Synopsis

| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Threat Module |
| Detector Tags | O365 DLP Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |

Description
A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.
Attacker's Goals
An attacker is attempting to access sensitive information.
Investigative actions
- Review the details of the triggered DLP rule match.
- Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
- Follow further actions done by the account.
- Communicate with the user to verify the legitimacy of the triggered event.
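
To support the first investigative action, the following added example (not part of the product documentation and not the detector's own logic) groups DLP rule matches on externally viewable items by user and day, mirroring the one-day deduplication period above. The field names (`Operation`, `UserId`, `CreationTime`, `PolicyDetails`, `SharePointMetaData`, `IsViewableByExternalUsers`, `FilePathUrl`) are assumed to follow the Office 365 Management Activity API DLP schema, and the records are constructed sample data; check both against your tenant's audit export.

```python
from collections import defaultdict

# Constructed sample audit records (assumed Office 365 DLP audit schema).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:12:00", "Operation": "DLPRuleMatch",
     "UserId": "alice@example.com",
     "SharePointMetaData": {"FilePathUrl": "https://example.sharepoint.com/hr/payroll.xlsx",
                            "IsViewableByExternalUsers": True},
     "PolicyDetails": [{"PolicyName": "Finance", "Rules": [{"RuleName": "Bank account numbers"}]}]},
    {"CreationTime": "2024-05-01T15:40:00", "Operation": "DLPRuleMatch",
     "UserId": "alice@example.com",
     "SharePointMetaData": {"FilePathUrl": "https://example.sharepoint.com/hr/ids.docx",
                            "IsViewableByExternalUsers": True},
     "PolicyDetails": [{"PolicyName": "PII", "Rules": [{"RuleName": "National ID numbers"}]}]},
    {"CreationTime": "2024-05-02T08:00:00", "Operation": "DLPRuleMatch",
     "UserId": "alice@example.com",
     "SharePointMetaData": {"FilePathUrl": "https://example.sharepoint.com/hr/internal.docx",
                            "IsViewableByExternalUsers": False},
     "PolicyDetails": [{"PolicyName": "PII", "Rules": [{"RuleName": "National ID numbers"}]}]},
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "FileAccessed",
     "UserId": "bob@example.com"},
]


def externally_viewable_matches(records):
    """Group DLP rule matches on externally viewable items by (user, UTC day)."""
    groups = defaultdict(list)
    for rec in records:
        # Only DLP rule match events are relevant to this alert.
        if rec.get("Operation", "").lower() != "dlprulematch":
            continue
        meta = rec.get("SharePointMetaData") or {}
        # Keep only items the audit record marks as viewable by external users.
        if meta.get("IsViewableByExternalUsers") is not True:
            continue
        day = rec.get("CreationTime", "")[:10]  # date part of the ISO timestamp
        rules = sorted({rule.get("RuleName", "?")
                        for policy in rec.get("PolicyDetails", [])
                        for rule in policy.get("Rules", [])})
        groups[(rec.get("UserId", "?"), day)].append(
            {"file": meta.get("FilePathUrl"), "rules": rules})
    return dict(groups)


if __name__ == "__main__":
    for (user, day), hits in externally_viewable_matches(SAMPLE_RECORDS).items():
        print(user, day, len(hits), "match(es)")
        for hit in hits:
            print("   ", hit["file"], hit["rules"])
```

Each group gives the files and rules to review with the user and a date to pivot on when checking that account's logins and later activity.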