Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0010 ✕ technique: T1562 ✕

Show ATT&CK heatmap
  • Microsoft Teams external communication policy was modified Informational Identity Threat Module 1 variation

    Microsoft Teams external communication policy was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Defense Evasion (TA0005) Exfiltration (TA0010)
    ATT&CK techniques: Impair Defenses (T1562) Exfiltration Over Alternative Protocol (T1048)
    Required data: Office 365 Audit
    Detector tags: Microsoft Teams
    Attacker's goals: Attackers may modify the external communication policy to enable data exfiltration or to hide their activities.
    Investigative actions: Determine if it is within the user's role to modify the policy. Verify whether the modification of the policy is both legitimate and necessary. Follow further communication with the external tenant or allowed tenants. Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID.

    Variations

    Microsoft Teams external communication policy was modified by an unusual user

    Low overridden

    Microsoft Teams external communication policy was modified. overridden