{ "algorithms": { "GradientBoostingRegressor": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false }, "LinearRegression": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false }, "LogisticRegression": { "accuracy": 0, "f1_score": 0, "modelId": "", "precision": 0, "recall": 0, "recommended": false }, "RandomForestRegressor": { "RMSE": 0, "modelId": "", "rSquared": 0, "recommended": false } }, "description": "", "enabled": true, "entity_rules": [], "key": "da-itsi-cp-m365-m365-threat-management", "kpis": [ { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": "", "aggregate_statop": "avg", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": null, "severity_color": "#B50101", "severity_color_light": "#E5A6A6", "severity_label": "critical", "severity_label_localized": null, "severity_value": 6.0, "threshold_value": 0.0 }, { "dynamic_param": null, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": null, "severity_value": 5.0, "threshold_value": 20.0 }, { "dynamic_param": null, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": null, "severity_value": 4.0, "threshold_value": 40.0 }, { "dynamic_param": null, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": null, "severity_value": 3.0, "threshold_value": 60.0 }, { "dynamic_param": null, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": null, "severity_value": 2.0, "threshold_value": 80.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": "", "alert_lag": "30", "alert_on": "both", "alert_period": "1", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": 0.999, "anomaly_detection_training_window": "-7d", "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-management)`", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": false, "entity_filter_field": "", "entity_split_field": "", "entity_statop": "avg", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": null, "severity_color": "#B50101", "severity_color_light": "#E5A6A6", "severity_label": "critical", "severity_label_localized": null, "severity_value": 6.0, "threshold_value": 0.0 }, { "dynamic_param": null, "severity_color": "#F26A35", "severity_color_light": "#FBCBB9", "severity_label": "high", "severity_label_localized": null, "severity_value": 5.0, "threshold_value": 20.0 }, { "dynamic_param": null, "severity_color": "#FCB64E", "severity_color_light": "#FEE6C1", "severity_label": "medium", "severity_label_localized": null, "severity_value": 4.0, "threshold_value": 40.0 }, { "dynamic_param": null, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": null, "severity_value": 3.0, "threshold_value": 60.0 }, { "dynamic_param": null, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": null, "severity_value": 2.0, "threshold_value": 80.0 } ] }, "fill_gaps": "null_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": false, "key": "SHKPI-da-itsi-cp-m365-m365-threat-management", "kpi_base_search": "", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-management)` | stats latest(health_score) AS aggregate", "search_aggregate": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-management)` | stats latest(health_score) AS aggregate", "search_alert": "", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": null, "search_occurrences": 1.0, "search_time_compare": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-management)` [| stats count | addinfo | eval search= \"earliest=\" + tostring(info_min_time-(info_max_time-info_min_time))+ \" latest=\" + tostring(info_max_time) |fields search] | addinfo | eval bucket=if(_time0, \"increase\", if(window_delta < 0, \"decrease\", \"none\"))", "search_time_series": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-management)` | timechart avg(health_score) AS aggregate", "search_time_series_aggregate": "`get_full_itsi_summary_service_health_events(da-itsi-cp-m365-m365-threat-management)` | timechart avg(health_score) AS aggregate", "search_time_series_entities": "", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": "", "threshold_field": "aggregate", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#AED3E5", "base_severity_color_light": "#E3F0F6", "base_severity_label": "info", "base_severity_value": 1.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "ServiceHealthScore", "trending_ad": { "sensitivity": 8 }, "type": "service_health", "tz_offset": null, "unit": "", "urgency": 11.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when a user protected by Safe Links in your organization clicks a malicious link. This event is triggered when URL verdict changes are identified by Microsoft Defender for Office 365 or when users override the Safe Links pages (based on your organization's Microsoft 365 for business Safe Links policy).", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-335970fbaba5102dfcc7001e", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e, true, true, true)` | eval kpi=\"A potentially malicious URL click was detected\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e, true, true, true)` | eval kpi=\"A potentially malicious URL click was detected\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-335970fbaba5102dfcc7001e)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"A potentially malicious URL click was detected\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "A potentially malicious URL click was detected", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when an Admin Submission completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-2ef1fa92d295f04314c86998", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998, true, true, true)` | eval kpi=\"Admin Submission Result Completed\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998, true, true, true)` | eval kpi=\"Admin Submission Result Completed\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2ef1fa92d295f04314c86998)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin Submission Result Completed\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Admin Submission Result