Classification:

attack

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when Microsoft 365 Security and Compliance raises an alert.

Strategy

You can use alert policies and the alert dashboard in the Microsoft Purview compliance portal or the Microsoft 365 Defender portal to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy.

Alert signals include:

• All alerts generated based on Alert policies in Security & Compliance Center.
• Office 365 related alerts generated in Office 365 Cloud App Security and Microsoft Cloud App Security.

Triage and response

1. Investigate the Microsoft 365 alert to determine if it is malicious or benign.
2. If the finding is deemed malicious, follow the remediation guidance provided by Microsoft and also any internal incident response processes.