
Summary
This detection rule identifies when a transport rule in Microsoft 365 Exchange has been disabled or deleted, which can indicate malicious activity by an insider or an external attacker. Transport rules govern the flow of email through the organization, and unauthorized modifications to them can facilitate data exfiltration. The rule queries the audit logs for successful executions of the 'Remove-TransportRule' or 'Disable-TransportRule' cmdlets, both of which are privileged actions that can indicate abuse of admin privileges.

When these events are detected, they should be investigated promptly to determine whether the action was legitimate or a sign of an ongoing security breach. False positives can arise from routine administrative changes, maintenance, or automated scripts, so knowledge of the organizational context (which accounts are expected to change transport rules, and when) is important for effective triage. The audit-log findings should drive the immediate response, including disabling the responsible account and restoring the rule where warranted, coordinated with the security and compliance teams to manage any related risks.
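The following is an added example of the detection logic described above, written for this page rather than taken from the rule's own query. It scans constructed Unified Audit Log records in JSON-lines form and flags successful Remove-TransportRule and Disable-TransportRule executions in the Exchange workload. The field names (Workload, Operation, ResultStatus, UserId, ClientIP, Parameters) follow the Office 365 Management Activity API schema but are an assumption here, as are the accepted success values and every sample value; the expected_actors parameter is a hypothetical hook for the "known automation" false-positive case the summary mentions, and it annotates rather than suppresses the alert so that triage still sees it.

```python
import json
from typing import Dict, Iterable, List, Optional, Set

# Cmdlets named in the rule summary. Compared case-insensitively because
# the audit log records the cmdlet name as the operator typed it.
WATCHED_OPERATIONS = {"remove-transportrule", "disable-transportrule"}

# Outcomes treated as a successful execution. Exchange admin audit records
# report ResultStatus "True"; "Success" is accepted too (assumption).
SUCCESS_STATUSES = {"true", "success"}

# Constructed sample export (JSON lines). Field names are assumed from the
# Office 365 Management Activity API; all values are invented for this example.
SAMPLE_AUDIT_JSONL = """\
{"CreationTime":"2024-01-15T10:02:11","Workload":"Exchange","Operation":"Disable-TransportRule","ResultStatus":"True","UserId":"admin@example.test","ClientIP":"203.0.113.5","Parameters":[{"Name":"Identity","Value":"Block outbound archives"}]}
{"CreationTime":"2024-01-15T10:03:40","Workload":"Exchange","Operation":"New-TransportRule","ResultStatus":"True","UserId":"admin@example.test","ClientIP":"203.0.113.5","Parameters":[{"Name":"Name","Value":"Append legal disclaimer"}]}
{"CreationTime":"2024-01-15T10:05:02","Workload":"Exchange","Operation":"Remove-TransportRule","ResultStatus":"False","UserId":"helpdesk@example.test","ClientIP":"198.51.100.7","Parameters":[{"Name":"Identity","Value":"DLP: credit cards"}]}
{"CreationTime":"2024-01-15T10:06:55","Workload":"Exchange","Operation":"Remove-TransportRule","ResultStatus":"True","UserId":"svc-automation@example.test","ClientIP":"198.51.100.9","Parameters":[{"Name":"Identity","Value":"DLP: credit cards"}]}
{"CreationTime":"2024-01-15T10:07:10","Workload":"SharePoint","Operation":"FileDownloaded","ResultStatus":"True","UserId":"user@example.test","ClientIP":"198.51.100.9"}
"""


def parse_audit_lines(text: str) -> List[Dict]:
    """Parse a JSON-lines audit export, skipping blank or damaged lines."""
    records: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one damaged line must not abort the whole scan
    return records


def rule_identity(record: Dict) -> Optional[str]:
    """Return the transport rule named by the cmdlet's Identity parameter."""
    for param in record.get("Parameters") or []:
        if param.get("Name") == "Identity":
            return param.get("Value")
    return None


def find_transport_rule_tampering(records: Iterable[Dict],
                                  expected_actors: Set[str] = frozenset()) -> List[Dict]:
    """Flag successful Remove-/Disable-TransportRule executions in Exchange.

    expected_actors (hypothetical) lists accounts known to change transport
    rules legitimately; their hits are marked, not dropped, for triage.
    """
    alerts: List[Dict] = []
    for rec in records:
        if rec.get("Workload") != "Exchange":
            continue
        if str(rec.get("Operation", "")).lower() not in WATCHED_OPERATIONS:
            continue
        if str(rec.get("ResultStatus", "")).lower() not in SUCCESS_STATUSES:
            continue  # only successful executions matter, as in the rule
        user = rec.get("UserId")
        alerts.append({
            "time": rec.get("CreationTime"),
            "user": user,
            "client_ip": rec.get("ClientIP"),
            "operation": rec.get("Operation"),
            "rule": rule_identity(rec),
            "expected_actor": user in expected_actors,
        })
    return alerts


def run_sample(expected_actors: Set[str] = frozenset()) -> List[Dict]:
    """Run the detection over the constructed sample export."""
    return find_transport_rule_tampering(parse_audit_lines(SAMPLE_AUDIT_JSONL),
                                         expected_actors)


if __name__ == "__main__":
    for alert in run_sample(expected_actors={"svc-automation@example.test"}):
        tag = " (expected actor)" if alert["expected_actor"] else ""
        print(f"{alert['time']} {alert['user']} ran {alert['operation']} "
              f"on {alert['rule']!r} from {alert['client_ip']}{tag}")
```

Of the five sample records, only two are flagged: the failed Remove-TransportRule attempt and the New-TransportRule creation are ignored, as is the SharePoint event. The account allowlist only annotates the alert because, as the summary notes, automation accounts are a common false-positive source but are also exactly the accounts an attacker would prefer to borrow, so the event should still reach an analyst.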
Categories
- Cloud
- Identity Management
- Infrastructure
Data Sources
- User Account
- Application Log
- Cloud Service
- Web Credential
ATT&CK Techniques
- T1537
Created: 2020-11-19