{ "algorithms": { "GradientBoostingRegressor": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false }, "LinearRegression": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false }, "LogisticRegression": { "accuracy": 0, "f1_score": 0, "modelId": "", "precision": 0, "recall": 0, "recommended": false }, "RandomForestRegressor": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false } }, "description": "", "enabled": true, "entity_rules": [], "key": "da-itsi-cp-m365-m365-threat-detection", "kpis": [ { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "avg", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": null, "severity_color": "#B50101", "severity_color_light": "#E5A6A6", "severity_label": "critical", "severity_label_localized": null, "severity_value": 6.0, "threshold_value": 0.0 }, { "dynamic_param": null, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": null, "severity_value": 5.0, "threshold_value": 20.0 }, { "dynamic_param": null, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": null, "severity_value": 4.0, "threshold_value": 40.0 }, { "dynamic_param": null, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": null, "severity_value": 3.0, "threshold_value": 60.0 }, { "dynamic_param": null, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", 
"severity_label_localized": null, "severity_value": 2.0, "threshold_value": 80.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "1", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": 0.999, "anomaly_detection_training_window": "-7d", "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-detection)`", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": false, "entity_filter_field": "", "entity_split_field": "", "entity_statop": "avg", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": null, "severity_color": "#B50101", "severity_color_light": "#E5A6A6", "severity_label": "critical", "severity_label_localized": null, "severity_value": 6.0, "threshold_value": 0.0 }, { "dynamic_param": null, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": null, "severity_value": 5.0, "threshold_value": 20.0 }, { "dynamic_param": null, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": null, "severity_value": 4.0, "threshold_value": 40.0 }, { "dynamic_param": 
null, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": null, "severity_value": 3.0, "threshold_value": 60.0 }, { "dynamic_param": null, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": null, "severity_value": 2.0, "threshold_value": 80.0 } ] }, "fill_gaps": "null_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": false, "key": "SHKPI-da-itsi-cp-m365-m365-threat-detection", "kpi_base_search": "", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-detection)` | stats latest(health_score) AS aggregate", "search_aggregate": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-detection)` | stats latest(health_score) AS aggregate", "search_alert": "", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": null, "search_occurrences": 1.0, "search_time_compare": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-detection)` [| stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time))+ \" latest=\" + tostring(info_max_time) |fields search] | addinfo | eval bucket=if(_time0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))", "search_time_series": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-detection)` | timechart avg(health_score) AS aggregate", "search_time_series_aggregate": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-detection)` | timechart avg(health_score) AS aggregate", 
"search_time_series_entities": "", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": "", "threshold_field": "aggregate", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "ServiceHealthScore", "trending_ad": { "sensitivity": 8 }, "type": "service_health", "tz_offset": null, "unit": "", "urgency": 11.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", 
"severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when it identifies activity from an IP address that has been identified as an anonymous proxy IP address. 
These proxies are used by people who want to hide their device\u2019s IP address, and may be used for malicious intent.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval 
serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9, true, true, true)` | eval kpi=\"Activity from anonymous IP addresses\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9, true, true, true)` | eval kpi=\"Activity from anonymous IP addresses\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9)`", "search_occurrences": 
1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-2c1ee3c3072dc1a59d92d9c9)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from anonymous IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, 
"metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Activity from anonymous IP addresses", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, 
"anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or never visited by the user or by any user in the organization. Detecting anomalous locations necessitates an initial learning period of 7 days, during which it does not alert on any new locations.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, 
"is_split_by_entity": true, "key": "da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9, true, true, true)` | eval kpi=\"Activity from infrequent country\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | 
`assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9, true, true, true)` | eval kpi=\"Activity from infrequent country\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, 
da-itsi-cp-m365-0c81b2d51abae61cec0ef3f9)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from infrequent country\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Activity from infrequent country", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { 
"dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when activity is detected from an IP address that has been identified as risky by Microsoft Threat Intelligence. 
