Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0005 ✕ technique: T1671 ✕

Show ATT&CK heatmap
  • Microsoft Teams application setup policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams the application setup policy, which is responsible for application management, was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Persistence (TA0003)
    ATT&CK techniques: Impair Defenses (T1562) Cloud Application Integration (T1671)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.

    Variations

    A user changed the Microsoft Teams application setup policy for the first time

    Low overridden

    Microsoft Teams the application setup policy, which is responsible for application management, was modified. overridden