
SCC_Insider_Risk_Management

ID: 100422

Description:

Security Compliance Center Insider Risk Management

Repository: Group: Office365ES Type: event

Default Status:

Enabled

Tags:    
SCC SecurityComplianceCenter O365
     

Selector:

Query:

Filters:

| Field | MUST hit |
| :--- | :--- |
| event.provider | Audit.General |
| o365.audit.Workload | SecurityComplianceCenter |
| o365.audit.Category | InsiderRiskManagement |

| Field | MUST NOT hit |
| :--- | :--- |

Behavior Rule:

Key Type Behavior Category
o365.audit.InsightData.Details.Name username application activity

Risks:

Risks Base Score Dimension
     

Attributes:

| Alias | Key |
| :--- | :--- |
| Category | o365.audit.Category |
| Operation | o365.audit.Operation |
| InsightValue | o365.audit.AdditionalData.Value |
| InsightDescription | o365.audit.Description |
| Username | o365.audit.InsightData.Details.Name |
| RecordType | o365.audit.RecordType |
| UserType | o365.audit.UserType |
| Severity | o365.audit.Severity |

Correlation Rules:

History:

| User | Date |
| :--- | :--- |
| — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)