M365 Defender Alerts Signal

Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support comprehensive threat detection.

Rule type: query
Rule indices:

logs-o365.audit-*
filebeat-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

Domain: Cloud
Domain: SaaS
Domain: Endpoint
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Data Source: Microsoft Defender for Endpoint
Data Source: Microsoft Defender for Cloud Apps
Data Source: Microsoft Defender for Identity
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Tactic: Defense Evasion
Rule Type: BBR

Version: 1
Rule authors:

Elastic

Rule license: Elastic License v2

Additional notes

For information on troubleshooting the maximum alerts warning please refer to this guide.

Rule Query

		event.dataset:o365.audit and
    event.code:(WDATPAlerts or MCASAlerts or MicrosoftDefenderForIdentityAudit or MS365DCustomDetection or DefenderExpertsforXDRAdmin)

Framework: MITRE ATT&CK

Tactic:
- Name: Initial Access
- Id: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/

Framework: MITRE ATT&CK

Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/

Framework: MITRE ATT&CK

Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/