We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault weekly releases. Just like Microsoft's Patch Tuesday, the DARC Vault serves as a reliable source for enhanced security content, enabling our users to stay ahead of evolving threats.
Each week, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This week, we are excited to announce a significant update focused on Microsoft 365. Our enhancements are designed to provide our users with advanced functionalities that improve performance and security monitoring across their environments.
This week’s content release emphasizes comprehensive security visibility and proactive threat detection across Microsoft 365 services. Below is a summary of the new additions and improvements:
Summary of Weekly Improvements
Content-Type | Actions | Count
--- | --- | ---
Detections | New | 32
Detections | Enhanced | 37
Dashboards | New | 2
Reports | New | 2
New Detections
# | Name | Description
--- | --- | ---
1 | Exchange Malware Filter Policy Deletion | Monitors and alerts on the deletion of malware filter policies within Exchange.
2 | Microsoft 365 Exchange Malware Filter Rule Modification | Tracks modifications to malware filter rules.
3 | Exchange Safe Attachment Rule Disabled | Alerts on disabled safe attachment rules.
4 | Exchange Management Group Role Assignment | Monitors role assignments within Exchange management groups.
5 | Email Sent Success - External Users Only | Tracks successful emails sent to external users.
6 | External Domain Inbox Rule Alteration | Monitors alterations to inbox rules affecting external domains.
7 | Exchange DLP Policy Removed | Alerts on the removal of data loss prevention (DLP) policies.
8 | MS-O365 Email Threat Activity | Monitors email activities related to identified threats.
9 | Microsoft 365 Exchange Anti-Phish Rule Modification | Tracks modifications to anti-phishing rules.
10 | Exchange Transport Rule Creation | Alerts on the creation of transport rules.
11 | Potential Password Spraying of Microsoft 365 Accounts | Monitors for potential password spraying attempts.
12 | Exchange Transport Rule Modification | Tracks modifications to transport rules.
13 | Microsoft 365 Teams Custom Application Interaction Allowed | Monitors interactions with custom applications in Teams.
14 | Exchange Anti-Phish Policy Deletion | Alerts on the deletion of anti-phishing policies.
15 | SharePoint Malware File Upload | Monitors for malware uploads to SharePoint.
16 | OneDrive Malware File Upload | Tracks malware uploads to OneDrive.
17 | Microsoft 365 Teams External Access Enabled | Alerts on enabling external access in Teams.
18 | Unusual Volume of File Deletion | Monitors for unusual patterns of file deletion.
19 | Mailbox Audit Logging Bypass | Alerts on bypasses of mailbox audit logging.
20 | Global Administrator Role Assigned | Monitors assignments to global administrator roles.
21 | Potential ransomware activity | Alerts on activity indicative of potential ransomware.
22 | Attempts to Brute Force a Microsoft 365 User Account | Monitors for brute force login attempts on user accounts.
23 | User Restricted from Sending Email | Alerts when a user is restricted from sending emails.
24 | URL Detonation Detection | Monitors for malicious URLs and detonation attempts.
25 | Mailbox Right Delegation | Tracks delegation of mailbox rights.
26 | Email Threat Detected | Alerts on detected email threats.
27 | O365 Excessive Single Sign-On Logon Errors | Monitors excessive SSO logon errors.
28 | Microsoft 365 Teams Guest Access Enabled | Alerts on enabling guest access in Teams.
29 | Microsoft 365 Exchange Safe Link Policy Disabled | Monitors when safe link policies are disabled.
30 | Microsoft 365 Exchange DKIM Signing Configuration Disabled | Alerts when DKIM signing is disabled.
31 | Malware Detected on Host | Monitors for malware detections on hosts.
32 | New or Modified Federation Domain | Alerts on changes to federation domains.
New Dashboards
Name | Description | Value Proposition
--- | --- | ---
Microsoft - Office365 - Account and Policy Management | Provides insights into account and policy configurations within Microsoft 365. | Facilitates visibility into user permissions and policy adherence.
Microsoft - Office365 - Monitoring Insights | Aggregates monitoring insights across Microsoft 365 services. | Enhances situational awareness for security teams.
New Reports
Name | Description | Value Proposition
--- | --- | ---
Microsoft - Office365 - Monitoring Report | Comprehensive report on monitoring activities and alerts in Microsoft 365. | Provides detailed insights for compliance and security audits.
Microsoft - Office365 - Security Report | Summary of security incidents and metrics in Microsoft 365. | Enhances understanding of security posture over time.
Enhancements to Existing Content
This week, we also enhanced several existing OOTB detections to improve their effectiveness and responsiveness. Below is the list of updated/enhanced content:
Content-Type | Name
--- | ---
Detections | Protocol or Port Mismatch
Detections | Clients Connecting to Multiple DNS Servers
Detections | Multiple Successful Logins from Different Countries
Detections | PPTP Activity
Detections | RDP from the Internet
Detections | Detect Large Outbound ICMP Packets
Detections | Protocol or Port Mismatch - Custom
Detections | Detect Outbound SMB Traffic
Detections | High DNS Requests From Same Source
Detections | FTP Activity to the Internet
Detections | FortiGate VPN SSL User Login Failed
Detections | Telegram Bot API Request
Detections | Brute Force Access
Detections | SMTP to the Internet
Detections | User Connected to Large Number of Systems
Detections | Failed Config Changes by Same User
Detections | DNS NXDOMAIN Flood
Detections | SSH from the Internet
Detections | Logins to Same System from Multiple Sources
Detections | Multiple Login Failures From A Disabled Account
Detections | Proxy Port Activity to the Internet
Detections | IPSEC NAT Traversal Port Activity
Detections | Login Failure From Expired Account
Detections | Database Remote Login Success
Detections | High Denied Traffic Within Short Period
Detections | Cryptocurrency Mining Network Communication
Detections | Successful Login from Compromised User
Detections | Distributed DOS Attack
Detections | Concurrent Logins from Multiple Sources
Detections | SMTP on Port 26 TCP
Detections | File Uploaded With Public Access
Detections | IRC Protocol Activity to the Internet
Detections | Successful Login From a Compromised Host
Detections | Admin User Remote Logon Detected
Detections | RPC from the Internet
Detections | RDP to the Internet