Microsoft 365 Exchange DLP Policy Removed
Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/20"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to
11evade existing DLP monitoring.
12"""
13false_positives = [
14 """
15 A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected.
16 Exceptions can be added to this rule to filter expected behavior.
17 """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Exchange DLP Policy Removed"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28 "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
29 "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide",
30]
31risk_score = 47
32rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25"
33severity = "medium"
34tags = [
35 "Domain: Cloud",
36 "Data Source: Microsoft 365",
37 "Use Case: Configuration Audit",
38 "Tactic: Defense Evasion",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54
55
56[rule.threat.tactic]
57id = "TA0005"
58name = "Defense Evasion"
59reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
Learn how to protect your sensitive information using Microsoft Purview Data Loss Prevention policies and tools and take a tour through the DLP lifecycle.
Read More
Related rules
- Microsoft 365 Exchange Malware Filter Policy Deletion
- Microsoft 365 Exchange Malware Filter Rule Modification
- Microsoft 365 Exchange Safe Attachment Rule Disabled
- Azure Alert Suppression Rule Created or Modified
- Azure Automation Runbook Deleted