O365 Rules
  • 26 Jan 2024
  This documentation version is deprecated, please click here for the latest version.

Soteria's O365 ruleset provides coverage across O365 (aka M365) telemetry streams. The ruleset is designed for in-depth analysis of the Office 365 ecosystem, which includes:

  • Teams
  • Word
  • Excel
  • PowerPoint
  • Outlook
  • OneDrive
  • ...and other productivity applications.

Data access

Please note that Soteria won’t get access to your data, and you won’t be able to see or edit their rules - LimaCharlie acts as a broker between the two parties.

To leverage detection logic provided by the ruleset:

  1. Subscribe your tenant to the Soteria Office 365 ruleset extension.
  2. Subscribe your tenant to the tor lookup (provided at no cost).
  3. Configure the Office 365 Sensor to start collecting Office 365 audit logs.

Enabling Soteria's O365 Rules

Soteria's O365 rules can be activated in two ways.

Activating via the Web UI

To enable Soteria's O365 ruleset, navigate to the Extensions section of the Add-On Marketplace and search for Soteria. You can also directly select soteria-rules-o365.

Under the Organization dropdown, select the tenant (organization) you want to subscribe to Soteria's O365 rules, then click Subscribe.

You can also manage add-ons from the Subscriptions menu under Billing.

Organizations that have been subscribed to Soteria's O365 rules will be marked with a green check mark in the Organization dropdown.

Infrastructure as Code

Alternatively, to manage tenants and LimaCharlie functionality at scale, you can leverage our Infrastructure as Code functionality.

