From dc03849d08badf7412c75a01ef864921fe063696 Mon Sep 17 00:00:00 2001
From: developutm
Date: Fri, 12 Jun 2026 18:52:04 +0000
Subject: [PATCH] feat(rules/o365): add Audit Log Purge detection rule
---
 rules/office365/o365-audit-log-purge.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/office365/o365-audit-log-purge.yml
diff --git a/rules/office365/o365-audit-log-purge.yml b/rules/office365/o365-audit-log-purge.yml
new file mode 100644
index 000000000..bb255dae4
--- /dev/null
+++ b/rules/office365/o365-audit-log-purge.yml
@@ -0,0 +1,22 @@
+# Rule version v1.0.0
+
+name: O365 Audit Log Purge
+description: |
+ Detects attempts to purge, delete, or remove audit log data from Office 365.
+ Attackers commonly destroy audit evidence to cover their tracks after compromising
+ an environment. Detection of audit log deletion activities is a strong indicator
+ of an active adversary attempting to evade detection and hinder incident response.
+category: "Defense Evasion"
+technique: "T1070 - Indicator Removal"
+references:
+ - "https://attack.mitre.org/techniques/T1070/"
+dataTypes:
+ - o365
+adversary: origin
+impact:
+ confidentiality: 2
+ integrity: 3
+ availability: 0
+where: oneOf("action", ["DSIPurgeStarted", "AuditSearchDeleted", "HardDelete"])
+groupBy:
+ - adversary.user
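Review bot: The `where` clause matches `HardDelete` on `action` alone, which is far broader than an audit-log purge: `HardDelete` is also the Exchange mailbox-audit operation recorded when a user permanently deletes mail items, so if the `o365` data type normalizes mailbox audit records into the same `action` field this rule will fire on routine mailbox housekeeping and bury the two purge-specific values. Either drop it, `where: oneOf("action", ["DSIPurgeStarted", "AuditSearchDeleted"])`, or add a second condition that scopes the match to the audit/compliance workload, whichever field the data source exposes for that. If it stays, document the choice above the line, `# HardDelete also covers ordinary Exchange mailbox item deletions; expect noise unless scoped by workload`, so the next tuner knows the false-positive source. The `description` block is indented by one space under `description: |`, which is valid but inconsistent with the two-space sequences elsewhere in the repository's style guidance; consider normalizing it while the file is new.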