Query Details

RULE 12 M365 DLP Policy Override Abuse

Query

// Rule    : M365 - DLP Policy Override by User (Justification Abuse)
// Severity: Medium
// Tactics : DefenseEvasion, Exfiltration
// MITRE   : T1222 (File and Directory Permissions Modification), T1537
// Freq    : PT1H   Period: PT1H
// Description: Detects users who override DLP block actions with justifications.
//              Repeated overrides — especially for high-sensitivity data types —
//              may indicate intentional exfiltration or policy-awareness abuse.
//==========================================================================================

let OverrideThreshold = 3;    // overrides per user per hour
let LookbackPeriod    = 1h;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType in (
    "ComplianceDLPExchange", "ComplianceDLPSharePoint",
    "ComplianceDLPSharePointClassification")
// Parse the PolicyDetails JSON once; the rule reads the first policy and its first rule
| extend Policy = parse_json(PolicyDetails)[0]
| extend Rule   = Policy.Rules[0]
| extend
    PolicyName         = tostring(Policy.PolicyName),
    RuleName           = tostring(Rule.RuleName),
    OverrideAction     = tostring(Rule.Actions),
    Justification      = tostring(Rule.OverrideJustification),
    SensitiveInfoTypes = tostring(Rule.ConditionsMatched.SensitiveInformation)
| where OverrideAction has "Override"
    or isnotempty(Justification)
| summarize
    OverrideCount     = count(),
    Policies          = make_set(PolicyName, 10),
    Rules             = make_set(RuleName, 10),
    Justifications    = make_set(Justification, 5),
    SensitiveTypes    = make_set(SensitiveInfoTypes, 5),
    ObjectIds         = make_set(ObjectId, 10),
    ClientIPs         = make_set(ClientIP, 5)
    by UserId
| where OverrideCount >= OverrideThreshold
| extend AlertSeverity = case(
    OverrideCount >= 10, "High",
    OverrideCount >= 5,  "Medium",
    "Low")
| project
    TimeGenerated  = now(),
    UserId,
    OverrideCount,
    Policies,
    Justifications,
    SensitiveTypes,
    ObjectIds,
    ClientIPs,
    AlertSeverity

Explanation

This query is designed to detect and alert on users who frequently override Data Loss Prevention (DLP) policies in Microsoft 365. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies users who repeatedly bypass DLP block actions by providing justifications, which might suggest intentional data exfiltration or misuse of policy awareness.

  2. Threshold: The query looks for users who have overridden DLP policies at least 3 times within the past hour.

  3. Data Source: It examines activities from Microsoft 365 services like Exchange and SharePoint, focusing on DLP-related records.

  4. Data Extraction: For each activity, it extracts details such as the policy name, rule name, override action, justification provided, and types of sensitive information involved.

  5. Filtering: It filters records where an override action occurred or a justification was provided.

  6. Aggregation: It counts the number of overrides per user and compiles lists of related policies, rules, justifications, sensitive information types, object IDs, and client IPs.

  7. Severity Assessment: Based on the number of overrides, it assigns a severity level to the alert:

    • High: 10 or more overrides
    • Medium: 5 to 9 overrides
    • Low: fewer than 5 overrides (in practice 3 or 4, since users below the threshold of 3 are not reported)

  8. Output: The query outputs a summary for each user who meets the override threshold, including the current time, user ID, number of overrides, associated policies, justifications, sensitive information types, object IDs, client IPs, and the alert severity.

In essence, this query helps identify potential security risks by flagging users who frequently bypass DLP measures, allowing for further investigation or action.
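The same detection logic, re-implemented in Python over constructed OfficeActivity-style rows so it can be run offline; this is an added example, not code from the query page. The JSON shape of PolicyDetails is an assumption that follows the field paths the query dereferences, and, going beyond the query, the function walks every policy and rule rather than only the first of each.

```python
import json
from collections import defaultdict

DLP_RECORD_TYPES = {"ComplianceDLPExchange", "ComplianceDLPSharePoint", "ComplianceDLPSharePointClassification"}
OVERRIDE_THRESHOLD = 3  # overrides per user per hour, as in the query

def dlp_record(user, obj, ip, action, justification, sit_types):
    # Constructed OfficeActivity-style row; PolicyDetails is shaped along the field paths the query reads.
    rule = {"RuleName": "Block External Sharing", "Actions": [action], "OverrideJustification": justification,
            "ConditionsMatched": {"SensitiveInformation": sit_types}}
    return {"UserId": user, "ObjectId": obj, "ClientIP": ip, "RecordType": "ComplianceDLPSharePoint",
            "PolicyDetails": json.dumps([{"PolicyName": "PII Block", "Rules": [rule]}])}

# Constructed sample: alice overrides three times (the third by justification only), bob only once.
SAMPLE_RECORDS = [
    dlp_record("alice@contoso.test", "/hr/payroll.xlsx", "10.0.0.5", "Override", "vendor needs it", ["Credit Card Number"]),
    dlp_record("alice@contoso.test", "/hr/ssn-list.csv", "10.0.0.5", "Override", "vendor needs it", ["U.S. SSN"]),
    dlp_record("alice@contoso.test", "/hr/bank.docx", "10.0.0.5", "BlockAccess", "false positive", ["IBAN"]),
    dlp_record("bob@contoso.test", "/sales/q1.pptx", "10.0.0.9", "BlockAccess", "", ["Credit Card Number"]),
    dlp_record("bob@contoso.test", "/sales/q2.pptx", "10.0.0.9", "Override", "approved by manager", ["Credit Card Number"]),
]

def rule_is_override(rule):
    # The query's filter: an "Override" action or any justification text (substring match; KQL `has` is term-based).
    return (any("Override" in str(a) for a in rule.get("Actions", []))
            or bool(rule.get("OverrideJustification", "")))

def alert_severity(count):
    # The query's case() ladder; "Low" means at or above the threshold but below 5.
    return "High" if count >= 10 else "Medium" if count >= 5 else "Low"

def detect_override_abuse(records, threshold=OVERRIDE_THRESHOLD):
    # Walks every policy and rule (the query reads only [0]) but counts each event once, like count().
    per_user = defaultdict(lambda: {"OverrideCount": 0, "Policies": set(), "Justifications": set(),
                                    "SensitiveTypes": set(), "ObjectIds": set(), "ClientIPs": set()})
    for rec in [r for r in records if r["RecordType"] in DLP_RECORD_TYPES]:
        hits = [(p, r) for p in json.loads(rec["PolicyDetails"])
                for r in p.get("Rules", []) if rule_is_override(r)]
        if not hits:
            continue
        agg = per_user[rec["UserId"]]
        agg["OverrideCount"] += 1
        agg["ObjectIds"].add(rec["ObjectId"])
        agg["ClientIPs"].add(rec["ClientIP"])
        for policy, rule in hits:
            agg["Policies"].add(policy.get("PolicyName", ""))
            agg["Justifications"].add(rule.get("OverrideJustification", ""))
            agg["SensitiveTypes"].update(rule.get("ConditionsMatched", {}).get("SensitiveInformation", []))
    return {u: dict(a, AlertSeverity=alert_severity(a["OverrideCount"]))
            for u, a in per_user.items() if a["OverrideCount"] >= threshold}
```

Running `detect_override_abuse(SAMPLE_RECORDS)` reports only alice, with OverrideCount 3 and severity "Low"; bob stays below the threshold because his blocked event carries no justification.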

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, ComplianceDLPExchange, ComplianceDLPSharePoint, ComplianceDLPSharePointClassification, PolicyDetails, PolicyName, RuleName, OverrideAction, Justification, SensitiveInfoTypes, OverrideCount, Policies, Rules, Justifications, SensitiveTypes, ObjectIds, ClientIPs, UserId, AlertSeverity

Operators

let, ago(), in, tostring(), parse_json(), has, or, summarize, count(), make_set(), by, case(), project, now()