Completed", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-00d20a88bad4d66da569d8cd", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd, true, true, true)` | eval kpi=\"Admin triggered manual investigation of email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd, true, true, true)` | eval kpi=\"Admin triggered manual investigation of email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-00d20a88bad4d66da569d8cd)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Admin triggered manual investigation of email\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Admin triggered manual investigation of email", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-308db1b4e0a8b93083d63189", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189, true, true, true)` | eval kpi=\"Creation of forwarding/redirect rule\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189, true, true, true)` | eval kpi=\"Creation of forwarding/redirect rule\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-308db1b4e0a8b93083d63189)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Creation of forwarding/redirect rule\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Creation of forwarding/redirect rule", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone uses the Content search tool in the Security and compliance center.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-039b43cf4c7fc3823a5989b5", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5, true, true, true)` | eval kpi=\"eDiscovery search started or exported\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5, true, true, true)` | eval kpi=\"eDiscovery search started or exported\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-039b43cf4c7fc3823a5989b5)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"eDiscovery search started or exported\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "eDiscovery search started or exported", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when any messages containing malware are delivered to mailboxes in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1, true, true, true)` | eval kpi=\"Email messages containing malicious file removed after delivery\u200b\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1, true, true, true)` | eval kpi=\"Email messages containing malicious file removed after delivery\u200b\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-6543fc19e5b43a24acb4f9e1)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious file removed after delivery\u200b\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Email messages containing malicious file removed after delivery\u200b", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when any messages containing phish are delivered to mailboxes in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf, true, true, true)` | eval kpi=\"Email messages containing malicious URL removed after delivery\u200b\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf, true, true, true)` | eval kpi=\"Email messages containing malicious URL removed after delivery\u200b\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-dcd5a864c27b4f1b0f4e6dcf)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malicious URL removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Email messages containing malicious URL removed after delivery\u200b", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when any messages containing malware are delivered to mailboxes in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-c1181e5da7c68badae4466e7", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7, true, true, true)` | eval kpi=\"Email messages containing malware removed after delivery\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7, true, true, true)` | eval kpi=\"Email messages containing malware removed after delivery\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-c1181e5da7c68badae4466e7)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email messages containing malware removed after delivery\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Email messages containing malware removed after delivery", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when any messages containing phish are delivered to mailboxes in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18, true, true, true)` | eval kpi=\"Email messages containing phish URLs removed after delivery\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18, true, true, true)` | eval kpi=\"Email messages containing phish URLs removed after delivery\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-e3d64fcd5f4743eae1c4fa18)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Email messages containing phish URLs removed after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Email messages containing phish URLs removed after delivery", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when users in your organization report messages as phishing email using the Report Message add-in.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-35a40df6a4b5a4d655cf4066", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066, true, true, true)` | eval kpi=\"Email reported by user as malware or phish\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066, true, true, true)` | eval kpi=\"Email reported by user as malware or phish\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-35a40df6a4b5a4d655cf4066)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email reported by user as malware or phish\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Email reported by user as malware or phish", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization has sent more mail than is allowed by the outbound spam policy.