Skip to content

[New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365 #4993

New issue
New issue
Open
#4994
Open
[New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365#4993
#4994
Assignees
terrancedejesus
Labels
Integration: Microsoft 365Rule: NewProposal for new ruleTeam: TRADE
@terrancedejesus

Description

@terrancedejesus
terrancedejesus
opened on Aug 19, 2025

Description

Create a promotion rule to capture all threat intelligence signals from Microsoft Defender for Office 365 in M365 audit logs. Includes valuable signals such as email phishing and more.

Target Ruleset

o365

Target Rule Type

Custom (KQL or Lucene)

Tested ECS Version

No response

Query

event.dataset: "o365.audit" and event.code: "ThreatIntelligence"

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

References

No response

Redacted Example Data

No response

Metadata

Metadata

Assignees

Labels

Integration: Microsoft 365Rule: NewProposal for new ruleTeam: TRADE

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions