« M365 OneDrive/SharePoint Excessive File Downloads M365 Purview Insider Risk Signal »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

M365 Purview DLP Signal

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

M365 Purview DLP Signal

edit

Identifies Microsoft 365 Data Loss Prevention (DLP) and Data Lifecycle Management (DLM) signals from Microsoft Purview across Exchange, SharePoint, OneDrive, and endpoint devices. These events indicate potential data exfiltration attempts, policy violations involving sensitive data, or unauthorized sharing of classified information. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support detection of collection and exfiltration activities.

Rule type: query

Rule indices:

  • logs-o365.audit-*
  • filebeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Microsoft 365
  • Data Source: Microsoft 365 Audit Logs
  • Data Source: Microsoft Purview
  • Data Source: Microsoft Purview DLP
  • Use Case: Threat Detection
  • Use Case: Data Protection
  • Tactic: Collection
  • Tactic: Exfiltration
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Additional notes

For information on troubleshooting the maximum alerts warning please refer to this guide.

Rule query

edit
event.dataset:o365.audit and
    event.code:(ComplianceDLPSharePoint or ComplianceDLPExchange or ComplianceDLPSharePointClassification or DLPEndpoint or ComplianceDLPExchangeClassification or ComplianceDLMExchange or ComplianceDLMSharePoint)

Framework: MITRE ATT&CKTM

« M365 OneDrive/SharePoint Excessive File Downloads M365 Purview Insider Risk Signal »