Techniques
Sample rules
O365 DLP Rule Triggered
- source: splunk
- technicques:
- T1048
- T1567
Description
The following analytic detects when Microsoft Office 365 Data Loss Prevention (DLP) rules have been triggered. DLP rules can be configured for any number of security, regulatory, or business compliance reasons, as such this analytic will only be as accurate as the upstream DLP configuration. Detections from this analytic should be evaluated thoroughly to determine what, if any, security relevance the underlying DLP events contain.
Detection logic
`o365_management_activity` Operation=DLPRuleMatch
| eval recipient = 'ExchangeMetaData.To{}', signature_id = 'ExchangeMetaData.UniqueID', signature = 'PolicyDetails{}.Rules{}.RuleName' , src_user = UserId, reason ='PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.SensitiveInformationTypeName', result='PolicyDetails{}.Rules{}.Actions{}', file_name=case(NOT match('PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location',"Message Body"),'PolicyDetails{}.Rules{}.ConditionsMatched.SensitiveInformation{}.Location')
| stats min(_time) as firstTime max(_time) as lastTime values(signature) as signature values(file_name) as file_name values(ExchangeMetaData.Subject) AS subject values(Workload) as app values(result) as result by src_user,recipient,signature_id,reason
| `o365_dlp_rule_triggered_filter`
| stats count min(firstTime) as firstTime max(lastTime) as lastTime values(*) AS * by src_user,signature_id
| eval action = CASE(match(result,"Halt"),"blocked",isnotnull(result),"alert",true(),"allow")
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`