M365 Purview Insider Risk Signal

Last updated 12 days ago on 2026-02-20

Created 12 days ago on 2026-02-20

About

Identifies Microsoft Purview Insider Risk Management signals including alerts, cases, scoped user insights, HR signals, and physical badging signals. These events indicate potential insider threats, compromised user accounts, or anomalous user behavior patterns detected by Microsoft's behavioral analytics. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support detection of insider threats and account compromise.

Tags

Domain: CloudDomain: SaaSData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsData Source: Microsoft PurviewData Source: Microsoft Purview Insider RiskUse Case: Threat DetectionUse Case: Insider Threat DetectionTactic: CollectionTactic: ExfiltrationTactic: ImpactRule Type: BBRLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Collection (TA0009)(external, opens in a new tab or window)

Exfiltration (TA0010)(external, opens in a new tab or window)

Impact (TA0040)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-o365.audit-*filebeat-*
Related Integrations: o365(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset:o365.audit and
    event.code:(PurviewInsiderRiskCases or PurviewInsiderRiskAlerts or InsiderRiskScopedUserInsights or InsiderRiskScopedUsers or InformationWorkerProtection or HRSignal or PhysicalBadgingSignal)

Install detection rules in Elastic Security

Detect M365 Purview Insider Risk Signal in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).