Managed Sentinel – Alert 134
Alert ID | MS-A134 |
Alert Name | Office 365 policy tampering |
Description | Identifies tampering with the audit log, ATP SafeLinks, SafeAttachment, AntiPhish or DLP policies. An adversary may use this technique to evade detection or avoid other policy-based defenses. References: https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps |
Severity Level | Medium |
Threat Indicator | Improper Usage |
MITRE ATT&CK Tactics | Persistence, Credential Access |
Log sources | Office 365 |
False Positive | Approved operational change. |
Recommendations | 1. Investigate via Azure Sentinel any other actions completed by the affected account within your network. 2. Review internal change management records for any approved changes related to this action. |