M365 Purview Security Compliance Signal
editM365 Purview Security Compliance Signal
editCollects alerts generated by Microsoft Purview (formerly Office 365 Security & Compliance Center) through the SecurityComplianceCenter provider. These alerts represent policy violations, compliance issues, and threats detected by Microsoft Purview’s built-in detection capabilities including DLP policy matches, eDiscovery actions, retention policy violations, and other compliance-related events. This building block rule generates security events for correlation, threat hunting, and telemetry collection without creating standalone alerts, reducing alert fatigue while maintaining comprehensive visibility into Microsoft Purview’s compliance and security detections.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Purview
- Use Case: Threat Detection
- Use Case: Compliance Monitoring
- Tactic: Initial Access
- Tactic: Credential Access
- Tactic: Collection
- Tactic: Exfiltration
- Tactic: Impact
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editAdditional notes
For information on troubleshooting the maximum alerts warning please refer to this guide.
Rule query
editevent.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.code:SecurityComplianceAlerts
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/