Defender for Office 365 threat intelligence events M365-ThreatIntelligence

2 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-ThreatIntelligence rules matching the RecordType but no specific Operation.
TIMailData	Threat-intelligence data was recorded for a mail message by Microsoft Defender for Office 365 (malware/phish verdict surfaced in the threat-intelligence stream).

_catch_all: Defender for Office 365 threat intelligence events (catch-all)

RecordType: M365-ThreatIntelligence

Description

Catch-all for M365-ThreatIntelligence rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Threat Intelligence Signal source low: Identifies Microsoft 365 audit logs generated for Threat Intelligence signals by Microsoft Defender for Office 365. This includes phishing and malware events, campaign-related threat detections, file-based threats in SharePoint, OneDrive, and Teams, as well as Microsoft Threat Intelligence Center (MSTIC) signals. These events provide early indicators of compromise attempts and can be correlated with other signals for threat hunting and detection.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

TIMailData

RecordType: M365-ThreatIntelligence

Description

Threat-intelligence data was recorded for a mail message by Microsoft Defender for Office 365 (malware/phish verdict surfaced in the threat-intelligence stream).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	eq	`TIMailData`	1 rule	sigma, splunk
`Workload`	eq	`ThreatIntelligence`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Suspicious Email Delivered In Microsoft 365 source medium: Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder. It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Defender for Office 365 threat intelligence events M365-ThreatIntelligence

_catch_all: Defender for Office 365 threat intelligence events (catch-all)

Description

Fields #

Detection Rules #

Elastic #

References #

TIMailData

Description

Fields #

Common Indicators #

Detection Rules #

Sigma #

References #

Keyboard shortcuts

Search operators