4. Detection Methods

The detection logic below is defender-operable guidance. Where logic is directly supported by a documented case or primary source, it is cited. Where the correlation is an engineering synthesis, it is marked [Inferred].

Environment Validation Required
- Windows Event IDs listed below are standard audit policy outputs; they require correct audit policy configuration and are not produced by default on all systems.
- Validate all event IDs and M365 operation names in your environment — audit policy settings, licence tier, and tenant configuration affect what is actually generated.
- Specific thresholds listed are illustrative starting points; production values must be calibrated to your environment.
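One way to act on the validation requirement above, as an added example that is not part of the original document: a Python check that parses the CSV form of `auditpol /get /category:* /r` and reports which of a rule set's Windows event IDs are backed by an enabled audit subcategory. The CSV sample is constructed (the GUID column is a placeholder), and the `REQUIRED` map, listing which event IDs a hypothetical rule set relies on and the Success/Failure setting each needs, is an assumption; the event-ID-to-subcategory pairings themselves are the standard Windows audit subcategories for those events.

```python
import csv
import io

# Constructed sample of `auditpol /get /category:* /r` output. The column
# layout and setting strings follow the tool's CSV format; the rows are
# fabricated for this example and the GUID column is a placeholder.
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,User Account Management,{GUID-PLACEHOLDER},Success and Failure,
HOST01,System,Security Group Management,{GUID-PLACEHOLDER},No Auditing,
HOST01,System,Logon,{GUID-PLACEHOLDER},Success,
HOST01,System,Process Creation,{GUID-PLACEHOLDER},No Auditing,
"""

# Assumed requirements of a hypothetical rule set: event ID -> (subcategory
# that generates it, inclusion setting the rule needs). The subcategory
# pairings are standard Windows audit facts; which rules need which is
# an assumption for the example.
REQUIRED = {
    4720: ("User Account Management", "Success"),   # user account created
    4732: ("Security Group Management", "Success"), # member added to local group
    4624: ("Logon", "Success"),                     # successful logon
    4625: ("Logon", "Failure"),                     # failed logon
    4688: ("Process Creation", "Success"),          # new process created
}


def setting_to_flags(setting):
    """Map an auditpol 'Inclusion Setting' string to the set of enabled outcomes."""
    text = setting.strip().lower()
    flags = set()
    if "success" in text:
        flags.add("Success")
    if "failure" in text:
        flags.add("Failure")
    return flags  # "No Auditing" (or an unknown value) yields an empty set


def parse_auditpol(csv_text):
    """Return {subcategory: {"Success", "Failure"}} from auditpol /r CSV text."""
    policy = {}
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        name = (row.get("Subcategory") or "").strip()
        if not name:
            continue  # skip blank or malformed rows
        policy[name] = setting_to_flags(row.get("Inclusion Setting") or "")
    return policy


def coverage_gaps(csv_text, required):
    """List event IDs whose generating subcategory is not audited as the rule needs."""
    policy = parse_auditpol(csv_text)
    gaps = []
    for event_id in sorted(required):
        subcategory, needed = required[event_id]
        actual = policy.get(subcategory)
        if actual is None or needed not in actual:
            gaps.append({
                "event_id": event_id,
                "subcategory": subcategory,
                "needed": needed,
                "actual": "(not present)" if actual is None else sorted(actual),
            })
    return gaps


if __name__ == "__main__":
    for gap in coverage_gaps(SAMPLE_AUDITPOL_CSV, REQUIRED):
        print(f"Event {gap['event_id']}: '{gap['subcategory']}' needs "
              f"{gap['needed']}, configured {gap['actual']}")
```

On a real host the CSV would come from `auditpol /get /category:* /r` run with administrative rights; feeding that text to `coverage_gaps` before deploying the rules below tells you which event IDs will never appear regardless of how well the detection logic is written.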

Detection Method Index

| Section | Method Class | Deployment Tier |
|---|---|---|
| 4.1 Deterministic Rules | Fire on specific artefact patterns with near-zero legitimate prevalence | Tier 1 — Deploy first |
| 4.2 Behavioural Heuristics | Require baseline period; catch "authorised but abnormal" behaviour | Tier 2–3 |
| 4.3 Identity & Privilege Anomalies | Privileged account creation, access creep, lateral movement | Tier 1–2 |
| 4.4 Exfiltration Path Coverage | All meaningful exfiltration channels | Tier 1–3 |
| 4.5 Sabotage Signals | Control-plane monitoring for destructive actions | Tier 1–2 |
| 4.6 UEBA and Anomaly Models | Entity risk scoring, peer clustering, ML models | Tier 3–4 |
| 4.7 Covering-Tracks Detection | Phase 6 second detection opportunity | Tier 1 |