These IP are involved in malicious activities, such as botnets C&C, and may indicate a compromised account.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-3add69e6499e96fbff2fe40d", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = 
\"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d, true, true, true)` | eval kpi=\"Activity from suspicious IP addresses\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d, true, true, true)` | eval kpi=\"Activity from suspicious IP addresses\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d)`", "search_occurrences": 1.0, 
"search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3add69e6499e96fbff2fe40d)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity from suspicious IP addresses\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, 
"metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Activity from suspicious IP addresses", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, 
"anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and alerts when a terminated user performs an activity in a sanctioned corporate application.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-70105ff25be7a7fa3667f158", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active 
Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158, true, true, true)` | eval kpi=\"Activity performed by terminated user\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158, true, true, true)` | eval kpi=\"Activity performed by 
terminated user\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-70105ff25be7a7fa3667f158)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts 
Status=Active Name=\"Activity performed by terminated user\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Activity performed by terminated user", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", 
"severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy is automatically enabled to alert you when a user or IP address uses an unsanctioned app to perform an activity that might be an attempt to exfiltrate information from your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", 
"severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-1179499a9bbe188261dc59b6", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6, true, true, true)` | eval kpi=\"Data exfiltration to unsanctioned apps\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 
15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6, true, true, true)` | eval kpi=\"Data exfiltration to unsanctioned apps\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, 
\"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1179499a9bbe188261dc59b6)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Data exfiltration to unsanctioned apps\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Data exfiltration to unsanctioned apps", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", 
"tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when 
activities are detected from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This could indicate that a different user is using the same credentials.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "host", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-94bdd447b34e462623ba7ad8", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"host\")` | eval sec_grp = \"default_itsi_security_group\" | 
`match_entities(host, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8, true, true, true)` | eval kpi=\"Impossible travel\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"host\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"host\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(host, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8, true, true, true)` | eval kpi=\"Impossible travel\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"host\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts 
Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"host\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"host\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"host\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-94bdd447b34e462623ba7ad8)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Impossible travel\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"host\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", 
"base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Impossible travel", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" 
Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "When cybercriminals compromise valid passwords of legitimate users, they often share those credentials. This is usually done by posting them publicly on the dark web or paste sites or by trading or selling the credentials on the black market.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9da46ed16abfd5cbaedb709a", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": 
"", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a, true, true, true)` | eval kpi=\"Leaked credentials\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a, true, true, true)` | eval kpi=\"Leaked credentials\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` 
RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9da46ed16abfd5cbaedb709a)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Leaked credentials\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { 
"default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Leaked credentials", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, 
"aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy uses Microsoft Threat Intelligence to scan OAuth apps connected to your environment and triggers an alert when it detects a potentially malicious app that has been authorized.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": 
"#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-6977aee5803a6401e3eeb079", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079, true, true, true)` | eval kpi=\"Malicious OAuth app consent\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = 
\"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079, true, true, true)` | eval kpi=\"Malicious OAuth app consent\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | 
`assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-6977aee5803a6401e3eeb079)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malicious OAuth app consent\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Malicious OAuth app consent", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, 
"render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This detection scans files in your cloud apps and runs suspicious files through Microsoft\u2019s threat intelligence engine to determine whether they are associated with known malware.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, 
"threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-cea39bad8b93e87524d52526", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526, true, true, true)` | eval kpi=\"Malware detection\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, 
count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526, true, true, true)` | eval kpi=\"Malware detection\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | 
`assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-cea39bad8b93e87524d52526)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware detection\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Malware detection", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", 
"adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading name is detected. 
Misleading names, such as characters from non-Latin scripts that resemble Latin letters (homoglyphs), could indicate an attempt to disguise a malicious app as a known and trusted app.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-f1dd06f3514cabf98288559d", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | 
eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d, true, true, true)` | eval kpi=\"Misleading OAuth app name\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d, true, true, true)` | eval kpi=\"Misleading OAuth app name\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d)`", "search_occurrences": 1.0, "search_time_compare": 
"`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-f1dd06f3514cabf98288559d)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading OAuth app name\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, 
"threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Misleading OAuth app name", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": 
false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy scans the OAuth apps connected to your environment and triggers an alert when an app with a misleading publisher name is detected.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-de58bc9bbc4768406116b8c4", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats 
count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4, true, true, true)` | eval kpi=\"Misleading publisher name for an OAuth app\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4, true, true, true)` | eval kpi=\"Misleading publisher name for an OAuth app\", urgency=\"5\", alert_period=\"15\", 
serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-de58bc9bbc4768406116b8c4)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Misleading 
publisher name for an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Misleading publisher name for an OAuth app", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", 
"severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple delete VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": 
"Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-b48c41aca99df54f077082c3", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-b48c41aca99df54f077082c3, true, true, true)` | eval kpi=\"Multiple delete VM activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, 
da-itsi-cp-m365-b48c41aca99df54f077082c3)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-b48c41aca99df54f077082c3, true, true, true)` | eval kpi=\"Multiple delete VM activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-b48c41aca99df54f077082c3)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-b48c41aca99df54f077082c3)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | 
`assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-b48c41aca99df54f077082c3)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-b48c41aca99df54f077082c3)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple delete VM activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Multiple delete VM activities", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { 
"adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple failed login activities in a single session 
with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-5c246ff1644c8289b88e1e00", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | 
`aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00, true, true, true)` | eval kpi=\"Multiple failed login attempts\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00, true, true, true)` | eval kpi=\"Multiple failed login attempts\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` 
RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-5c246ff1644c8289b88e1e00)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple failed login attempts\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, 
"threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Multiple failed login attempts", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", 
"backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple storage deletion or DB deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-439461d009e2f0ff6ecf39b9", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts 
Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9, true, true, true)` | eval kpi=\"Multiple storage deletion activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9, true, true, true)` | eval kpi=\"Multiple storage 
deletion activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-439461d009e2f0ff6ecf39b9)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts 
Status=Active Name=\"Multiple storage deletion activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Multiple storage deletion activities", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", 
"severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple create VM activities in a single session with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": 
"normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9, true, true, true)` | eval kpi=\"Multiple VM creation activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | 
`assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9, true, true, true)` | eval kpi=\"Multiple VM creation activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | 
`aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-3be36f063bddcaf8fc2cd0f9)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Multiple VM creation activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Multiple VM creation activities", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, 
"use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Identify malicious insider or compromised user by identifying entities which 
deviate from their profile baseline", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9a8fb91de176e372cf0e78be", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | 
`aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be, true, true, true)` | eval kpi=\"Preview: Investigation Priority Score Increased\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be, true, true, true)` | eval kpi=\"Preview: Investigation Priority Score Increased\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be)`", "search_occurrences": 
1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-9a8fb91de176e372cf0e78be)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Investigation Priority Score Increased\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, 
"is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Preview: Investigation Priority Score Increased", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, 
"anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple Power BI report-sharing activities in a single session relative to the learned baseline, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, 
"is_split_by_entity": true, "key": "da-itsi-cp-m365-e068b071c2ab0484b8e0088b", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b, true, true, true)` | eval kpi=\"Preview: Multiple Power BI report sharing activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval 
serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b, true, true, true)` | eval kpi=\"Preview: Multiple Power BI report sharing activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | 
`aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e068b071c2ab0484b8e0088b)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Multiple Power BI report sharing activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Preview: Multiple Power BI report sharing activities", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", 
"base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when a user performs suspicious changes to the CloudTrail logging service in a single session, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", 
"base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-d201d46cdda4083443f8b146", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146, true, true, true)` | eval kpi=\"Preview: Suspicious change of 
CloudTrail logging service\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146, true, true, true)` | eval kpi=\"Preview: Suspicious change of CloudTrail logging service\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail 
logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-d201d46cdda4083443f8b146)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious change of CloudTrail logging service\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, 
"threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Preview: Suspicious change of CloudTrail logging service", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, 
"backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when a user shares a Power BI report that may include sensitive information, which may indicate a compromised account. The report was either shared with an external email address, published to the web, or delivered as a snapshot to an externally subscribed email address.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, 
"key": "da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4, true, true, true)` | eval kpi=\"Preview: Suspicious Power BI report sharing\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | 
`aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4, true, true, true)` | eval kpi=\"Preview: Suspicious Power BI report sharing\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | 
`aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e62b37aeba6eb6910d9b3fb4)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Preview: Suspicious Power BI report sharing\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Preview: Suspicious Power BI report sharing", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": 
false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when an activity pattern is detected that is typical of a ransomware attack.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 
100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-e255403f15e56c7362f54c5a", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a, true, true, true)` | eval kpi=\"Ransomware activity\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | 
`aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a, true, true, true)` | eval kpi=\"Ransomware activity\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | 
`aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e255403f15e56c7362f54c5a)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Ransomware activity\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Ransomware activity", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { 
"adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Azure Active Directory (Azure AD) detects suspicious actions that are related to your user accounts.", "enabled": true, "entity_filter_field": 
"host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-39d7e3fb2f19c99fff964f71", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-39d7e3fb2f19c99fff964f71, true, true, true)` | 
eval kpi=\"Risky sign-in\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-39d7e3fb2f19c99fff964f71)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-39d7e3fb2f19c99fff964f71, true, true, true)` | eval kpi=\"Risky sign-in\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-39d7e3fb2f19c99fff964f71)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, 
da-itsi-cp-m365-39d7e3fb2f19c99fff964f71)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-39d7e3fb2f19c99fff964f71)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-39d7e3fb2f19c99fff964f71)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Risky sign-in\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, 
"render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Risky sign-in", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, 
"cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when a user performs suspicious email deletion activities in a single session, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active 
Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c, true, true, true)` | eval kpi=\"Suspicious email deletion activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c, true, true, true)` | eval kpi=\"Suspicious email deletion activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active 
Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-bc3fd6b828df45db7cf1c41c)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious email deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", 
"threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Suspicious email deletion activity (by user)", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } 
] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when suspicious inbox forwarding rules are set on a user's inbox. 
