554 148 128 19 141 Use-Case Activity Types/Parsers MITRE ATT&CK® TTP Content Abnormal Authentication & Access app-activity ↳microsoft-o365-cef-app-file-success-displayname ↳microsoft-o365-cef-app-file-success-refreshdataset ↳microsoft-o365-cef-app-file-success-memberadded ↳microsoft-o365-cef-app-file-success-rolechanged ↳microsoft-o365-sk4-app-file-success-userupdate ↳microsoft-o365-cef-app-file-success-restoreuser ↳microsoft-o365-sk4-app-file-success-viewdashboard ↳microsoft-o365-cef-app-file-success-deleteuser ↳microsoft-o365-cef-app-file-success-deletegroup ↳microsoft-o365-cef-app-file-success-removememberfromgroup ↳microsoft-o365-cef-app-file-success-fileupload ↳microsoft-o365-sk4-app-file-success-userdelete ↳microsoft-o365-sk4-app-file-success-groupunassign ↳microsoft-o365-cef-app-file-success-foldercreated ↳microsoft-o365-cef-app-file-success-addownertogroup ↳microsoft-o365-sk4-app-file-success-groupupdate ↳microsoft-o365-cef-app-file-success-serviceprincipal ↳microsoft-o365-cef-app-file-success-modifiedproperties ↳microsoft-o365-cef-app-file-success-harddelete ↳microsoft-o365-cef-app-file-success-filemodified ↳microsoft-o365-cef-app-file-success-filemoved ↳microsoft-o365-cef-app-file-success-tabadded ↳microsoft-o365-sk4-app-file-success-group ↳microsoft-o365-cef-app-file-success-addtogroup ↳microsoft-o365-cef-app-file-success-addmembertorole ↳microsoft-o365-cef-app-file-success-movetodeleteditems ↳microsoft-o365-sk4-app-file-success-groupadd ↳microsoft-o365-cef-app-file-success-viewdashboard ↳microsoft-o365-cef-app-file-success-viewreport ↳microsoft-o365-cef-app-file-success-downloadreport ↳microsoft-o365-cef-app-file-success-crmdefaultactivity ↳microsoft-o365-cef-app-file-success-filerenamed ↳microsoft-o365-cef-app-file-success-channeladded ↳microsoft-o365-cef-app-file-success-addgroup ↳microsoft-o365-cef-app-file-success-channeldeleted ↳microsoft-o365-cef-app-file-success-filesyncuploadedfull ↳microsoft-o365-sk4-app-file-success-useradd ↳microsoft-o365-cef-app-file-success-filedeleted ↳microsoft-o365-sk4-app-file-success-userrestore ↳microsoft-o365-sk4-app-file-success-deviceupdate ↳microsoft-o365-cef-app-file-success-adduser ↳microsoft-o365-cef-app-file-success-groupupload ↳microsoft-o365-cef-app-file-success-updateuser ↳microsoft-o365-cef-app-file-success-updatedevice ↳microsoft-o365-cef-app-file-success-memberremoved ↳microsoft-o365-cef-app-file-success-tabupdated ↳microsoft-o365-cef-app-file-success-addapplication ↳microsoft-o365-csv-file-success-sharepoint ↳microsoft-o365-json-file-success-workload ↳microsoft-o365-sk4-app-approleassign ↳microsoft-o365-sk4-app-file-workload ↳microsoft-o365-sk4-app-file-setunifiedgroup ↳microsoft-o365-sk4-app-addowner ↳microsoft-o365-sk4-app-activity-success-create ↳microsoft-o365-sk4-app-file-operationworkload ↳microsoft-o365-sk4-app-file-send ↳microsoft-o365-sk4-app-file-move ↳microsoft-o365-sk4-file-app-userkey ↳microsoft-o365-sk4-app-activity-success-newinboxrule ↳microsoft-o365-sk4-app-activity-success-movetofolder ↳microsoft-o365-sk4-app-activity-delivertomailboxandforward ↳microsoft-o365-sk4-app-activity-success-sentmailbox ↳microsoft-o365-json-app-activity-success-updateinboxrules ↳microsoft-o365-sk4-app-activity-success-forwardto ↳microsoft-o365-sk4-app-activity-success-setinboxrule ↳microsoft-o365-sk4-app-activity-success-forward ↳microsoft-o365-cef-app-activity-success-inboxrule ↳microsoft-o365-cef-app-activity-success-addmailboxpermission ↳microsoft-o365-sk4-app-activity-success-addedtogroup ↳microsoft-o365-json-app-activity-success-labelupdated ↳microsoft-o365-sk4-app-activity-success-softdelete ↳microsoft-o365-cef-app-activity-list-listcolumnupdated-1 ↳microsoft-o365-cef-app-activity-list-listcolumnupdated ↳microsoft-o365-cef-app-activity-list-companylinkused ↳microsoft-o365-cef-app-activity-list-listcreated ↳microsoft-o365-cef-app-activity-list-updatedlist ↳microsoft-o365-cef-app-activity-list-filesyncdownloadedpartial app-login ↳microsoft-o365-sk4-app-login-success-snowflake ↳microsoft-o365-json-app-login-success-userloggedin ↳microsoft-o365-sk4-app-approleassign ↳microsoft-o365-sk4-app-activity-success-softdelete ↳microsoft-o365-sk4-app-file-workload ↳microsoft-o365-sk4-app-file-setunifiedgroup ↳microsoft-o365-sk4-app-addowner ↳microsoft-o365-sk4-app-activity-success-create ↳microsoft-o365-sk4-app-file-operationworkload ↳microsoft-o365-sk4-app-file-send ↳microsoft-o365-sk4-app-file-move ↳microsoft-o365-sk4-app-activity-appactivity ↳microsoft-o365-sk4-app-activity-auditevent ↳microsoft-o365-mix-app-login-success-teamssessionstarted ↳microsoft-o365-kv-app-login-success-userloggedin ↳microsoft-o365-sk4-app-login-success-loggedin authentication-failed ↳microsoft-o365-sk4-alert-trigger-threatmanagement ↳microsoft-o365-json-alert-trigger-success-threatmgmt failed-app-login ↳microsoft-o365-cef-app-login-fail-userloginfailed ↳microsoft-o365-sk4-app-login-fail-snowflake ↳microsoft-o365-sk4-app-approleassign ↳microsoft-o365-sk4-app-file-setunifiedgroup ↳microsoft-o365-sk4-app-addowner ↳microsoft-o365-sk4-app-activity-success-softdelete ↳microsoft-o365-sk4-app-file-send ↳microsoft-o365-sk4-app-activity-success-create ↳microsoft-o365-sk4-app-file-workload ↳microsoft-o365-sk4-app-file-move ↳microsoft-o365-sk4-app-file-operationworkload ↳microsoft-o365-sk4-app-login-fail-appdisplayname ↳microsoft-o365-kv-app-login-fail-workload T1078 - Valid AccountsT1133 - External Remote Services 15 Rules4 Models Account Manipulation app-activity ↳microsoft-o365-cef-app-file-success-displayname ↳microsoft-o365-cef-app-file-success-refreshdataset ↳microsoft-o365-cef-app-file-success-memberadded ↳microsoft-o365-cef-app-file-success-rolechanged ↳microsoft-o365-sk4-app-file-success-userupdate ↳microsoft-o365-cef-app-file-success-restoreuser ↳microsoft-o365-sk4-app-file-success-viewdashboard ↳microsoft-o365-cef-app-file-success-deleteuser ↳microsoft-o365-cef-app-file-success-deletegroup ↳microsoft-o365-cef-app-file-success-removememberfromgroup ↳microsoft-o365-cef-app-file-success-fileupload ↳microsoft-o365-sk4-app-file-success-userdelete ↳microsoft-o365-sk4-app-file-success-groupunassign ↳microsoft-o365-cef-app-file-success-foldercreated ↳microsoft-o365-cef-app-file-success-addownertogroup ↳microsoft-o365-sk4-app-file-success-groupupdate ↳microsoft-o365-cef-app-file-success-serviceprincipal ↳microsoft-o365-cef-app-file-success-modifiedproperties ↳microsoft-o365-cef-app-file-success-harddelete ↳microsoft-o365-cef-app-file-success-filemodified ↳microsoft-o365-cef-app-file-success-filemoved ↳microsoft-o365-cef-app-file-success-tabadded ↳microsoft-o365-sk4-app-file-success-group ↳microsoft-o365-cef-app-file-success-addtogroup ↳microsoft-o365-cef-app-file-success-addmembertorole ↳microsoft-o365-cef-app-file-success-movetodeleteditems ↳microsoft-o365-sk4-app-file-success-groupadd ↳microsoft-o365-cef-app-file-success-viewdashboard ↳microsoft-o365-cef-app-file-success-viewreport ↳microsoft-o365-cef-app-file-success-downloadreport ↳microsoft-o365-cef-app-file-success-crmdefaultactivity ↳microsoft-o365-cef-app-file-success-filerenamed ↳microsoft-o365-cef-app-file-success-channeladded ↳microsoft-o365-cef-app-file-success-addgroup ↳microsoft-o365-cef-app-file-success-channeldeleted ↳microsoft-o365-cef-app-file-success-filesyncuploadedfull ↳microsoft-o365-sk4-app-file-success-useradd ↳microsoft-o365-cef-app-file-success-filedeleted ↳microsoft-o365-sk4-app-file-success-userrestore ↳microsoft-o365-sk4-app-file-success-deviceupdate ↳microsoft-o365-cef-app-file-success-adduser ↳microsoft-o365-cef-app-file-success-groupupload ↳microsoft-o365-cef-app-file-success-updateuser ↳microsoft-o365-cef-app-file-success-updatedevice ↳microsoft-o365-cef-app-file-success-memberremoved ↳microsoft-o365-cef-app-file-success-tabupdated ↳microsoft-o365-cef-app-file-success-addapplication ↳microsoft-o365-csv-file-success-sharepoint ↳microsoft-o365-json-file-success-workload ↳microsoft-o365-sk4-app-approleassign ↳microsoft-o365-sk4-app-file-workload ↳microsoft-o365-sk4-app-file-setunifiedgroup ↳microsoft-o365-sk4-app-addowner ↳microsoft-o365-sk4-app-activity-success-create ↳microsoft-o365-sk4-app-file-operationworkload ↳microsoft-o365-sk4-app-file-send ↳microsoft-o365-sk4-app-file-move ↳microsoft-o365-sk4-file-app-userkey ↳microsoft-o365-sk4-app-activity-success-newinboxrule ↳microsoft-o365-sk4-app-activity-success-movetofolder ↳microsoft-o365-sk4-app-activity-delivertomailboxandforward ↳microsoft-o365-sk4-app-activity-success-sentmailbox ↳microsoft-o365-json-app-activity-success-updateinboxrules ↳microsoft-o365-sk4-app-activity-success-forwardto ↳microsoft-o365-sk4-app-activity-success-setinboxrule ↳microsoft-o365-sk4-app-activity-success-forward ↳microsoft-o365-cef-app-activity-success-inboxrule ↳microsoft-o365-cef-app-activity-success-addmailboxpermission ↳microsoft-o365-sk4-app-activity-success-addedtogroup ↳microsoft-o365-json-app-activity-success-labelupdated ↳microsoft-o365-sk4-app-activity-success-softdelete ↳microsoft-o365-cef-app-activity-list-listcolumnupdated-1 ↳microsoft-o365-cef-app-activity-list-listcolumnupdated ↳microsoft-o365-cef-app-activity-list-companylinkused ↳microsoft-o365-cef-app-activity-list-listcreated ↳microsoft-o365-cef-app-activity-list-updatedlist ↳microsoft-o365-cef-app-activity-list-filesyncdownloadedpartial process-created ↳microsoft-o365-sk4-process-create-success-processcreated T1003 - OS Credential DumpingT1003.003 - T1003.003T1021.003 - T1021.003T1059.001 - Command and Scripting Interperter: PowerShellT1059.003 - T1059.003T1078 - Valid AccountsT1098 - Account ManipulationT1098.002 - Account Manipulation: Exchange Email Delegate PermissionsT1136 - Create AccountT1136.001 - Create Account: Create: Local AccountT1218.010 - Signed Binary Proxy Execution: Regsvr32T1531 - Account Access RemovalT1559.002 - T1559.002 17 Rules8 Models Audit Tampering process-created ↳microsoft-o365-sk4-process-create-success-processcreated T1059 - Command and Scripting InterperterT1070 - Indicator Removal on HostT1070.001 - Indicator Removal on Host: Clear Windows Event LogsT1546.003 - T1546.003T1562 - Impair DefensesT1562.006 - T1562.006 4 Rules Cryptomining process-created ↳microsoft-o365-sk4-process-create-success-processcreated T1496 - Resource Hijacking 1 Rules Evasion process-created ↳microsoft-o365-sk4-process-create-success-processcreated T1027 - Obfuscated Files or InformationT1027.004 - Obfuscated Files or Information: Compile After DeliveryT1036 - MasqueradingT1036.003 - Masquerading: Rename System UtilitiesT1036.005 - Masquerading: Match Legitimate Name or LocationT1059 - Command and Scripting InterperterT1059.001 - Command and Scripting Interperter: PowerShellT1059.005 - T1059.005T1070 - Indicator Removal on HostT1070.001 - Indicator Removal on Host: Clear Windows Event LogsT1105 - Ingress Tool TransferT1127.001 - Trusted Developer Utilities Proxy Execution: MSBuildT1140 - Deobfuscate/Decode Files or InformationT1197 - BITS JobsT1202 - Indirect Command ExecutionT1203 - Exploitation for Client ExecutionT1218 - Signed Binary Proxy ExecutionT1218.002 - Signed Binary Proxy Execution: Control PanelT1218.004 - Signed Binary Proxy Execution: InstallUtilT1218.008 - T1218.008T1218.009 - Signed Binary Proxy Execution: Regsvcs/RegasmT1218.010 - Signed Binary Proxy Execution: Regsvr32T1218.011 - Signed Binary Proxy Execution: Rundll32T1484.001 - T1484.001T1542.003 - T1542.003T1543.003 - Create or Modify System Process: Windows ServiceT1552.006 - T1552.006T1562 - Impair DefensesT1562.001 - T1562.001T1562.004 - Impair Defenses: Disable or Modify System FirewallT1562.006 - T1562.006T1564.004 - Hide Artifacts: NTFS File AttributesT1574 - Hijack Execution Flow 41 Rules3 Models Next Page -->> MITRE ATT&CK® Framework for Enterprise Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact External Remote ServicesValid AccountsExploit Public Fasing ApplicationReplication Through Removable MediaPhishing Windows Management InstrumentationCommand and Scripting InterperterScheduled