Managed Sentinel – Alert 134
|Alert Name||Office 365 policy tampering|
|Description||Identifies tampering with the audit log or with an ATP Safe Links, Safe Attachments, anti-phishing or DLP policy. An adversary may use this technique to evade detection or avoid other policy-based defenses.|
|Threat Indicator||Improper Usage|
|MITRE ATT&CK Tactics||Persistence|
|Log sources||Office 365|
|False Positive||Approved operational change.|
|Recommendations||1. Use Azure Sentinel to investigate any other actions completed by the affected account within your network. 2. Review internal change management records for any approved changes related to this action.|