Identifies tampering with the audit log or with an ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or to avoid other policy-based defenses. References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft 365 |
| ID | fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Persistence, DefenseEvasion |
| Techniques | T1098, T1562 |
| Required Connectors | Office365 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| OfficeActivity | RecordType == "ExchangeAdmin" | ✓ | ✗ | ? |