Loading

M365 Security Compliance Admin Signal

Identifies administrative actions in the Microsoft 365 Security & Compliance Center including cmdlet execution, RBAC changes, security insights, and user permission modifications. These events can indicate legitimate administrative activity or potential defense evasion through security control modifications such as DLP policy removal, compliance rule changes, or privilege escalation. This building block rule generates security events for correlation, threat hunting, and telemetry collection.

Rule type: query
Rule indices:

  • logs-o365.audit-*
  • filebeat-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Data Source: Microsoft Purview
  • Use Case: Threat Detection
  • Use Case: Configuration Auditing
  • Tactic: Defense Evasion
  • Tactic: Persistence
  • Rule Type: BBR

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

For information on troubleshooting the maximum alerts warning please refer to this guide.

event.dataset:o365.audit and
    event.code:(SecurityComplianceCenterEOPCmdlet or SecurityComplianceInsights or SecurityComplianceRBAC or SecurityComplianceUserChange)

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK