M365 Purview Insider Risk Signal
Identifies Microsoft Purview Insider Risk Management signals including alerts, cases, scoped user insights, HR signals, and physical badging signals. These events indicate potential insider threats, compromised user accounts, or anomalous user behavior patterns detected by Microsoft's behavioral analytics. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support detection of insider threats and account compromise.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
- https://learn.microsoft.com/en-us/purview/insider-risk-management
- https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Purview
- Data Source: Microsoft Purview Insider Risk
- Use Case: Threat Detection
- Use Case: Insider Threat Detection
- Tactic: Collection
- Tactic: Exfiltration
- Tactic: Impact
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
For information on troubleshooting the maximum alerts warning please refer to this guide.
event.dataset:o365.audit and
event.code:(PurviewInsiderRiskCases or PurviewInsiderRiskAlerts or InsiderRiskScopedUserInsights or InsiderRiskScopedUsers or InformationWorkerProtection or HRSignal or PhysicalBadgingSignal)
Framework: MITRE ATT&CK
- Tactic:
- Name: Collection
- Id: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
Framework: MITRE ATT&CK
- Tactic:
- Name: Exfiltration
- Id: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Framework: MITRE ATT&CK
- Tactic:
- Name: Impact
- Id: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/