LoFP
/
T1562.008
T1562.008
Title
Tags
administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. filter as needed.
t1562
T1562.008
o365 tenant
splunk
while this search has no known false positives, it is possible that it is a legitimate admin activity. please consider filtering out these noisy events using useragent, user_arn field names.
t1562
T1562.008
aws account
splunk