8993d1450b
--------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
[metadata]
|
|
bypass_bbr_timing = true
|
|
creation_date = "2026/02/20"
|
|
integration = ["o365"]
|
|
maturity = "production"
|
|
updated_date = "2026/03/24"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
building_block_type = "default"
|
|
description = """
|
|
Identifies Microsoft 365 Data Loss Prevention (DLP) and Data Lifecycle Management (DLM) signals from Microsoft Purview
|
|
across Exchange, SharePoint, OneDrive, and endpoint devices. These events indicate potential data exfiltration attempts,
|
|
policy violations involving sensitive data, or unauthorized sharing of classified information. This building block rule
|
|
generates security events for correlation, threat hunting, and telemetry collection to support detection of collection
|
|
and exfiltration activities.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["logs-o365.audit-*", "filebeat-*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "M365 Purview DLP Signal"
|
|
references = [
|
|
"https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp",
|
|
"https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f"
|
|
setup = """### Additional notes
|
|
|
|
For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
|
|
"""
|
|
severity = "low"
|
|
tags = [
|
|
"Domain: Cloud",
|
|
"Domain: SaaS",
|
|
"Data Source: Microsoft 365",
|
|
"Data Source: Microsoft 365 Audit Logs",
|
|
"Data Source: Microsoft Purview",
|
|
"Data Source: Microsoft Purview DLP",
|
|
"Use Case: Threat Detection",
|
|
"Use Case: Data Protection",
|
|
"Tactic: Collection",
|
|
"Tactic: Exfiltration",
|
|
"Rule Type: BBR",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset:o365.audit and
|
|
event.code:(ComplianceDLPSharePoint or ComplianceDLPExchange or ComplianceDLPSharePointClassification or DLPEndpoint or ComplianceDLPExchangeClassification or ComplianceDLMExchange or ComplianceDLMSharePoint)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1005"
|
|
name = "Data from Local System"
|
|
reference = "https://attack.mitre.org/techniques/T1005/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1114"
|
|
name = "Email Collection"
|
|
reference = "https://attack.mitre.org/techniques/T1114/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1530"
|
|
name = "Data from Cloud Storage"
|
|
reference = "https://attack.mitre.org/techniques/T1530/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0009"
|
|
name = "Collection"
|
|
reference = "https://attack.mitre.org/tactics/TA0009/"
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1567"
|
|
name = "Exfiltration Over Web Service"
|
|
reference = "https://attack.mitre.org/techniques/T1567/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1567.002"
|
|
name = "Exfiltration to Cloud Storage"
|
|
reference = "https://attack.mitre.org/techniques/T1567/002/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0010"
|
|
name = "Exfiltration"
|
|
reference = "https://attack.mitre.org/tactics/TA0010/"
|
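Review bot: The `description` block states that the matched events "indicate potential data exfiltration attempts, policy violations ... or unauthorized sharing", but the `query` also enumerates `ComplianceDLMExchange` and `ComplianceDLMSharePoint` (Data Lifecycle Management, i.e. retention actions) and the two `*Classification` record types, which report classification results rather than DLP policy matches, so a large share of the emitted signals will not be violations at all. Since this is a BBR consumed by correlation rules, the description should say so; a sentence such as `Not every matched record type is a policy violation: DLM records track lifecycle/retention actions and classification records report label decisions, so downstream rules should key on the policy-match details within the event rather than on this signal alone.` would prevent the telemetry from being over-read. The `event.code` list is also a fixed enumeration, so any further DLP-related record types in the referenced AuditLogRecordType enum, now or as Microsoft adds them, are silently outside coverage; a trailing comment in the rule such as `# Record types must be maintained by hand against the AuditLogRecordType enum in the references` would flag that maintenance burden for future editors.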