
Hi 

Can I build a spam/phishing alert using O365 audit Exchange logs?

 

Hi @rahul7514,

https://learn.microsoft.com/en-us/purview/alert-policies

Yes, you can. The M365 Activity logs will generate a specific event with the operation `AlertTriggered` for any of the above policies.

The default parser should be mapping this to metadata.product_event_type = "AlertTriggered".

There are a few phishing ones included; you just need to make sure they are enabled in your Purview console and that you have the correct licensing.

Here is a sample sanitized payload:

```json
{
  "CreationTime": "2024-12-05T00:08:34",
  "Id": "string",
  "Operation": "AlertTriggered",
  "OrganizationId": "string",
  "RecordType": 40,
  "ResultStatus": "Succeeded",
  "UserKey": "SecurityComplianceAlerts",
  "UserType": 4,
  "Version": 1,
  "Workload": "SecurityComplianceCenter",
  "ObjectId": "string",
  "UserId": "SecurityComplianceAlerts",
  "AlertId": "string",
  "AlertLinks": [
    {
      "AlertLinkHref": ""
    }
  ],
  "AlertType": "System",
  "Category": "ThreatManagement",
  "Comments": "New alert",
  "Data": "{\"ts\":\"2024-12-05T00:07:53.0000000Z\",\"te\":\"2024-12-05T00:07:53.0000000Z\",\"tid\":\"string\",\"tdc\":\"1\",\"af\":\"0\",\"tht\":\"Phish, Malicious\",\"dtech\":\"MLModel\",\"als\":\"Protection\",\"op\":\"Protection\",\"wsrt\":\"0001-01-01T00:00:00\",\"mdt\":\"u\",\"rid\":\"x\",\"cid\":\"x\",\"ad\":\"This alert fires when message containing phish was delivered due to an ETR override. -V1.0.0.5\",\"lon\":\"Protection\",\"an\":\"Phish delivered due to an ETR override\",\"sev\":\"Informational\"}",
  "Name": "Phish delivered due to an ETR override",
  "PolicyId": "x",
  "Severity": "Informational",
  "Source": "Office 365 Security & Compliance",
  "Status": "Active"
}
```



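The detection logic the answer above describes, written out as an added example (not code from the original post or from any vendor parser): it keeps only records whose `Operation` is `AlertTriggered`, parses the nested JSON document carried as a string in the `Data` field, and flags the alert when the `tht` threat-type list (or, failing that, the alert policy name) indicates phishing or spam. The sample records are constructed for the example; only the first one mirrors the sanitized payload in the answer, and the choice of "Phish" and "Spam" as the threat-type tokens of interest is an assumption you should adjust to the policies enabled in your tenant.

```python
import json

# Assumption: these tht/name tokens identify the mail threats we want to alert on.
# "Malicious" alone is deliberately not enough, since it also appears on non-phish alerts.
MAIL_THREAT_TOKENS = {"phish", "spam"}

# Constructed sample records. Only record 0 mirrors the sanitized payload from the post;
# the other three are invented to exercise the non-phish and malformed-Data paths.
SAMPLE_RECORDS = [
    {
        "CreationTime": "2024-12-05T00:08:34",
        "Operation": "AlertTriggered",
        "RecordType": 40,
        "Workload": "SecurityComplianceCenter",
        "Category": "ThreatManagement",
        "Name": "Phish delivered due to an ETR override",
        "Severity": "Informational",
        "Status": "Active",
        "Data": json.dumps({
            "tht": "Phish, Malicious",
            "dtech": "MLModel",
            "an": "Phish delivered due to an ETR override",
            "sev": "Informational",
        }),
    },
    {   # constructed: spam alert whose policy name does not mention spam
        "CreationTime": "2024-12-05T00:09:10",
        "Operation": "AlertTriggered",
        "RecordType": 40,
        "Category": "ThreatManagement",
        "Name": "Suspicious mail delivered to Inbox",
        "Severity": "Medium",
        "Status": "Active",
        "Data": json.dumps({"tht": "Spam", "an": "Suspicious mail delivered to Inbox"}),
    },
    {   # constructed: non-mail alert with a malformed Data string
        "CreationTime": "2024-12-05T00:10:00",
        "Operation": "AlertTriggered",
        "RecordType": 40,
        "Category": "DataGovernance",
        "Name": "Unusual volume of file deletion",
        "Severity": "Medium",
        "Status": "Active",
        "Data": "not-json",
    },
    {   # constructed: ordinary Exchange audit event, not an alert at all
        "CreationTime": "2024-12-05T00:11:00",
        "Operation": "MailItemsAccessed",
        "RecordType": 50,
        "Workload": "Exchange",
    },
]


def parse_alert(record):
    """Return a normalized view of an AlertTriggered record, or None for any other operation.

    The Data field is a JSON document serialized inside a string. It is parsed
    defensively: a missing or malformed Data must not make the alert disappear,
    it only removes the threat-type detail.
    """
    if record.get("Operation") != "AlertTriggered":
        return None
    raw = record.get("Data")
    if isinstance(raw, dict):          # some pipelines pre-parse the nested document
        data = raw
    else:
        try:
            data = json.loads(raw) if raw else {}
        except (json.JSONDecodeError, TypeError):
            data = {}
        if not isinstance(data, dict):
            data = {}
    # tht is a comma-separated list, e.g. "Phish, Malicious"
    threats = [t.strip() for t in str(data.get("tht", "")).split(",") if t.strip()]
    return {
        "time": record.get("CreationTime", ""),
        "name": record.get("Name") or data.get("an", ""),
        "severity": record.get("Severity") or data.get("sev", ""),
        "category": record.get("Category", ""),
        "status": record.get("Status", ""),
        "threat_types": threats,
        "detection_tech": data.get("dtech", ""),
    }


def is_mail_threat_alert(record):
    """True when the record is an AlertTriggered event for a phishing or spam detection."""
    alert = parse_alert(record)
    if alert is None:
        return False
    if any(t.lower() in MAIL_THREAT_TOKENS for t in alert["threat_types"]):
        return True
    # Fallback when the nested Data is absent or unparseable: match on the policy name.
    name = alert["name"].lower()
    return any(tok in name for tok in MAIL_THREAT_TOKENS)


def find_mail_threat_alerts(records):
    """Filter a batch of audit records down to the phishing/spam alerts, parsed."""
    return [parse_alert(r) for r in records if is_mail_threat_alert(r)]


if __name__ == "__main__":
    for alert in find_mail_threat_alerts(SAMPLE_RECORDS):
        print(alert["time"], alert["severity"], alert["name"], alert["threat_types"])
```

In the SIEM the first predicate is the same one the answer names, metadata.product_event_type = "AlertTriggered"; the `tht` and `an` fields only exist inside the nested `Data` string, so whether you can key on them directly depends on how far your parser unpacks that string. Note also that the sample alert has `Severity: Informational`, so a rule that drops informational alerts would silently miss it.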