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c, true, true, true)` | eval kpi=\"Email sending limit exceeded\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c, true, true, true)` | eval kpi=\"Email sending limit exceeded\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4ecdcf1629fe1dbda1e73b2c)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Email sending limit exceeded\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Email sending limit exceeded", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-badccea130915197605e1250", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250, true, true, true)` | eval kpi=\"Failed exact data match upload\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250, true, true, true)` | eval kpi=\"Failed exact data match upload\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-badccea130915197605e1250)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Failed exact data match upload\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Failed exact data match upload", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9a98c6411cf1054c3ad37c23", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23, true, true, true)` | eval kpi=\"Form blocked due to potential phishing attempt\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23, true, true, true)` | eval kpi=\"Form blocked due to potential phishing attempt\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9a98c6411cf1054c3ad37c23)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form blocked due to potential phishing attempt\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Form blocked due to potential phishing attempt", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when a form created in Microsoft Forms from within your organization has been identified as potential phishing through Report Abuse and confirmed as phishing by Microsoft.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-b018769b1369129e8f467ab9", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9, true, true, true)` | eval kpi=\"Form flagged and confirmed as phishing\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9, true, true, true)` | eval kpi=\"Form flagged and confirmed as phishing\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b018769b1369129e8f467ab9)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Form flagged and confirmed as phishing\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Form flagged and confirmed as phishing", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-005c3f1e83457829d81f00f6", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6, true, true, true)` | eval kpi=\"Malware campaign detected after delivery\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6, true, true, true)` | eval kpi=\"Malware campaign detected after delivery\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-005c3f1e83457829d81f00f6)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware campaign detected after delivery\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Malware campaign detected after delivery", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-af1f6fffe44ddaa3242707ad", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad, true, true, true)` | eval kpi=\"Malware campaign detected and blocked\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad, true, true, true)` | eval kpi=\"Malware campaign detected and blocked\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-af1f6fffe44ddaa3242707ad)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected and blocked\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Malware campaign detected and blocked", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf, true, true, true)` | eval kpi=\"Malware campaign detected in SharePoint and OneDrive\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf, true, true, true)` | eval kpi=\"Malware campaign detected in SharePoint and OneDrive\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-b2e7e08b7c45daa9d2d1ffcf)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Malware campaign detected in SharePoint and OneDrive\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Malware campaign detected in SharePoint and OneDrive", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-494e7910f769e401e422bd22", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22, true, true, true)` | eval kpi=\"Malware not zapped because ZAP is disabled\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22, true, true, true)` | eval kpi=\"Malware not zapped because ZAP is disabled\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-494e7910f769e401e422bd22)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Malware not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Malware not zapped because ZAP is disabled", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-fbf479a0530fe57af9776410", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410, true, true, true)` | eval kpi=\"MIP AutoLabel simulation completed\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410, true, true, true)` | eval kpi=\"MIP AutoLabel simulation completed\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-fbf479a0530fe57af9776410)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"MIP AutoLabel simulation completed\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "MIP AutoLabel simulation completed", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when Microsoft detects a user\u2019s Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4, true, true, true)` | eval kpi=\"Phish delivered because a user's Junk Mail Folder is disabled\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4, true, true, true)` | eval kpi=\"Phish delivered because a user's Junk Mail Folder is disabled\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9fa342e6bd6fa0c75ecfd9e4)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Phish delivered because a user's Junk Mail Folder is disabled\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Phish delivered because a user's Junk Mail Folder is disabled", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84, true, true, true)` | eval kpi=\"Phish delivered due to an ETR override\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84, true, true, true)` | eval kpi=\"Phish delivered due to an ETR override\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-ff3e9770c49ed7a45ffe3b84)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an ETR override\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Phish delivered due to an ETR override", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9de0cedd8cad34b312b6c607", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607, true, true, true)` | eval kpi=\"Phish delivered due to an IP allow policy\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607, true, true, true)` | eval kpi=\"Phish delivered due to an IP allow policy\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9de0cedd8cad34b312b6c607)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish delivered due to an IP allow policy\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Phish delivered due to an IP allow policy", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7, true, true, true)` | eval kpi=\"Phish not zapped because ZAP is disabled\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7, true, true, true)` | eval kpi=\"Phish not zapped because ZAP is disabled\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-5bf5606cfaaf9f1e1906e0c7)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Phish not zapped because ZAP is disabled\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Phish not zapped because ZAP is disabled", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-d9f19da945babcdba8476088", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088, true, true, true)` | eval kpi=\"Remediation action taken by admin on emails or URL or sender\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088, true, true, true)` | eval kpi=\"Remediation action taken by admin on emails or URL or sender\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-d9f19da945babcdba8476088)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Remediation action taken by admin on emails or URL or sender\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Remediation action taken by admin on emails or URL or sender", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-2fd6695634044151e6a32eee", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee, true, true, true)` | eval kpi=\"Successful exact data match upload\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee, true, true, true)` | eval kpi=\"Successful exact data match upload\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-2fd6695634044151e6a32eee)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Successful exact data match upload\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Successful exact data match upload", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization has autoforwarded email to a suspicious external account.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-34b5cb3b724026b9e1e052d0", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0, true, true, true)` | eval kpi=\"Suspicious Email Forwarding Activity\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0, true, true, true)` | eval kpi=\"Suspicious Email Forwarding Activity\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-34b5cb3b724026b9e1e052d0)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Suspicious Email Forwarding Activity\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Suspicious Email Forwarding Activity", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4, true, true, true)` | eval kpi=\"Suspicious email sending patterns detected\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4, true, true, true)` | eval kpi=\"Suspicious email sending patterns detected\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-4e404594ca7f78ca1d5d0ab4)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"Suspicious email sending patterns detected\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Suspicious email sending patterns detected", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f, true, true, true)` | eval kpi=\"Tenant restricted from sending email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f, true, true, true)` | eval kpi=\"Tenant restricted from sending email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-8523be4e51e4d22cd0adfc5f)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Tenant restricted from sending email", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-7dd5b60d312252feaf09984f", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f, true, true, true)` | eval kpi=\"Tenant restricted from sending unprovisioned email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f, true, true, true)` | eval kpi=\"Tenant restricted from sending unprovisioned email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7dd5b60d312252feaf09984f)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Tenant restricted from sending unprovisioned email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Tenant restricted from sending unprovisioned email", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-9f412f2ba47006224e7f1bbb", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb, true, true, true)` | eval kpi=\"Unusual increase in email reported as phish\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb, true, true, true)` | eval kpi=\"Unusual increase in email reported as phish\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-9f412f2ba47006224e7f1bbb)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"Unusual increase in email reported as phish\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "Unusual increase in email reported as phish", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization is restricted from sending outbound mail.