
Summary
This rule detects when a SharePoint or OneDrive sharing policy is changed to weaken security controls by monitoring o365.audit SharingPolicyChanged events with a successful outcome. It inspects ModifiedProperties to identify transitions where access would be relaxed, focusing on these settings: ShareWithGuests (guest/external sharing), ShareUsingAnonymousLinks (anonymous/Anyone links), IsPublic (site visibility), AllowGuestUser (guest access), AllowFederatedUsers (external/federated access), and AllowTeamsConsumer (consumer Teams accounts). A match occurs when a NewValue indicates Enabled/True and the corresponding OldValue indicates Disabled/False. Because Microsoft's auditing data can encode values as True/False or Enabled/Disabled, the rule accounts for both formats.

These transitions represent potential defense evasion and may enable data exfiltration or a persistent external access path if performed by an attacker or a compromised admin. The rule's queries align with MITRE ATT&CK Defense Evasion (T1562) and its subtechniques, and it references Microsoft Purview audit documentation for site administration and sharing.

Investigation guidance recommends correlating the actor via user.id, verifying legitimate admin or service principal usage, and examining affected objects via o365.audit.ObjectId (site URL). Post-change activity such as SharingSet, AnonymousLinkCreated, or SharingInvitationCreated should be reviewed to assess impact. Remediation steps include reverting the policy to a restrictive state, revoking sessions, auditing related sites, and implementing stronger controls (Conditional Access, Privileged Identity Management) to prevent future unauthorized changes.
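The following Python script is an added example, not the rule's own query, that replays the detection logic described above over constructed audit records so the matching conditions can be checked offline. It assumes the raw Microsoft 365 Unified Audit Log record shape (Operation, ResultStatus, UserId, ObjectId, and ModifiedProperties as a list of Name/OldValue/NewValue objects); the sample records, tenant URL and account names are constructed for illustration.

```python
"""Added example (not the rule's own query): replay the SharingPolicyChanged
detection logic over constructed o365 audit records.

Assumptions (not from the page): records use the raw Microsoft 365 Unified
Audit Log shape, where ModifiedProperties is a list of
{"Name", "OldValue", "NewValue"} objects, Operation holds the event name and
ResultStatus the outcome.
"""
from __future__ import annotations

import json
from typing import Any

# Settings named in the rule; each one widens access when it flips to Enabled/True.
WATCHED_SETTINGS = frozenset({
    "ShareWithGuests",
    "ShareUsingAnonymousLinks",
    "IsPublic",
    "AllowGuestUser",
    "AllowFederatedUsers",
    "AllowTeamsConsumer",
})

# Microsoft encodes the same state as either True/False or Enabled/Disabled.
RELAXED = {"true", "enabled"}
RESTRICTIVE = {"false", "disabled"}


def normalize(value: Any) -> str:
    """Collapse True, ' Enabled ', '"Enabled"' or ['Enabled'] to one lowercase token."""
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    return str(value).strip().strip('"[]\r\n ').lower()


def relaxed_transitions(record: dict[str, Any]) -> list[dict[str, str]]:
    """Return the watched settings this record moved from restrictive to relaxed."""
    if record.get("Operation") != "SharingPolicyChanged":
        return []
    # Only successful changes count; a denied attempt did not alter the policy.
    if str(record.get("ResultStatus", "")).lower() not in {"succeeded", "success"}:
        return []
    hits: list[dict[str, str]] = []
    for prop in record.get("ModifiedProperties", []):
        name = prop.get("Name", "")
        if name not in WATCHED_SETTINGS:
            continue
        old, new = normalize(prop.get("OldValue")), normalize(prop.get("NewValue"))
        if new in RELAXED and old in RESTRICTIVE:
            hits.append({
                "setting": name, "old": old, "new": new,
                "actor": str(record.get("UserId", "")),   # correlate via user.id
                "object": str(record.get("ObjectId", "")),  # site URL to triage
            })
    return hits


def scan(records: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Apply the detection to a batch of records and flatten the hits."""
    return [hit for record in records for hit in relaxed_transitions(record)]


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {   # guest sharing switched on: should alert
        "Operation": "SharingPolicyChanged", "ResultStatus": "Succeeded",
        "UserId": "admin@example.invalid",
        "ObjectId": "https://example.sharepoint.invalid/sites/finance",
        "ModifiedProperties": [
            {"Name": "ShareWithGuests", "OldValue": "Disabled", "NewValue": "Enabled"},
        ],
    },
    {   # anonymous links switched off: tightening, no alert
        "Operation": "SharingPolicyChanged", "ResultStatus": "Succeeded",
        "UserId": "admin@example.invalid",
        "ObjectId": "https://example.sharepoint.invalid/sites/finance",
        "ModifiedProperties": [
            {"Name": "ShareUsingAnonymousLinks", "OldValue": True, "NewValue": False},
        ],
    },
    {   # attempt to make a site public that failed: no alert
        "Operation": "SharingPolicyChanged", "ResultStatus": "Failed",
        "UserId": "svc-deploy@example.invalid",
        "ObjectId": "https://example.sharepoint.invalid/sites/hr",
        "ModifiedProperties": [
            {"Name": "IsPublic", "OldValue": "False", "NewValue": "True"},
        ],
    },
    {   # consumer Teams access enabled alongside an unwatched property: one alert
        "Operation": "SharingPolicyChanged", "ResultStatus": "Succeeded",
        "UserId": "contractor@example.invalid",
        "ObjectId": "https://example.sharepoint.invalid/sites/eng",
        "ModifiedProperties": [
            {"Name": "DefaultSharingLinkType", "OldValue": "Internal", "NewValue": "Direct"},
            {"Name": "AllowTeamsConsumer", "OldValue": ["False"], "NewValue": ["True"]},
        ],
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Each hit carries the actor and the site URL so an analyst can pivot straight to the follow-up events the summary lists (SharingSet, AnonymousLinkCreated, SharingInvitationCreated) for that site; the value normalisation is what lets one comparison cover both the True/False and Enabled/Disabled encodings.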
Categories
- Cloud
Data Sources
- Cloud Service
ATT&CK Techniques
- T1562
- T1562.001
Created: 2026-02-27