[New Rule] Microsoft UAL Security-Related Building-Block Signals (#5746)

* pushing new BBR rules for M365 UAL

* adjusted rule UUIDs

* added max threshold notes

* added mitre mapping

* adjusted from; added ignore BBR timing restriction

rules_building_block/collection_microsoft_purview_dlp_signal.toml

@@ -0,0 +1,69 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies Microsoft 365 Data Loss Prevention (DLP) and Data Lifecycle Management (DLM) signals from Microsoft Purview
+across Exchange, SharePoint, OneDrive, and endpoint devices. These events indicate potential data exfiltration attempts,
+policy violations involving sensitive data, or unauthorized sharing of classified information. This building block rule
+generates security events for correlation, threat hunting, and telemetry collection to support detection of collection
+and exfiltration activities.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Purview DLP Signal"
+references = [
+    "https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Purview",
+    "Data Source: Microsoft Purview DLP",
+    "Use Case: Threat Detection",
+    "Use Case: Data Protection",
+    "Tactic: Collection",
+    "Tactic: Exfiltration",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and
+    event.code:(ComplianceDLPSharePoint or ComplianceDLPExchange or ComplianceDLPSharePointClassification or DLPEndpoint or ComplianceDLPExchangeClassification or ComplianceDLMExchange or ComplianceDLMSharePoint)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"

rules_building_block/collection_microsoft_purview_insider_risk_signal.toml

@@ -0,0 +1,76 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies Microsoft Purview Insider Risk Management signals including alerts, cases, scoped user insights, HR signals,
+and physical badging signals. These events indicate potential insider threats, compromised user accounts, or anomalous
+user behavior patterns detected by Microsoft's behavioral analytics. This building block rule generates security events
+for correlation, threat hunting, and telemetry collection to support detection of insider threats and account compromise.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Purview Insider Risk Signal"
+references = [
+    "https://learn.microsoft.com/en-us/purview/insider-risk-management",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "f2c43e8c-ccf2-4eab-9e9a-e335da253773"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Purview",
+    "Data Source: Microsoft Purview Insider Risk",
+    "Use Case: Threat Detection",
+    "Use Case: Insider Threat Detection",
+    "Tactic: Collection",
+    "Tactic: Exfiltration",
+    "Tactic: Impact",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and
+    event.code:(PurviewInsiderRiskCases or PurviewInsiderRiskAlerts or InsiderRiskScopedUserInsights or InsiderRiskScopedUsers or InformationWorkerProtection or HRSignal or PhysicalBadgingSignal)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"

rules_building_block/credential_access_entra_id_risk_detection_signal.toml

@@ -0,0 +1,83 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies Microsoft Entra ID (formerly Azure AD) risk detection signals including risky sign-ins, compromised
+credentials, impossible travel, and other identity-based anomalies. These events indicate potential credential
+compromise, account takeover attempts, or suspicious authentication patterns detected by Microsoft's identity
+protection. This building block rule generates security events for correlation, threat hunting, and telemetry
+collection to support detection of credential access and initial access attempts.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Entra ID Risk Detection Signal"
+references = [
+    "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "cccc9be5-d8b0-466e-8a37-617eae57351a"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Protection",
+    "Use Case: Threat Detection",
+    "Use Case: Identity Threat Detection",
+    "Tactic: Credential Access",
+    "Tactic: Initial Access",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.code:AadRiskDetection
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"

rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml

@@ -0,0 +1,83 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies administrative actions in the Microsoft 365 Security & Compliance Center including cmdlet execution, RBAC
+changes, security insights, and user permission modifications. These events can indicate legitimate administrative
+activity or potential defense evasion through security control modifications such as DLP policy removal, compliance
+rule changes, or privilege escalation. This building block rule generates security events for correlation, threat
+hunting, and telemetry collection.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Security Compliance Admin Signal"
+references = [
+    "https://learn.microsoft.com/en-us/purview/audit-log-activities",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "314557e1-a642-4dbc-af43-321bc04b6618"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Purview",
+    "Use Case: Threat Detection",
+    "Use Case: Configuration Auditing",
+    "Tactic: Defense Evasion",
+    "Tactic: Persistence",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and
+    event.code:(SecurityComplianceCenterEOPCmdlet or SecurityComplianceInsights or SecurityComplianceRBAC or SecurityComplianceUserChange)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"

rules_building_block/initial_access_microsoft_air_investigation_signal.toml

@@ -0,0 +1,77 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies Microsoft 365 Automated Investigation and Response (AIR) events including automated investigations,
+manual investigations, and admin-initiated actions. These events track Microsoft's automated threat response
+activities and can indicate active threats being remediated. This building block rule generates security events
+for correlation, threat hunting, and telemetry collection to provide visibility into automated response actions.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 AIR Investigation Signal"
+references = [
+    "https://learn.microsoft.com/en-us/defender-office-365/air-about",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "7ab5b02c-0026-4c71-b523-dd1e97e15477"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Defender for Office 365",
+    "Use Case: Threat Detection",
+    "Use Case: Automated Response Tracking",
+    "Tactic: Initial Access",
+    "Tactic: Execution",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and
+    event.code:(AirInvestigation or AirManualInvestigation or AirAdminActionInvestigation)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules_building_block/initial_access_microsoft_defender_alerts_signal.toml

