« M365 AIR Investigation Signal M365 Entra ID Risk Detection Signal »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

M365 Defender Alerts Signal

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

M365 Defender Alerts Signal

edit

Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support comprehensive threat detection.

Rule type: query

Rule indices:

  • logs-o365.audit-*
  • filebeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Domain: Endpoint
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Data Source: Microsoft Defender for Endpoint
  • Data Source: Microsoft Defender for Cloud Apps
  • Data Source: Microsoft Defender for Identity
  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Tactic: Execution
  • Tactic: Defense Evasion
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Additional notes

For information on troubleshooting the maximum alerts warning please refer to this guide.

Rule query

edit
event.dataset:o365.audit and
    event.code:(WDATPAlerts or MCASAlerts or MicrosoftDefenderForIdentityAudit or MS365DCustomDetection or DefenderExpertsforXDRAdmin)

Framework: MITRE ATT&CKTM

« M365 AIR Investigation Signal M365 Entra ID Risk Detection Signal »