
Summary
This detection rule identifies the removal of a Data Loss Prevention (DLP) policy in Microsoft 365 Exchange, which may indicate an attempt to evade DLP monitoring. An adversary with Exchange administrative privileges could remove a DLP policy so that subsequent exfiltration of sensitive data is no longer inspected or blocked by that control. The rule analyzes Microsoft 365 audit logs for events whose action is "Remove-DlpPolicy" (the Exchange Online cmdlet that deletes a policy) and whose outcome is success; failed removal attempts do not match. It complements existing security controls by alerting the security team when such a configuration change occurs. Routine administrative changes will produce false positives, so each alert should be verified against the personnel authorized to manage DLP policies and against scheduled maintenance or change windows. The investigation guide provides steps to verify the legitimacy of the change, review the acting user's other activity, and respond to the incident.
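The following is an added example, not part of the original rule or its investigation guide: it applies the rule's matching logic (action "Remove-DlpPolicy", outcome success, Exchange provider) to a few constructed audit records and then performs the false-positive triage described above by checking the acting user against an authorized-admin allowlist and the event time against a maintenance window. The ECS-style field names (event.dataset, event.provider, event.action, event.outcome, user.id, o365.audit.Parameters.Identity), the allowlist and the maintenance window are assumptions for the example; adjust them to how your pipeline normalizes Microsoft 365 audit logs.

```python
"""Detection and triage of successful "Remove-DlpPolicy" events (added example).

Field names below assume Microsoft 365 audit records normalised to ECS-style
JSON; the sample records, the allowlist and the maintenance window are
constructed for illustration, not taken from a real tenant.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit records, newline-delimited JSON (not real data).
SAMPLE_LOG = """\
{"@timestamp":"2024-03-10T02:15:00Z","event":{"dataset":"o365.audit","provider":"Exchange","action":"Remove-DlpPolicy","outcome":"success"},"user":{"id":"dlp-admin@contoso.example"},"o365":{"audit":{"Parameters":{"Identity":"Legacy PCI policy"}}}}
{"@timestamp":"2024-03-10T14:40:03Z","event":{"dataset":"o365.audit","provider":"Exchange","action":"Remove-DlpPolicy","outcome":"failure"},"user":{"id":"j.doe@contoso.example"},"o365":{"audit":{"Parameters":{"Identity":"Block outbound SSNs"}}}}
{"@timestamp":"2024-03-10T14:42:11Z","event":{"dataset":"o365.audit","provider":"Exchange","action":"Remove-DlpPolicy","outcome":"success"},"user":{"id":"j.doe@contoso.example"},"o365":{"audit":{"Parameters":{"Identity":"Block outbound SSNs"}}}}
{"@timestamp":"2024-03-10T09:00:00Z","event":{"dataset":"o365.audit","provider":"Exchange","action":"New-DlpPolicy","outcome":"success"},"user":{"id":"dlp-admin@contoso.example"},"o365":{"audit":{"Parameters":{"Name":"Block outbound SSNs"}}}}
"""

# Assumed triage inputs: who may manage DLP policies, and when changes are planned.
AUTHORIZED_DLP_ADMINS = {"dlp-admin@contoso.example"}
MAINTENANCE_WINDOWS = [
    (datetime(2024, 3, 10, 1, 0, tzinfo=timezone.utc),
     datetime(2024, 3, 10, 4, 0, tzinfo=timezone.utc)),
]


def matches_rule(event: dict) -> bool:
    """Rule logic: a successful Remove-DlpPolicy in the Exchange workload.
    Failed attempts and other DLP cmdlets (New-/Set-DlpPolicy) do not match."""
    ev = event.get("event", {})
    return (
        ev.get("dataset") == "o365.audit"
        and ev.get("provider") == "Exchange"
        and ev.get("action") == "Remove-DlpPolicy"
        and ev.get("outcome") == "success"
    )


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def triage(event: dict) -> dict:
    """Assign a review priority from the acting user and the change time."""
    user = event.get("user", {}).get("id")
    ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
    policy = (event.get("o365", {}).get("audit", {})
              .get("Parameters", {}).get("Identity"))
    authorized = user in AUTHORIZED_DLP_ADMINS
    scheduled = in_maintenance_window(ts)
    if authorized and scheduled:
        severity = "low"      # likely routine; still confirm against the change record
    elif authorized:
        severity = "medium"   # known admin, but outside any planned window
    else:
        severity = "high"     # unexpected account removing a DLP control
    return {"timestamp": ts.isoformat(), "user": user,
            "policy": policy, "severity": severity}


def run(log_text: str) -> list:
    """Return one triaged alert per audit record that matches the rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches_rule(event):
            alerts.append(triage(event))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Of the four constructed records only the two successful removals produce alerts; the failed attempt by j.doe@contoso.example is deliberately not matched, which is worth remembering during investigation, since the failed attempt two minutes before the successful one is useful context even though the rule itself does not fire on it.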
Categories
- Cloud
- Identity Management
- Endpoint
Data Sources
- User Account
- Application Log
- Cloud Service
ATT&CK Techniques
- T1562
Created: 2020-11-20