@@ -0,0 +1,80 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft
+Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender
+Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and
+identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry
+collection to support comprehensive threat detection.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Defender Alerts Signal"
+references = [
+    "https://learn.microsoft.com/en-us/defender-endpoint/",
+    "https://learn.microsoft.com/en-us/defender-cloud-apps/",
+    "https://learn.microsoft.com/en-us/defender-for-identity/",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "054853f3-2ce0-41f3-a6eb-4a4867f39cdc"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Domain: Endpoint",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Microsoft Defender for Cloud Apps",
+    "Data Source: Microsoft Defender for Identity",
+    "Use Case: Threat Detection",
+    "Tactic: Initial Access",
+    "Tactic: Execution",
+    "Tactic: Defense Evasion",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and
+    event.code:(WDATPAlerts or MCASAlerts or MicrosoftDefenderForIdentityAudit or MS365DCustomDetection or DefenderExpertsforXDRAdmin)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml

@@ -3,14 +3,16 @@ bypass_bbr_timing = true
 creation_date = "2025/08/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/01/20"
+updated_date = "2026/02/20"
 
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
-Identifies a Microsoft 365 audit log generated for Threat Intelligence signals by Microsoft Defender for Office 365.
-Signals generated may relate to services such as Exchange Online, SharePoint Online, OneDrive for Business and others.
+Identifies Microsoft 365 audit logs generated for Threat Intelligence signals by Microsoft Defender for Office 365.
+This includes phishing and malware events, campaign-related threat detections, file-based threats in SharePoint, OneDrive,
+and Teams, as well as Microsoft Threat Intelligence Center (MSTIC) signals. These events provide early indicators of
+compromise attempts and can be correlated with other signals for threat hunting and detection.
 """
 false_positives = [
     """
@@ -22,7 +24,6 @@ from = "now-9m"
 index = ["filebeat-*", "logs-o365.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 1000
 name = "M365 Threat Intelligence Signal"
 note = """## Triage and analysis
 
@@ -35,7 +36,7 @@ Microsoft 365 Threat Intelligence leverages audit logs to monitor activities acr
 
 ### Possible investigation steps
 
-- Review the audit logs filtered by event.dataset: "o365.audit" and event.provider: "ThreatIntelligence" to identify the specific activities flagged by the rule.
+- Review the audit logs filtered by event.dataset: "o365.audit" and the relevant event.code (ThreatIntelligence, ThreatFinder, ThreatIntelligenceAtpContent, or MSTIC) to identify the specific activities flagged by the rule.
 - Examine the user accounts associated with the flagged activities to determine if they have been compromised or are behaving anomalously.
 - Investigate the source IP addresses and locations associated with the flagged events to identify any unusual or suspicious access patterns.
 - Check for any related alerts or signals in Microsoft Defender for Office 365 that might provide additional context or corroborate the threat.
@@ -78,9 +79,11 @@ tags = [
     "Data Source: Microsoft 365",
     "Data Source: Microsoft 365 Audit Logs",
     "Data Source: Microsoft Defender",
-    "Data Source: Microsoft Defender Threat Intelligence",
+    "Data Source: Microsoft Defender for Office 365",
+    "Data Source: Microsoft Threat Intelligence",
     "Use Case: Threat Detection",
     "Tactic: Initial Access",
+    "Tactic: Execution",
     "Resources: Investigation Guide",
     "Rule Type: BBR",
 ]
@@ -88,7 +91,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: "o365.audit" and event.provider: "ThreatIntelligence"
+event.dataset: "o365.audit" and
+    event.code:(ThreatIntelligence or ThreatFinder or ThreatIntelligenceAtpContent or ThreatIntelligenceUrl or MSTIC or Campaign)
 '''
 
 
@@ -104,4 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1566/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 

rules_building_block/initial_access_microsoft_purview_security_compliance_signal.toml

@@ -0,0 +1,93 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/04"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Collects alerts generated by Microsoft Purview (formerly Office 365 Security & Compliance Center) through the
+SecurityComplianceCenter provider. These alerts represent policy violations, compliance issues, and threats detected by
+Microsoft Purview's built-in detection capabilities including DLP policy matches, eDiscovery actions, retention policy
+violations, and other compliance-related events. This building block rule generates security events for correlation,
+threat hunting, and telemetry collection without creating standalone alerts, reducing alert fatigue while maintaining
+comprehensive visibility into Microsoft Purview's compliance and security detections.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Purview Security Compliance Signal"
+references = [
+    "https://learn.microsoft.com/en-us/purview/audit-log-activities",
+    "https://learn.microsoft.com/en-us/purview/audit-solutions-overview",
+]
+risk_score = 21
+rule_id = "a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Purview",
+    "Use Case: Threat Detection",
+    "Use Case: Compliance Monitoring",
+    "Tactic: Initial Access",
+    "Tactic: Credential Access",
+    "Tactic: Collection",
+    "Tactic: Exfiltration",
+    "Tactic: Impact",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.code:SecurityComplianceAlerts
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+

rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml

@@ -0,0 +1,64 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2026/02/20"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2026/02/20"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies Microsoft 365 email quarantine, hygiene, and mail submission events. These signals indicate blocked threats,
+spam filtering actions, and user-reported suspicious emails. While these represent blocked or mitigated threats, they
+provide valuable telemetry for understanding attempted attacks and attack patterns. This building block rule generates
+security events for correlation, threat hunting, and telemetry collection.
+"""
+from = "now-9m"
+index = ["logs-o365.audit-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "M365 Quarantine and Hygiene Signal"
+references = [
+    "https://learn.microsoft.com/en-us/defender-office-365/quarantine-about",
+    "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
+]
+risk_score = 21
+rule_id = "4bae6c34-57be-403a-a556-e48f9ecef0b7"
+setup = """### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Domain: SaaS",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Data Source: Microsoft Defender for Office 365",
+    "Use Case: Threat Detection",
+    "Use Case: Blocked Threat Tracking",
+    "Tactic: Initial Access",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.code:(Quarantine or HygieneEvent or MailSubmission)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"