
Commit db9a69d

Update and rename o365_excessive_os_vendors_authenticating_from_user.yml to o365_multiple_os_vendors_authenticating_from_user.yml
rename to align with existing similar detections
1 parent 7186803 commit db9a69d

File tree

1 file changed

+3
-3
lines changed


detections/cloud/o365_excessive_os_vendors_authenticating_from_user.yml renamed to detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml

Lines changed: 3 additions & 3 deletions
@@ -1,4 +1,4 @@
1-
name: O365 Excessive OS Vendors Authenticating From User
1+
name: O365 Multiple OS Vendors Authenticating From User
22
id: 3451e58a-9457-4985-a600-b616b0cbfda1
33
version: 1
44
date: '2024-12-19'
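Review bot: the `name` field changes while `version: 1` and `date: '2024-12-19'` are left untouched in this hunk; if the analytic has already shipped under the old name, bump the version (and update the date) so deployed copies can be told apart from the renamed one, with the unchanged `id: 3451e58a-...` remaining the stable identifier that downstream content keys on.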
@@ -16,7 +16,7 @@ search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
1616
| eval src = ClientIP, user = UserId
1717
| `security_content_ctime(firstTime)`
1818
| `security_content_ctime(lastTime)`
19-
| `o365_excessive_os_vendors_authenticating_from_user_filter`'
19+
| `o365_multiple_os_vendors_authenticating_from_user_filter`'
2020
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique OS) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
2121
known_false_positives: IP or users where the usage of multiple Operating systems is expected, filter accordingly.
2222
references:
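Review bot: the filter macro is renamed from `o365_excessive_os_vendors_authenticating_from_user_filter` to `o365_multiple_os_vendors_authenticating_from_user_filter`, but this commit touches only one file, so the macro definition that backs it is not renamed here; the search will fail at runtime with an undefined macro until the matching macro file is renamed in the same change. Also confirm nothing else (saved searches, risk rules, docs) still references the old detection name or macro.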
@@ -54,7 +54,7 @@ tags:
5454
- name: user
5555
type: User
5656
role:
57-
- Victim
57+
- Attacker
5858
product:
5959
- Splunk Enterprise
6060
- Splunk Enterprise Security
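Review bot: flipping `role:` from `- Victim` to `- Attacker` on the `user` observable is not a rename and is not covered by the commit message ("rename to align with existing similar detections"); either state the rationale in the message or split it into its own commit. Since the search binds `user = UserId`, i.e. the account observed authenticating from multiple OS vendors, that account reads more naturally as the compromised party (Victim) with `src = ClientIP` carrying the attacker side, so the change to Attacker should be justified against how the "similar detections" being aligned with assign these roles.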
