Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0005 ✕ technique: T1048 ✕
Show ATT&CK heatmapMicrosoft Teams external communication policy was modified Informational Identity Threat Module 1 variation
Microsoft Teams external communication policy was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)Required data: Office 365 AuditDetector tags: Microsoft TeamsAttacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.Variations
Microsoft Teams external communication policy was modified by an unusual user
Low overridden
Microsoft Teams external communication policy was modified. overridden