M365 Security Compliance Admin Signal
editM365 Security Compliance Admin Signal
editIdentifies administrative actions in the Microsoft 365 Security & Compliance Center including cmdlet execution, RBAC changes, security insights, and user permission modifications. These events can indicate legitimate administrative activity or potential defense evasion through security control modifications such as DLP policy removal, compliance rule changes, or privilege escalation. This building block rule generates security events for correlation, threat hunting, and telemetry collection.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Purview
- Use Case: Threat Detection
- Use Case: Configuration Auditing
- Tactic: Defense Evasion
- Tactic: Persistence
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editAdditional notes
For information on troubleshooting the maximum alerts warning please refer to this guide.
Rule query
editevent.dataset:o365.audit and
event.code:(SecurityComplianceCenterEOPCmdlet or SecurityComplianceInsights or SecurityComplianceRBAC or SecurityComplianceUserChange)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
-
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/