a dlp policy may be removed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1562
o365
elastic

Techniques

T1562

Sample rules

Deprecated - M365 Exchange DLP Policy Deleted

source: elastic
technicques:
- T1562

Description

Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.

Detection logic

event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success