
Hi 

Can I build a spam/phishing alert using O365 audit Exchange logs?


Hi @rahul7514 ,

https://learn.microsoft.com/en-us/purview/alert-policies

Yes, you can. The M365 Activity logs will generate a specific event with the operation `AlertTriggered` for any of the above policies.

The default parser should be mapping this to metadata.product_event_type = "AlertTriggered"

There are a few phishing ones included; you just need to make sure they are enabled in your Purview console and that you have the correct licensing.

Here is a sample sanitized payload:

```json
{
  "CreationTime": "2024-12-05T00:08:34",
  "Id": "string",
  "Operation": "AlertTriggered",
  "OrganizationId": "string",
  "RecordType": 40,
  "ResultStatus": "Succeeded",
  "UserKey": "SecurityComplianceAlerts",
  "UserType": 4,
  "Version": 1,
  "Workload": "SecurityComplianceCenter",
  "ObjectId": "string",
  "UserId": "SecurityComplianceAlerts",
  "AlertId": "string",
  "AlertLinks": [ { "AlertLinkHref": "" } ],
  "AlertType": "System",
  "Category": "ThreatManagement",
  "Comments": "New alert",
  "Data": "{\"ts\":\"2024-12-05T00:07:53.0000000Z\",\"te\":\"2024-12-05T00:07:53.0000000Z\",\"tid\":\"string\",\"tdc\":\"1\",\"af\":\"0\",\"tht\":\"Phish, Malicious\",\"dtech\":\"MLModel\",\"als\":\"Protection\",\"op\":\"Protection\",\"wsrt\":\"0001-01-01T00:00:00\",\"mdt\":\"u\",\"rid\":\"x\",\"cid\":\"x\",\"ad\":\"This alert fires when message containing phish was delivered due to an ETR override. -V1.0.0.5\",\"lon\":\"Protection\",\"an\":\"Phish delivered due to an ETR override\",\"sev\":\"Informational\"}",
  "Name": "Phish delivered due to an ETR override",
  "PolicyId": "x",
  "Severity": "Informational",
  "Source": "Office 365 Security & Compliance",
  "Status": "Active"
}
```

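To show how a detection would consume the record above, here is an added example (not code from the thread or from any vendor parser) that decodes the `AlertTriggered` record, including the nested `Data` field, which is a JSON document stored as a string and therefore has to be parsed a second time. The record is a constructed copy of the sanitized payload, and the set of `tht` threat strings to match on is an assumption, not a documented list.

```python
import json

# Constructed sample: trimmed copy of the sanitized AlertTriggered record above.
# "Data" is stored by M365 as a JSON string, so it is encoded here the same way.
SAMPLE_RECORD = {
    "CreationTime": "2024-12-05T00:08:34",
    "Operation": "AlertTriggered",
    "RecordType": 40,
    "Workload": "SecurityComplianceCenter",
    "Category": "ThreatManagement",
    "Name": "Phish delivered due to an ETR override",
    "Severity": "Informational",
    "Status": "Active",
    "Data": json.dumps({
        "tht": "Phish, Malicious",
        "dtech": "MLModel",
        "an": "Phish delivered due to an ETR override",
        "sev": "Informational",
    }),
}

# Assumed threat-type labels worth alerting on; adjust to what your tenant emits.
PHISH_SPAM_THREATS = {"phish", "spam", "malicious"}


def parse_alert(record):
    """Flatten an AlertTriggered record; return None for any other operation.
    The nested Data field is decoded separately and tolerated if malformed."""
    if record.get("Operation") != "AlertTriggered":
        return None
    try:
        data = json.loads(record.get("Data") or "{}")
    except json.JSONDecodeError:
        data = {}
    threats = [t.strip().lower() for t in data.get("tht", "").split(",") if t.strip()]
    return {
        "alert_name": record.get("Name") or data.get("an"),
        "category": record.get("Category"),
        "severity": record.get("Severity") or data.get("sev"),
        "threat_types": threats,
        "detection": data.get("dtech"),
    }


def is_phish_or_spam_alert(record):
    """True when the alert is ThreatManagement and tagged Phish/Spam/Malicious."""
    alert = parse_alert(record)
    if alert is None or alert["category"] != "ThreatManagement":
        return False
    return any(t in PHISH_SPAM_THREATS for t in alert["threat_types"])
```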