O365 DLP Rule Triggered

Original Source: [splunk source]
Name:O365 DLP Rule Triggered
id:63a8a537-36fd-4aac-a3ea-1a96afd2c871
version:6
date:2025-03-25
author:Steven Dick
status:production
type:Anomaly
Description:The following analytic detects when Microsoft Office 365 Data Loss Prevention (DLP) rules have been triggered. DLP rules can be configured for any number of security, regulatory, or business compliance reasons, as such this analytic will only be as accurate as the upstream DLP configuration. Detections from this analytic should be evaluated thoroughly to de termine what, if any, security relevance the underlying DLP events contain.
Data_source:
  • -Office 365 Universal Audit Log
search:`o365_management_activity` Operation=DLPRuleMatch
| eval recipient = 'ExchangeMetaData.To{}', signature_id = 'ExchangeMetaData.UniqueID', signature = 'PolicyDetails{}.Rules{}.RuleName' , src_user = UserId, reason ='PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName', result='PolicyDetails{}.Rules{}.Actions{}', file_name=case(NOT match('PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location',"Message Body"),'PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location')
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(signature) as signature values(file_name) as file_name values(ExchangeMetaData.Subject) AS subject values(Workload) as app values(result) as result by action dest user src vendor_account vendor_product src_user recipient signature_id reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_dlp_rule_triggered_filter`


how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must deploy DLP rules through O365 security and compliance functions.
known_false_positives:WIll depending on accuracy of DLP rules, these can be noisy so tune appropriately.
References:
  -https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
drilldown_searches:
name:'View the detection results for - "$user$"'
search:'%original_detection_search% | search user = "$user$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$user$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Data Exfiltration'
  asset_type:O365 Tenant
  mitre_attack_id:
    - 'T1048'
    - 'T1567'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:threat

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
  sourcetype: o365:management:activity
  source: o365
manual_test:None

Related Analytic Stories


Data Exfiltration