M365 Purview DLP Signal

Status
production
Kind
building block (feeds higher-level correlation rules; not a standalone alert)
Severity
low
Time window
9m
Author
Elastic
Source
github.com/elastic/detection-rules

Identifies Microsoft 365 Data Loss Prevention (DLP) and Data Lifecycle Management (DLM) signals from Microsoft Purview across Exchange, SharePoint, OneDrive, and endpoint devices. A match means a Purview policy fired on a message, file, or endpoint action; on its own that may indicate an exfiltration attempt, a policy violation involving sensitive data, or unauthorized sharing of classified information, but it is a policy signal rather than a confirmed incident. This building block rule therefore generates low-severity events for correlation, threat hunting, and telemetry collection rather than standalone alerts, to support detection of collection and exfiltration activity.

Rule body

[metadata]
bypass_bbr_timing = true
creation_date = "2026/02/20"
integration = ["o365"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies Microsoft 365 Data Loss Prevention (DLP) and Data Lifecycle Management (DLM) signals from Microsoft Purview
across Exchange, SharePoint, OneDrive, and endpoint devices. These events indicate potential data exfiltration attempts,
policy violations involving sensitive data, or unauthorized sharing of classified information. This building block rule
generates security events for correlation, threat hunting, and telemetry collection to support detection of collection
and exfiltration activities.
"""
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Purview DLP Signal"
references = [
    "https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp",
    "https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
]
risk_score = 21
rule_id = "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f"
setup = """### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Data Source: Microsoft Purview",
    "Data Source: Microsoft Purview DLP",
    "Use Case: Threat Detection",
    "Use Case: Data Protection",
    "Tactic: Collection",
    "Tactic: Exfiltration",
    "Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit and
    event.code:(ComplianceDLPSharePoint or ComplianceDLPExchange or ComplianceDLPSharePointClassification or DLPEndpoint or ComplianceDLPExchangeClassification or ComplianceDLMExchange or ComplianceDLMSharePoint)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"

[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"

[[rule.threat.technique]]
id = "T1530"
name = "Data from Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1530/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"

[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

Stages and Predicates

Stage 1: query

event.dataset:o365.audit and
    event.code:(ComplianceDLPSharePoint or ComplianceDLPExchange or ComplianceDLPSharePointClassification or DLPEndpoint or ComplianceDLPExchangeClassification or ComplianceDLMExchange or ComplianceDLMSharePoint)
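To show what the stage-1 predicate does and does not match, here is an added example (not part of the Elastic rule or the detection-rules repository) that evaluates the same two conditions over a handful of constructed, ECS-shaped o365.audit documents. It also applies the rule's 9-minute window against event.ingested, as timestamp_override directs, so a record whose original @timestamp is old but which only just arrived from the Management Activity API still falls inside the window. The event codes are copied from the query; the sample events, their ids, and the fixed "now" are assumptions made for the example.

```python
"""Evaluate the M365 Purview DLP Signal stage-1 predicate over sample events.

Added example; not code from the Elastic detection-rules repository.
"""
from datetime import datetime, timedelta

# event.code values from the rule query (o365.audit RecordType names).
DLP_EVENT_CODES = {
    "ComplianceDLPSharePoint",
    "ComplianceDLPExchange",
    "ComplianceDLPSharePointClassification",
    "DLPEndpoint",
    "ComplianceDLPExchangeClassification",
    "ComplianceDLMExchange",
    "ComplianceDLMSharePoint",
}

LOOKBACK = timedelta(minutes=9)  # from = "now-9m"


def matches_rule(event: dict) -> bool:
    """Stage-1 predicate: event.dataset:o365.audit and event.code in the DLP/DLM set."""
    ev = event.get("event", {})
    return ev.get("dataset") == "o365.audit" and ev.get("code") in DLP_EVENT_CODES


def in_window(event: dict, now: datetime, lookback: timedelta = LOOKBACK) -> bool:
    """Apply the rule window to event.ingested (timestamp_override), not @timestamp.

    Office 365 audit records routinely arrive minutes to hours after the action
    they describe; keying the window on ingestion time keeps them evaluable.
    """
    ingested = datetime.fromisoformat(event["event"]["ingested"])
    return now - lookback <= ingested <= now


def evaluate(events: list, now: datetime) -> list:
    """Return the event ids the rule would emit as building-block events."""
    return [e["event"]["id"] for e in events if matches_rule(e) and in_window(e, now)]


# Constructed sample documents (assumed shape; not real tenant data).
NOW = datetime.fromisoformat("2026-03-24T10:00:00+00:00")
SAMPLE_EVENTS = [
    {   # old @timestamp, but ingested 5 minutes ago: still in window
        "@timestamp": "2026-03-24T09:30:00+00:00",
        "event": {"id": "evt-1", "dataset": "o365.audit",
                  "code": "ComplianceDLPExchange",
                  "ingested": "2026-03-24T09:55:00+00:00"},
    },
    {   # endpoint DLP match, ingested 8 minutes ago: in window
        "@timestamp": "2026-03-24T09:51:00+00:00",
        "event": {"id": "evt-2", "dataset": "o365.audit",
                  "code": "DLPEndpoint",
                  "ingested": "2026-03-24T09:52:00+00:00"},
    },
    {   # ordinary SharePoint download: wrong event.code
        "@timestamp": "2026-03-24T09:58:00+00:00",
        "event": {"id": "evt-3", "dataset": "o365.audit",
                  "code": "FileDownloaded",
                  "ingested": "2026-03-24T09:58:00+00:00"},
    },
    {   # right code but not the o365.audit dataset
        "@timestamp": "2026-03-24T09:58:00+00:00",
        "event": {"id": "evt-4", "dataset": "azure.auditlogs",
                  "code": "ComplianceDLPSharePoint",
                  "ingested": "2026-03-24T09:58:00+00:00"},
    },
    {   # recent @timestamp but ingested 20 minutes ago: outside the window
        "@timestamp": "2026-03-24T09:58:00+00:00",
        "event": {"id": "evt-5", "dataset": "o365.audit",
                  "code": "ComplianceDLMSharePoint",
                  "ingested": "2026-03-24T09:40:00+00:00"},
    },
]


if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS, NOW):
        print("building-block event:", event_id)
```

evt-5 illustrates why bypass_bbr_timing and the event.ingested override matter in practice: a rule keyed on @timestamp would have picked it up, while one keyed on ingestion and run every few minutes treats it as already processed by an earlier run. When validating the rule against a tenant, confirm that the o365 integration populates event.code with the RecordType name (not the numeric value) for DLP records; otherwise the predicate silently matches nothing.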

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          Kind   Values
event.code     in     ComplianceDLMExchange
                      ComplianceDLMSharePoint
                      ComplianceDLPExchange
                      ComplianceDLPExchangeClassification
                      ComplianceDLPSharePoint
                      ComplianceDLPSharePointClassification
                      DLPEndpoint
event.dataset  eq     o365.audit