Task/JobInter-Process CommunicationSystem ServicesExploitation for Client ExecutionUser ExecutionScheduled Task/Job: Scheduled TaskCommand and Scripting Interperter: PowerShellScheduled Task/Job: At (Windows) Pre-OS BootCreate AccountCreate or Modify System ProcessExternal Remote ServicesValid AccountsHijack Execution FlowServer Software Component: Web ShellAccount ManipulationBITS JobsCreate or Modify System Process: Windows ServiceScheduled Task/JobServer Software ComponentEvent Triggered ExecutionBoot or Logon Autostart ExecutionCreate Account: Create: Local AccountAccount Manipulation: Exchange Email Delegate Permissions Access Token Manipulation: Token Impersonation/TheftCreate or Modify System ProcessValid AccountsAccess Token ManipulationExploitation for Privilege EscalationHijack Execution FlowGroup Policy ModificationProcess InjectionScheduled Task/JobAbuse Elevation Control MechanismEvent Triggered ExecutionBoot or Logon Autostart ExecutionProcess Injection: Dynamic-link Library InjectionAbuse Elevation Control Mechanism: Bypass User Account Control Hide ArtifactsIndirect Command ExecutionImpair DefensesIndicator Removal on Host: Clear Windows Event LogsGroup Policy ModificationTrusted Developer Utilities Proxy ExecutionMasquerading: Match Legitimate Name or LocationMasquerading: Rename System UtilitiesFile and Directory Permissions Modification: Windows File and Directory Permissions ModificationObfuscated Files or Information: Compile After DeliveryObfuscated Files or Information: Indicator Removal from ToolsHijack Execution Flow: DLL Side-LoadingIndicator Removal on Host: File DeletionMasqueradingValid AccountsModify RegistryBITS JobsUse Alternate Authentication MaterialHide Artifacts: NTFS File AttributesIndicator Removal on HostUse Alternate Authentication Material: Pass the TicketPre-OS BootFile and Directory Permissions ModificationDeobfuscate/Decode Files or InformationAbuse Elevation Control MechanismImpair Defenses: Disable or Modify System FirewallObfuscated Files or InformationSigned Binary Proxy Execution: Compiled HTML FileAccess Token ManipulationHijack Execution FlowProcess InjectionSigned Binary Proxy Execution: MsiexecSigned Binary Proxy ExecutionSigned Binary Proxy Execution: Regsvcs/RegasmSigned Binary Proxy Execution: CMSTPSigned Binary Proxy Execution: Control PanelSigned Binary Proxy Execution: InstallUtilSigned Binary Proxy Execution: Regsvr32Trusted Developer Utilities Proxy Execution: MSBuildSigned Binary Proxy Execution: Rundll32 OS Credential DumpingUnsecured CredentialsSteal or Forge Kerberos TicketsCredentials from Password StoresSteal or Forge Kerberos Tickets: KerberoastingNetwork Sniffing Account DiscoveryDomain Trust DiscoverySystem Service DiscoverySystem Network Connections DiscoveryAccount Discovery: Local AccountAccount Discovery: Domain AccountFile and Directory DiscoveryNetwork SniffingSystem Information DiscoveryNetwork Share DiscoveryQuery RegistryProcess DiscoverySystem Owner/User DiscoverySoftware DiscoveryRemote System DiscoverySystem Network Configuration Discovery Exploitation of Remote ServicesRemote Service Session HijackingRemote ServicesRemote Services: SMB/Windows Admin SharesUse Alternate Authentication MaterialRemote Services: Remote Desktop ProtocolReplication Through Removable Media Screen CaptureEmail CollectionAudio CaptureArchive Collected DataEmail Collection: Email Forwarding Rule Protocol TunnelingApplication Layer Protocol: DNSApplication Layer Protocol: File Transfer ProtocolsApplication Layer Protocol: Web ProtocolsRemote Access SoftwareIngress Tool TransferProxy: Multi-hop ProxyApplication Layer ProtocolProxy Exfiltration Over Alternative ProtocolExfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolExfiltration Over Physical Medium: Exfiltration over USBExfiltration Over C2 ChannelExfiltration Over Physical MediumAutomated Exfiltration Account Access RemovalData DestructionResource HijackingData Encrypted for ImpactInhibit System Recovery