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-a5b963ff18821c61b301f437", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437, true, true, true)` | eval kpi=\"User restricted from sending email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437, true, true, true)` | eval kpi=\"User restricted from sending email\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-a5b963ff18821c61b301f437)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Name=\"User restricted from sending email\" Operation=AlertTriggered\n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "User restricted from sending email", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false }, { "adaptive_thresholding_training_window": "-7d", "adaptive_thresholds_is_enabled": false, "aggregate_eval": null, "aggregate_statop": "sum", "aggregate_threshold_alert_enabled": false, "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "aggregate_thresholds_alert_enabled": false, "aggregate_thresholds_custom_alert_enabled": false, "aggregate_thresholds_custom_alert_rules": [], "alert_eval": null, "alert_lag": "30", "alert_on": "both", "alert_period": "15", "anomaly_detection_alerting_enabled": false, "anomaly_detection_is_enabled": false, "anomaly_detection_sensitivity": null, "anomaly_detection_training_window": null, "backfill_earliest_time": "-7d", "backfill_enabled": false, "base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId", "base_search_id": null, "base_search_metric": null, "cohesive_ad": { "sensitivity": 8 }, "cohesive_anomaly_detection_is_enabled": false, "datamodel": { "datamodel": "", "field": "", "object": "", "owner_field": "" }, "datamodel_filter": [], "datamodel_filter_clauses": null, "description": "Generates an alert when someone in your organization has been restricted from sharing forms and collecting responses using Microsoft Forms due to detected repeated phishing attempt behavior.", "enabled": true, "entity_filter_field": "host", "entity_split_field": "OrganizationId", "entity_statop": "sum", "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 1, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [ { "dynamic_param": 0.0, "severity_color": "#99D18B", "severity_color_light": "#DCEFD7", "severity_label": "normal", "severity_label_localized": "Normal", "severity_value": 2.0, "threshold_value": 0.0 }, { "dynamic_param": 0.0, "severity_color": "#FFE98C", "severity_color_light": "#FFF4C5", "severity_label": "low", "severity_label_localized": "Low", "severity_value": 3.0, "threshold_value": 1.0 } ] }, "fill_gaps": "custom_value", "gap_custom_alert_value": 0.0, "gap_severity": "unknown", "gap_severity_color": "#CCCCCC", "gap_severity_color_light": "#EEEEEE", "gap_severity_value": "-1", "is_filter_entities_to_service": false, "is_split_by_entity": true, "key": "da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3", "kpi_base_search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId", "kpi_template_kpi_id": "", "kpi_threshold_template_id": "", "metric_qualifier": null, "metric_search_spec": { "metric_index": "", "metric_name": "" }, "search": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3, true, true, true)` | eval kpi=\"User restricted from sharing forms and collecting responses\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3)`", "search_alert": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_entity(sum, count, \"OrganizationId\")` | eval sec_grp = \"default_itsi_security_group\" | `match_entities(OrganizationId, sec_grp)` | eval serviceid = \"da-itsi-cp-m365-m365-threat-management\" | `aggregate_entity_into_service(sum)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3, true, true, true)` | eval kpi=\"User restricted from sharing forms and collecting responses\", urgency=\"5\", alert_period=\"15\", serviceid=\"da-itsi-cp-m365-m365-threat-management\" | `assess_urgency` | `gettime`", "search_alert_earliest": "15", "search_alert_entities": "", "search_buckets": "", "search_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_single_value(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3)`", "search_occurrences": 1.0, "search_time_compare": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_and_compare(sum, sum, count, \"OrganizationId\", 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3)`", "search_time_series": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3)`", "search_time_series_aggregate": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_entity_time_series(sum, count, \"OrganizationId\", 15)` | `aggregate_entity_into_service_time_series(sum, 15)` | `assess_severity(da-itsi-cp-m365-m365-threat-management, da-itsi-cp-m365-7ca96b5a3c7a8582ea11f1b3)`", "search_time_series_entities": "`m365_cp_default_index` RecordTypeName=SecurityComplianceAlerts Status=Active Operation=AlertTriggered Name=\"User restricted from sharing forms and collecting responses\" \n| stats count by OrganizationId | `aggregate_raw_into_limited_entity_time_series(sum, count, \"OrganizationId\", 15)`", "search_type": "adhoc", "service_title": "M365_Threat Management", "threshold_eval": null, "threshold_field": "count", "time_policies": { "policies": { "default_policy": { "aggregate_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "entity_thresholds": { "base_severity_color": "#99D18B", "base_severity_color_light": "#DCEFD7", "base_severity_label": "normal", "base_severity_value": 2.0, "gauge_max": 100, "gauge_min": 0, "is_max_static": false, "is_min_static": true, "metric_field": "count", "render_boundary_max": 100.0, "render_boundary_min": 0.0, "threshold_levels": [] }, "policy_type": "static", "time_blocks": [], "title": "Default" } } }, "title": "User restricted from sharing forms and collecting responses", "trending_ad": { "sensitivity": 8 }, "type": "kpis_primary", "tz_offset": null, "unit": "", "urgency": 5.0, "use_time_policies": false } ], "service_tags": { "tags": [], "template_tags": [] }, "service_template_id": "", "services_depending_on_me": [ { "kpis_depending_on": [ "SHKPI-da-itsi-cp-m365-m365-threat-management" ], "service_id": "da-itsi-cp-m365-m365-security-and-compliance-alerts" } ], "services_depends_on": [], "team_id": "default_itsi_security_group", "title": "M365_Threat Management", "version": "0.0.33" }