Purview Rules
6 detection rules in this category.
| Rule | Severity | MITRE | Source |
|---|---|---|---|
| Audit logging config changed | Critical | T1562.008 | AuditLog |
| DLP policy deleted | Critical | T1562.001 | AuditLog |
| DLP policy disabled | High | T1562.001 | AuditLog |
| eDiscovery case created | High | T1567 | AuditLog |
| eDiscovery role member added | High | T1078.004 | AuditLog |
| eDiscovery search exported | Critical | T1213 | AuditLog |
Audit logging config changed
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1562.008 (Defense Evasion) |
Audit log configuration changed - possible tampering
Conditions
- Match: all
| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Set-AdminAuditLogConfig |
DLP policy deleted
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1562.001 (Defense Evasion) |
{{UserId}} deleted a DLP policy - data protection removed
Conditions
- Match: all
| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Remove-DlpCompliancePolicy |
DLP policy disabled
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1562.001 (Defense Evasion) |
{{UserId}} disabled DLP policy '{{ObjectId}}'
Conditions
- Match: all
| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Set-DlpCompliancePolicy |
| Parameters | Contains | -Mode "Test |
eDiscovery case created
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1567 (Exfiltration) |
{{UserId}} created eDiscovery case '{{ObjectId}}'
Conditions
- Match: any
| Field | Operator | Value |
|---|---|---|
| Operation | Equals | CaseAdded |
| Operation | Equals | New-ComplianceCase |
eDiscovery role member added
| Property | Value |
|---|---|
| Severity | 🟠 High |
| Source | AuditLog |
| MITRE | T1078.004 (Privilege Escalation) |
{{UserId}} added a member to an eDiscovery role group
Conditions
- Match: all
| Field | Operator | Value |
|---|---|---|
| Operation | Equals | Update-RoleGroupMember |
| Parameters | Contains | eDiscovery |
eDiscovery search exported
| Property | Value |
|---|---|
| Severity | 🔴 Critical |
| Source | AuditLog |
| MITRE | T1213 (Collection) |
{{UserId}} started export of eDiscovery case '{{CaseName}}'
Conditions
- Match: any
| Field | Operator | Value |
|---|---|---|
| Operation | Equals | PurviewSearchExportJobSubmitted |
| Operation | Equals | New-ComplianceSearchAction |
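The following is an added example, not code from this page or from the rule engine behind it: a small evaluator that takes the six rules above in their Field / Operator / Value form (Match: all is AND, Match: any is OR) and runs them over constructed stand-ins for Unified Audit Log records. The record field names (Operation, UserId, ObjectId, Parameters, CaseName) and the flattening of a Parameters list into `-Name "Value"` text, which is what the `-Mode "Test` condition is written against, are assumptions. The sample set also includes a `New-ComplianceSearchAction` record with `-Purge` rather than `-Export`: because the last rule matches on Operation alone, a purge fires the "eDiscovery search exported" alert as written, which is worth knowing before tuning.

```python
"""Evaluate this page's Purview rules against constructed audit-log records.

Rules are transcribed from the page.  Records are minimal, constructed
stand-ins for Office 365 Unified Audit Log entries; the field names used
here are assumptions, not a schema taken from the page.
"""
import re

RULES = [
    {"name": "Audit logging config changed", "severity": "Critical", "match": "all",
     "conditions": [("Operation", "Equals", "Set-AdminAuditLogConfig")],
     "message": "Audit log configuration changed - possible tampering"},
    {"name": "DLP policy deleted", "severity": "Critical", "match": "all",
     "conditions": [("Operation", "Equals", "Remove-DlpCompliancePolicy")],
     "message": "{{UserId}} deleted a DLP policy - data protection removed"},
    {"name": "DLP policy disabled", "severity": "High", "match": "all",
     "conditions": [("Operation", "Equals", "Set-DlpCompliancePolicy"),
                    ("Parameters", "Contains", '-Mode "Test')],
     "message": "{{UserId}} disabled DLP policy '{{ObjectId}}'"},
    {"name": "eDiscovery case created", "severity": "High", "match": "any",
     "conditions": [("Operation", "Equals", "CaseAdded"),
                    ("Operation", "Equals", "New-ComplianceCase")],
     "message": "{{UserId}} created eDiscovery case '{{ObjectId}}'"},
    {"name": "eDiscovery role member added", "severity": "High", "match": "all",
     "conditions": [("Operation", "Equals", "Update-RoleGroupMember"),
                    ("Parameters", "Contains", "eDiscovery")],
     "message": "{{UserId}} added a member to an eDiscovery role group"},
    {"name": "eDiscovery search exported", "severity": "Critical", "match": "any",
     "conditions": [("Operation", "Equals", "PurviewSearchExportJobSubmitted"),
                    ("Operation", "Equals", "New-ComplianceSearchAction")],
     "message": "{{UserId}} started export of eDiscovery case '{{CaseName}}'"},
]


def field_text(record, field):
    """Return a record field as text.  Assumption: a Parameters list of
    {"Name", "Value"} pairs is flattened to '-Name "Value"' text so that the
    page's Contains conditions apply to both list and string forms."""
    value = record.get(field, "")
    if field == "Parameters" and isinstance(value, list):
        value = " ".join(f'-{p["Name"]} "{p["Value"]}"' for p in value)
    return str(value)


# Operators used by the page; both compare case-insensitively because
# audit-log Operation names and cmdlet parameters vary in case.
OPERATORS = {
    "Equals": lambda actual, expected: actual.lower() == expected.lower(),
    "Contains": lambda actual, expected: expected.lower() in actual.lower(),
}


def rule_matches(rule, record):
    results = [OPERATORS[op](field_text(record, field), expected)
               for field, op, expected in rule["conditions"]]
    return all(results) if rule["match"] == "all" else any(results)


def render(template, record):
    """Fill {{Field}} placeholders; a field missing from the record is shown
    as <unknown> rather than raising, so an alert is never dropped."""
    return re.sub(r"\{\{(\w+)\}\}",
                  lambda m: str(record.get(m.group(1), "<unknown>")), template)


def evaluate(records, rules=RULES):
    """Return one alert dict per (record, matching rule)."""
    alerts = []
    for rec in records:
        for rule in rules:
            if rule_matches(rule, rec):
                alerts.append({"rule": rule["name"], "severity": rule["severity"],
                               "user": rec.get("UserId"),
                               "message": render(rule["message"], rec)})
    return alerts


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"Operation": "Set-AdminAuditLogConfig", "UserId": "admin@contoso.example",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"Operation": "Set-DlpCompliancePolicy", "UserId": "admin@contoso.example",
     "ObjectId": "Finance DLP",
     "Parameters": '-Identity "Finance DLP" -Mode "TestWithoutNotifications"'},
    {"Operation": "Set-DlpCompliancePolicy", "UserId": "admin@contoso.example",
     "ObjectId": "Finance DLP", "Parameters": '-Identity "Finance DLP" -Comment "reviewed"'},
    {"Operation": "New-ComplianceCase", "UserId": "legal@contoso.example",
     "ObjectId": "Case 0042"},
    {"Operation": "Update-RoleGroupMember", "UserId": "admin@contoso.example",
     "Parameters": '-Identity "eDiscovery Manager" -Members "jdoe@contoso.example"'},
    {"Operation": "PurviewSearchExportJobSubmitted", "UserId": "legal@contoso.example",
     "CaseName": "Case 0042"},
    {"Operation": "New-ComplianceSearchAction", "UserId": "legal@contoso.example",
     "Parameters": '-SearchName "Case 0042 search" -Purge -PurgeType SoftDelete'},
    {"Operation": "Get-Mailbox", "UserId": "helpdesk@contoso.example"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_RECORDS):
        print(f'[{a["severity"]}] {a["rule"]}: {a["message"]}')
```

The third sample record (a `Set-DlpCompliancePolicy` that only edits the comment) stays silent, which is the point of the Parameters condition on the "DLP policy disabled" rule; the purge record shows the opposite problem, an alert the rule name does not describe. If purges and previews are to be excluded, add a `Parameters Contains -Export` condition alongside `New-ComplianceSearchAction` rather than relying on Operation alone.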