Name:O365 DLP Rule Triggered id:63a8a537-36fd-4aac-a3ea-1a96afd2c871 version:6 date:2025-03-25 author:Steven Dick status:production type:Anomaly Description:The following analytic detects when Microsoft Office 365 Data Loss Prevention (DLP) rules have been triggered. DLP rules can be configured for any number of security, regulatory, or business compliance reasons, as such this analytic will only be as accurate as the upstream DLP configuration. Detections from this analytic should be evaluated thoroughly to de termine what, if any, security relevance the underlying DLP events contain. Data_source:
-Office 365 Universal Audit Log
search:`o365_management_activity` Operation=DLPRuleMatch | eval recipient = 'ExchangeMetaData.To{}', signature_id = 'ExchangeMetaData.UniqueID', signature = 'PolicyDetails{}.Rules{}.RuleName' , src_user = UserId, reason ='PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName', result='PolicyDetails{}.Rules{}.Actions{}', file_name=case(NOT match('PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location',"Message Body"),'PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location') | fillnull | stats count min(_time) as firstTime max(_time) as lastTime values(signature) as signature values(file_name) as file_name values(ExchangeMetaData.Subject) AS subject values(Workload) as app values(result) as result by action dest user src vendor_account vendor_product src_user recipient signature_id reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_dlp_rule_triggered_filter`
how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must deploy DLP rules through O365 security and compliance functions. known_false_positives:WIll depending on accuracy of DLP rules, these can be noisy so tune appropriately. References: -https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Data Exfiltration' asset_type:O365 Tenant mitre_attack_id: - 'T1048' - 'T1567' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat