Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy.
An adversary may use this technique to evade detection or avoid other policy based defenses.
MITRE ATT&CK Tactics
Approved operational change.
1. Investigate via Azure Sentinel any other actions completed by the affected account within your network.
2. Review internal change management records for any approved changes related to this action.