M365 Purview DLP Signal

Identifies Microsoft 365 Data Loss Prevention (DLP) and Data Lifecycle Management (DLM) signals from Microsoft Purview across Exchange, SharePoint, OneDrive, and endpoint devices. These events indicate potential data exfiltration attempts, policy violations involving sensitive data, or unauthorized sharing of classified information. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support detection of collection and exfiltration activities.

Rule type: query
Rule indices:

• logs-o365.audit-*
• filebeat-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

• https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
• https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32

Tags:

• Domain: Cloud
• Domain: SaaS
• Data Source: Microsoft 365
• Data Source: Microsoft 365 Audit Logs
• Data Source: Microsoft Purview
• Data Source: Microsoft Purview DLP
• Use Case: Threat Detection
• Use Case: Data Protection
• Tactic: Collection
• Tactic: Exfiltration
• Rule Type: BBR

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

For information on troubleshooting the maximum alerts warning please refer to this guide.

event.dataset:o365.audit and
    event.code:(ComplianceDLPSharePoint or ComplianceDLPExchange or ComplianceDLPSharePointClassification or DLPEndpoint or ComplianceDLPExchangeClassification or ComplianceDLMExchange or ComplianceDLMSharePoint)
		

Framework: MITRE ATT&CK

• Tactic:
  • Name: Collection
  • Id: TA0009
  • Reference URL: https://attack.mitre.org/tactics/TA0009/

Framework: MITRE ATT&CK

• Tactic:
  • Name: Exfiltration
  • Id: TA0010
  • Reference URL: https://attack.mitre.org/tactics/TA0010/