This may indicate that the user account is compromised, and that the mailbox is being used to exfiltrate information from your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval 
serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5, true, true, true)` | eval kpi=\"Suspicious inbox forwarding\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5, true, true, true)` | eval kpi=\"Suspicious inbox forwarding\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5)`", "search_occurrences": 1.0, "search_time_compare": 
"`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-27c1e7c5de9f8f8f9259d2f5)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox forwarding\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, 
"render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Suspicious inbox forwarding", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, 
"backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "A suspicious inbox rule was set on a user's inbox. This may indicate that the user account is compromised, and that the mailbox is being used to distribute spam and malware in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-78c060e47fa9f2064318598d", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts 
Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d, true, true, true)` | eval kpi=\"Suspicious inbox manipulation rule\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d, true, true, true)` | eval kpi=\"Suspicious inbox manipulation 
rule\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-78c060e47fa9f2064318598d)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active 
Name=\"Suspicious inbox manipulation rule\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Suspicious inbox manipulation rule", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", 
"severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy scans the OAuth apps connected to your environment and triggers an alert when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is uncommon for the user.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", 
"severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-33f7d1dfed53a52c8b23d636", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636, true, true, true)` | eval kpi=\"Suspicious OAuth app file download activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 
15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636, true, true, true)` | eval kpi=\"Suspicious OAuth app file download activities\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | 
`aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-33f7d1dfed53a52c8b23d636)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious OAuth app file download activities\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Suspicious OAuth app file download 
activities", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], 
"datamodel_filter_clauses": null, "description": "This detection policy profiles your environment and triggers alerts when users perform unusual credential-addition activities on an OAuth app, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | 
`aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1, true, true, true)` | eval kpi=\"Unusual addition of credentials to an OAuth app\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1, true, true, true)` | eval kpi=\"Unusual addition of credentials to an OAuth app\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by 
OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-dbd94f6bbdc658d6b777efc1)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual addition of credentials to an OAuth app\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { 
"default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual addition of credentials to an OAuth app", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, 
"aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple administrative activities in a single session relative to the learned baseline, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": 
"custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-53826bcd8ecfef46793dce12", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12, true, true, true)` | eval kpi=\"Unusual administrative activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | 
`aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12, true, true, true)` | eval kpi=\"Unusual administrative activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active 
Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-53826bcd8ecfef46793dce12)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual administrative activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual administrative activity (by user)", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { 
"base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple file deletion activities in a single session with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", 
"entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6, true, true, true)` | eval 
kpi=\"Unusual file deletion activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6, true, true, true)` | eval kpi=\"Unusual file deletion activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by 
OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-1b5f52a6ba5583b91bcb7ee6)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file deletion activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": 
"#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual file deletion activity (by user)", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts 
Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple file download activities in a single session with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-ee6e4dad771d573ea72ebde5", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId", 
"kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5, true, true, true)` | eval kpi=\"Unusual file download (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5, true, true, true)` | eval kpi=\"Unusual file download (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", 
"search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-ee6e4dad771d573ea72ebde5)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file download (by user)\" Operation=AlertTriggered | stats count by OrganizationId | 
`aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual file download (by user)", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", 
"severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple file sharing activities in a single session with respect to the baseline learned, which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, 
"severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-725a71f8dd373be182e37ce7", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-725a71f8dd373be182e37ce7, true, true, true)` | eval kpi=\"Unusual file share activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-725a71f8dd373be182e37ce7)`", "search_alert": 
"`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-725a71f8dd373be182e37ce7, true, true, true)` | eval kpi=\"Unusual file share activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-725a71f8dd373be182e37ce7)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-725a71f8dd373be182e37ce7)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, 
da-itsi-cp-m365-725a71f8dd373be182e37ce7)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-725a71f8dd373be182e37ce7)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual file share activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual file share activity (by user)", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", 
"adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "This policy profiles your environment and triggers alerts when users perform multiple impersonated activities in a single session with respect to the baseline learned, 
which could indicate an attempted breach.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-e2bcc3f70d857a221996dfae", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | 
`aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae, true, true, true)` | eval kpi=\"Unusual impersonated activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-detection\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae, true, true, true)` | eval kpi=\"Unusual impersonated activity (by user)\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-detection\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae)`", "search_occurrences": 1.0, "search_time_compare": 
"`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-detection, da-itsi-cp-m365-e2bcc3f70d857a221996dfae)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual impersonated activity (by user)\" Operation=AlertTriggered | stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Detection", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", 
"render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual impersonated activity (by user)", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false } ], "service_tags": { "tags": [], "template_tags": [] }, "service_template_id": "", "services_depending_on_me": [ { "kpis_depending_on": [ "SHKPI-da-itsi-cp-m365-m365-threat-detection" ], "service_id": "da-itsi-cp-m365-m365-cloud-app-security" } ], "services_depends_on": [], "team_id": "default_itsi_security_group", "title": "M365_Threat Detection", "version": "0.0.33" }