Microsoft 365 Exchange DLP Policy Removed

 1[metadata]
 2creation_date = "2020/11/20"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
 6min_stack_version = "8.8.0"
 7updated_date = "2024/04/02"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to
13evade existing DLP monitoring.
14"""
15false_positives = [
16    """
17    A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected.
18    Exceptions can be added to this rule to filter expected behavior.
19    """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Exchange DLP Policy Removed"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps",
31    "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide",
32]
33risk_score = 47
34rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1562"
49name = "Impair Defenses"
50reference = "https://attack.mitre.org/techniques/T1562/"
51
52
53[rule.threat.tactic]
54id = "TA0005"
55name = "Defense Evasion"
56reference = "https://attack.mitre.org/tactics/TA0005/"