M365 Security Compliance Admin Signal

Last updated 12 days ago on 2026-02-20

Created 12 days ago on 2026-02-20

About

Identifies administrative actions in the Microsoft 365 Security & Compliance Center including cmdlet execution, RBAC changes, security insights, and user permission modifications. These events can indicate legitimate administrative activity or potential defense evasion through security control modifications such as DLP policy removal, compliance rule changes, or privilege escalation. This building block rule generates security events for correlation, threat hunting, and telemetry collection.

Tags

Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsData Source: Microsoft PurviewUse Case: Threat DetectionUse Case: Configuration AuditingTactic: Defense EvasionTactic: PersistenceRule Type: BBRLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

↳ Impair Defenses (T1562)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

↳ Account Manipulation (T1098)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-o365.audit-*filebeat-*
Related Integrations: o365(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset:o365.audit and
    event.code:(SecurityComplianceCenterEOPCmdlet or SecurityComplianceInsights or SecurityComplianceRBAC or SecurityComplianceUserChange)

Install detection rules in Elastic Security

Detect M365 Security Compliance Admin Signal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).