Purview Rules

6 detection rules in this category.

Rule	Severity	MITRE	Source
Audit logging config changed	Critical	T1562.008	AuditLog
DLP policy deleted	Critical	T1562.001	AuditLog
DLP policy disabled	High	T1562.001	AuditLog
eDiscovery case created	High	T1567	AuditLog
eDiscovery role member added	High	T1078.004	AuditLog
eDiscovery search exported	Critical	T1213	AuditLog

Audit logging config changed

Property	Value
Severity	🔴 Critical
Source	AuditLog
MITRE	T1562.008 (Defense Evasion)

Audit log configuration changed - possible tampering

Conditions

Match: all
Operation Equals Set-AdminAuditLogConfig

DLP policy deleted

Property	Value
Severity	🔴 Critical
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} deleted a DLP policy - data protection removed

Conditions

Match: all
Operation Equals Remove-DlpCompliancePolicy

DLP policy disabled

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1562.001 (Defense Evasion)

{⁠{UserId}⁠} disabled DLP policy '{⁠{ObjectId}⁠}'

Conditions

Match: all
Operation Equals Set-DlpCompliancePolicy
Parameters Contains -Mode "Test

eDiscovery case created

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1567 (Exfiltration)

{⁠{UserId}⁠} created eDiscovery case '{⁠{ObjectId}⁠}'

Conditions

Match: any
Operation Equals CaseAdded
Operation Equals New-ComplianceCase

eDiscovery role member added

Property	Value
Severity	🟠 High
Source	AuditLog
MITRE	T1078.004 (Privilege Escalation)

{⁠{UserId}⁠} added a member to an eDiscovery role group

Conditions

Match: all
Operation Equals Update-RoleGroupMember
Parameters Contains eDiscovery

eDiscovery search exported

Property	Value
Severity	🔴 Critical
Source	AuditLog
MITRE	T1213 (Collection)

{⁠{UserId}⁠} started export of eDiscovery case '{⁠{CaseName}⁠}'

Conditions

Match: any
Operation Equals PurviewSearchExportJobSubmitted
Operation Equals New-ComplianceSearchAction