Slack Legal Hold Policy Modified

Panther Rules

Summary
The 'Slack Legal Hold Policy Modified' detection rule monitors modifications to legal hold policies within Slack workspaces. It focuses on actions that could compromise the integrity of legal holds, which are critical for compliance and eDiscovery. By tracking the specific actions of deleting a policy, adding exclusions to it, releasing it, and updating it, the rule aims to detect unauthorized changes that could impair defenses against data loss or tampering in legal contexts. Each detected action is logged with details of the actor, the IP address from which the action was performed, and context such as the user agent. The rule's expected result is true for legal hold policy actions, while user logout actions are expected to yield false under normal circumstances and are flagged for further investigation only if they occur amid ongoing policy changes. The detection strategy follows security best practices aligned with the MITRE ATT&CK framework under TA0005:T1562.001, which covers defense evasion tactics.
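The following is an added example written for this page, not Panther's own rule code. It sketches a Panther-style Python rule with the `rule`, `title` and `alert_context` functions that Panther rules expose, matching the legal hold actions the summary lists and surfacing the actor, source IP and user agent. The Slack audit-log action names (`legal_hold_policy_deleted` and so on) and the event field layout are assumptions; the sample events are constructed for the example.

```python
# Added example, not Panther's rule code. Action names and event layout are
# assumptions modelled on the Slack audit-log shape, constructed for illustration.

# Assumed action values for the four legal hold policy changes the summary names.
LEGAL_HOLD_ACTIONS = {
    "legal_hold_policy_deleted",
    "legal_hold_policy_exclusions_added",
    "legal_hold_policy_released",
    "legal_hold_policy_updated",
}


def _actor_name(event: dict) -> str:
    """Extract the acting user's name; tolerate events with no actor block."""
    return event.get("actor", {}).get("user", {}).get("name", "<unknown user>")


def rule(event: dict) -> bool:
    """Fire only when the event is one of the tracked legal hold policy changes."""
    return event.get("action") in LEGAL_HOLD_ACTIONS


def title(event: dict) -> str:
    """Alert title naming the actor and the specific policy action."""
    return f"Slack legal hold policy modified by {_actor_name(event)}: {event.get('action')}"


def alert_context(event: dict) -> dict:
    """Fields an analyst wants first: actor, source IP address, user agent."""
    ctx = event.get("context", {})
    return {
        "action": event.get("action"),
        "actor": _actor_name(event),
        "ip_address": ctx.get("ip_address"),
        "user_agent": ctx.get("ua"),
    }


def _event(action: str, name: str, ip: str) -> dict:
    """Build a constructed sample event in the assumed audit-log layout."""
    return {
        "action": action,
        "actor": {"type": "user", "user": {"name": name}},
        "context": {"ip_address": ip, "ua": "Mozilla/5.0 (constructed sample)"},
    }


# Constructed sample events: three policy changes and one unrelated logout.
SAMPLE_EVENTS = [
    _event("legal_hold_policy_deleted", "alice.example", "203.0.113.10"),
    _event("legal_hold_policy_exclusions_added", "bob.example", "203.0.113.11"),
    _event("legal_hold_policy_released", "carol.example", "203.0.113.12"),
    _event("user_logout", "dave.example", "203.0.113.13"),
]


def evaluate(events: list) -> list:
    """Run the rule over a batch and return (action, matched) pairs."""
    return [(e.get("action"), rule(e)) for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(title(ev))
            print("  context:", alert_context(ev))
```

The logout event is the negative case the summary describes: it passes through `rule` unmatched, confirming that only the tracked policy actions raise an alert while the actor, IP and user agent stay attached to each alert for triage.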
Categories
  • Cloud
  • Application
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1562.001
  • T0123
Created: 2022-09-02