Loading

M365 Purview Security Compliance Signal

Collects alerts generated by Microsoft Purview (formerly Office 365 Security & Compliance Center) through the SecurityComplianceCenter provider. These alerts represent policy violations, compliance issues, and threats detected by Microsoft Purview's built-in detection capabilities including DLP policy matches, eDiscovery actions, retention policy violations, and other compliance-related events. This building block rule generates security events for correlation, threat hunting, and telemetry collection without creating standalone alerts, reducing alert fatigue while maintaining comprehensive visibility into Microsoft Purview's compliance and security detections.

Rule type: query
Rule indices:

  • logs-o365.audit-*
  • filebeat-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Data Source: Microsoft Purview
  • Use Case: Threat Detection
  • Use Case: Compliance Monitoring
  • Tactic: Initial Access
  • Tactic: Credential Access
  • Tactic: Collection
  • Tactic: Exfiltration
  • Tactic: Impact
  • Rule Type: BBR

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

For information on troubleshooting the maximum alerts warning please refer to this guide.

event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.code:SecurityComplianceAlerts

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK