a dlp policy may be removed by a system or network administrator. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.

t1562
o365
elastic

Techniques

T1562

Sample rules

Microsoft 365 Exchange DLP Policy Removed

source: elastic
technicques:
- T1562

Description

Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.

Detection logic

event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success