M365 Purview Insider Risk Signal
editM365 Purview Insider Risk Signal
editIdentifies Microsoft Purview Insider Risk Management signals including alerts, cases, scoped user insights, HR signals, and physical badging signals. These events indicate potential insider threats, compromised user accounts, or anomalous user behavior patterns detected by Microsoft’s behavioral analytics. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support detection of insider threats and account compromise.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Purview
- Data Source: Microsoft Purview Insider Risk
- Use Case: Threat Detection
- Use Case: Insider Threat Detection
- Tactic: Collection
- Tactic: Exfiltration
- Tactic: Impact
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editAdditional notes
For information on troubleshooting the maximum alerts warning please refer to this guide.
Rule query
editevent.dataset:o365.audit and
event.code:(PurviewInsiderRiskCases or PurviewInsiderRiskAlerts or InsiderRiskScopedUserInsights or InsiderRiskScopedUsers or InformationWorkerProtection or HRSignal or PhysicalBadgingSignal)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/