O365 Email Transport Rule Changed

Splunk Security Content

Summary
The detection rule "O365 Email Transport Rule Changed" identifies modifications to Exchange Online mail flow (transport) rule configurations by users with elevated permissions. This activity is important to monitor because attackers often abuse transport rules to manipulate or delete emails, potentially hiding malicious activity or exfiltrating sensitive data. The rule uses the Office 365 Universal Audit Log, specifically targeting operations that create, modify, disable, or remove transport rules. Detected alterations are logged with timestamps and the associated user details, and both the object name and the ID of the affected transport rule are captured for further investigation. Implementation requires the Splunk Microsoft Office 365 Add-on to be configured to collect Office 365 management activity events. This rule is integral to maintaining visibility into potential insider threats or compromised accounts within an organization's email system.
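As an added example that is not part of the Splunk content, the following Python applies the same selection logic to a few constructed Office 365 audit records: keep Exchange-workload events whose operation creates, modifies, disables or removes a transport rule, and extract the timestamp, user, object name and rule identity for triage. The operation names are the Exchange Online cmdlet names; treating these five as the complete set, and the exact record layout, are assumptions for this example.

```python
import json

# Operation names are the Exchange Online cmdlet names, which is also how they
# appear in the Office 365 Management Activity "Operation" field. Treating these
# five as the complete set is an assumption made for this example.
TRANSPORT_RULE_OPS = {
    "New-TransportRule", "Set-TransportRule", "Remove-TransportRule",
    "Disable-TransportRule", "Enable-TransportRule",
}

# Constructed sample audit records (newline-delimited JSON). The field layout
# mirrors Exchange admin events from the Management Activity API but is assumed here.
SAMPLE_LOG = """
{"CreationTime":"2025-01-15T10:02:11","Workload":"Exchange","UserId":"admin@example.com","Operation":"New-TransportRule","ObjectId":"Finance forward","Parameters":[{"Name":"Name","Value":"Finance forward"},{"Name":"BlindCopyTo","Value":"mailbox@example.net"}]}
{"CreationTime":"2025-01-15T10:05:40","Workload":"Exchange","UserId":"admin@example.com","Operation":"Set-Mailbox","ObjectId":"jdoe","Parameters":[{"Name":"Identity","Value":"jdoe"}]}
{"CreationTime":"2025-01-15T11:17:03","Workload":"Exchange","UserId":"helpdesk@example.com","Operation":"Disable-TransportRule","ObjectId":"Block executables","Parameters":[{"Name":"Identity","Value":"Block executables"}]}
{"CreationTime":"2025-01-15T11:20:00","Workload":"SharePoint","UserId":"jdoe@example.com","Operation":"FileDownloaded","ObjectId":"https://example.sharepoint.com/report.xlsx"}
""".strip()


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_transport_rule_changes(events):
    """Return one finding per Exchange event whose operation creates, modifies,
    disables or removes a transport rule, keeping the fields an analyst needs."""
    findings = []
    for ev in events:
        if ev.get("Workload") != "Exchange":
            continue
        if ev.get("Operation") not in TRANSPORT_RULE_OPS:
            continue
        # Flatten the Name/Value parameter list so the rule identity is easy to read.
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        findings.append({
            "time": ev.get("CreationTime"),
            "user": ev.get("UserId"),
            "operation": ev["Operation"],
            "object_id": ev.get("ObjectId"),
            "rule_name": params.get("Identity") or params.get("Name"),
            "parameters": params,
        })
    return findings


if __name__ == "__main__":
    for f in detect_transport_rule_changes(parse_audit_log(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']} {f['operation']} rule={f['rule_name']!r}")
```

The retained parameters (for example a BlindCopyTo target on a new rule) are what an analyst reviews next, since a legitimate administrative change and an abusive one share the same operation name.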
Categories
  • Cloud
Data Sources
  • Pod
  • User Account
  • Application Log
ATT&CK Techniques
  • T1114
  • T1114.003
  • T1564.008
Created: 2025-01-15