Managed Sentinel – Alert 134

Alert ID: MS-A134
Alert Name: Office 365 policy tampering
Description: Identifies any tampering with an audit log, ATP Safe Links, Safe Attachments, AntiPhish or DLP policy.
An adversary may use this technique to evade detection or avoid other policy based defenses.
References: https://docs.microsoft.com/en-us/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps
Severity Level: Medium
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Persistence, Credential Access
Log sources: Office 365
False Positive: Approved operational change.
Recommendations:
1. Investigate via Azure Sentinel any other actions completed by the affected account within your network.
2. Review internal change management records for any approved changes related to this action.