M365 Defender Alerts Signal

Last updated 12 days ago on 2026-02-20

Created 12 days ago on 2026-02-20

About

Identifies alerts generated by Microsoft Defender products including Windows Defender for Endpoint (WDATP), Microsoft Cloud App Security (MCAS), Microsoft Defender for Identity, Microsoft 365 Defender custom detections, and Defender Experts for XDR. These cross-platform alerts indicate detected threats across endpoints, cloud applications, and identity systems. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support comprehensive threat detection.

Tags

Domain: CloudDomain: SaaSDomain: EndpointData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsData Source: Microsoft Defender for EndpointData Source: Microsoft Defender for Cloud AppsData Source: Microsoft Defender for IdentityUse Case: Threat DetectionTactic: Initial AccessTactic: ExecutionTactic: Defense EvasionRule Type: BBRLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-o365.audit-*filebeat-*
Related Integrations: o365(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset:o365.audit and
    event.code:(WDATPAlerts or MCASAlerts or MicrosoftDefenderForIdentityAudit or MS365DCustomDetection or DefenderExpertsforXDRAdmin)

Install detection rules in Elastic Security

Detect M365 Defender Alerts Signal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).