
O365 Cross-Tenant Access Change

Splunk Security Content

Summary
The 'O365 Cross-Tenant Access Change' detection rule monitors changes to cross-tenant access and synchronization policies within Azure Active Directory. Such modifications can indicate unauthorized lateral movement or persistent access by adversaries abusing these configurations. Identifying when these settings are altered lets organizations respond rapidly to potential threats. The analytic searches the Office 365 Universal Audit Log for the specific operations related to cross-tenant access and captures the user who made the change, the source IP address, and the modified properties. It requires the Splunk Microsoft Office 365 Add-on to be installed so that these management activity events are ingested. Known false positives typically arise from legitimate changes made by approved administrators, so context is essential when monitoring these sensitive policies.
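As an added illustration (not the rule's own SPL or any Splunk Security Content code), the following Python reproduces the shape of the analytic over constructed O365 management activity records: filter Azure AD audit events to cross-tenant access operations, then report actor, source IP and modified properties, with an approved-admin allow-list to surface the known false-positive case. The operation names, user accounts, IPs and tenant IDs are assumptions and placeholders, not values from the page.

```python
import json

# Assumed Operation names: the page does not list the operations the rule
# matches, so these are placeholders shaped like Azure AD audit operations.
CROSS_TENANT_OPERATIONS = {
    "Update a partner cross-tenant access setting",
    "Add a partner to cross-tenant access setting",
    "Update cross-tenant access setting",
}

# Constructed allow-list of administrators expected to change these policies.
APPROVED_ADMINS = {"idadmin@contoso.example"}

# Constructed sample events in the shape of O365 management activity records.
SAMPLE_LOG = """
{"CreationTime":"2024-11-14T10:02:11","Workload":"AzureActiveDirectory","Operation":"Add a partner to cross-tenant access setting","UserId":"jsmith@contoso.example","ClientIP":"203.0.113.7","ModifiedProperties":[{"Name":"tenantId","NewValue":"11111111-2222-3333-4444-555555555555"},{"Name":"b2bCollaborationInbound","NewValue":"allowed"}]}
{"CreationTime":"2024-11-14T10:05:40","Workload":"AzureActiveDirectory","Operation":"Update a partner cross-tenant access setting","UserId":"idadmin@contoso.example","ClientIP":"198.51.100.20","ModifiedProperties":[{"Name":"automaticUserConsentSettings","NewValue":"inboundAllowed=true"}]}
{"CreationTime":"2024-11-14T10:06:02","Workload":"AzureActiveDirectory","Operation":"Add user.","UserId":"idadmin@contoso.example","ClientIP":"198.51.100.20","ModifiedProperties":[]}
"""


def parse_events(raw):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_cross_tenant_changes(events, approved=APPROVED_ADMINS):
    """Return one finding per cross-tenant access change: who, from where,
    which properties changed, and whether the actor is an approved admin."""
    findings = []
    for ev in events:
        if ev.get("Workload") != "AzureActiveDirectory":
            continue
        if ev.get("Operation") not in CROSS_TENANT_OPERATIONS:
            continue
        user = ev.get("UserId", "")
        modified = {p["Name"]: p.get("NewValue")
                    for p in ev.get("ModifiedProperties", [])}
        findings.append({
            "time": ev.get("CreationTime"),
            "user": user,
            "src_ip": ev.get("ClientIP"),
            "operation": ev["Operation"],
            "modified": modified,
            "approved_admin": user in approved,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_cross_tenant_changes(parse_events(SAMPLE_LOG)):
        print(finding)
```

Findings with `approved_admin` set to `False` are the ones worth triaging first; the approved-admin change is the expected false-positive pattern the rule's notes describe.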
Categories
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Pod
  • User Account
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1484
  • T1484.002
  • T1098
Created: 2024-11-14