M365 PUR-AS-E5 Mappings

Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. This capability provides visibility into the activities performed across your Microsoft 365 organization.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
PUR-AS-E5 Audit Solutions detect partial T1548 Abuse Elevation Control Mechanism
Comments
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detects Abuse Elevation Control Mechanism attacks through its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1548.005 Temporary Elevated Cloud Access
Comments
Microsoft's Audit Solutions detects Temporary Elevated Cloud Access attacks through its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1087 Account Discovery
Comments
Microsoft's Audit Solutions detects Account Discovery attacks through the File and Page Audit Log activities, which monitor for access to file resources that contain local accounts and groups information and look for non-admin objects (such as users or processes) attempting to access restricted file resources. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1087.004 Cloud Account
Comments
Microsoft's Audit Solutions protects from Cloud Account attacks by allowing admins to search and routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1059 Command and Scripting Interpreter
Comments
Microsoft's Audit Solutions detects Command and Scripting Interpreter attacks due to Audit Solutions providing the visibility to monitor log files for process execution and monitor contextual data about a running process. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1059.009 Cloud API
Comments
Microsoft's Audit Solutions detects Cloud API attacks due to Audit Solutions providing the visibility to review command history and history of executed API commands in cloud audit logs to determine if unauthorized or suspicious commands were executed. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1530 Data from Cloud Storage
Comments
Microsoft's Audit Solutions protects from Data from Cloud Storage attacks due to Audit Solutions providing the visibility to frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1213 Data from Information Repositories
Comments
Microsoft's Audit Solutions protects from Data from Information Repository attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1213.002 Sharepoint
Comments
Microsoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1114 Email Collection
Comments
Microsoft's Audit Solutions protects from Email Collection attacks because, in an Exchange environment, administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1114.002 Remote Email Collection
Comments
Microsoft's Audit Solutions detects Remote Email Collection attacks because, in O365 environments, admins can consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1114.003 Email Forwarding Rule
Comments
Microsoft's Audit Solutions protects from Email Forwarding Rule attacks because administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-forwarding and transport rules. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1606 Forge Web Credentials
Comments
Microsoft's Audit Solutions protects from Forge Web Credential attacks due to Audit Solutions providing the visibility to allow administrators to perform an audit of all access lists and the permissions they have been granted to access web applications and services. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1564 Hide Artifacts
Comments
Microsoft's Audit Solutions detects Hide Artifacts attacks through the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1564.008 Email Hiding Rules
Comments
Microsoft's Audit Solutions protects from Email Hiding Rule attacks because administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-forwarding and transport rules. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1546 Event Triggered Execution
Comments
Microsoft's Audit Solutions detects Event Triggered Execution attacks through the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1562 Impair Defenses
Comments
Microsoft's Audit Solutions protects from Impair Defense attacks due to Audit Solutions providing the visibility to allow admins to routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1562.008 Disable or Modify Cloud Logs
Comments
Microsoft's Audit Solutions detects Disable or Modify Cloud Log attacks through the user administration Audit Log activities, which monitor for changes to account settings associated with users that may impact defensive logging capabilities. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1070 Indicator Removal
Comments
Microsoft's Audit Solutions detects Indicator Removal attacks through the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1070.008 Clear Mailbox Data
Comments
Microsoft's Audit Solutions protects from Clear Mailbox Data attacks because administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1556 Modify Authentication Process
Comments
Microsoft's Audit Solutions protects from Modify Authentication Process attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1556.006 Multi-Factor Authentication
Comments
Microsoft's Audit Solutions protects from Multi-Factor Authentication attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions detect partial T1566 Phishing
Comments
Microsoft's Audit Solutions detects Phishing attacks through the File and Page Audit Log activities, which monitor for newly constructed files from phishing messages. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1566.002 Spearphishing Link
Comments
Microsoft's Audit Solutions protects from Spearphishing Link attacks due to Audit Solutions providing the visibility to allow admins to audit applications and their permissions to ensure access to data and resources is limited based upon necessity and the principle of least privilege. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1528 Steal Application Access Token
Comments
Microsoft's Audit Solutions protects from Steal Application Access Token attacks due to Audit Solutions providing the visibility to allow admins to audit all cloud accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, admins can perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1552 Unsecured Credentials
Comments
Microsoft's Audit Solutions protects from Unsecured Credential attacks due to Audit Solutions providing the visibility to allow admins to preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1552.008 Chat Messages
Comments
Microsoft's Audit Solutions protects from Chat Messages attacks due to Audit Solutions providing the visibility to allow admins to preemptively search through communication services to find shared unsecured credentials. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1078 Valid Accounts
Comments
Microsoft's Audit Solutions protects from Valid Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed. License Requirements: Microsoft 365 E3 and E5
References
PUR-AS-E5 Audit Solutions protect partial T1078.004 Cloud Accounts
Comments
Microsoft's Audit Solutions protects from Cloud Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed. License Requirements: Microsoft 365 E3 and E5
References