The following repo contains detection rules for changes to your critical security policies. In reality, security policies are often changed by administrators who want to fix a specific problem. These changes either become forgotten, have a way bigger security impact than the administrator might intend, or open up your organisations' defensive measures.
You can find these actions in the logs, but Microsoft doesn't provide alerting by default to these actions. You can use the following KQL rules to create your own alerting.
- Conditional Access rule has been deleted ✔️
- Conditional Access rule has been created ✔️
- Conditional Access rule disabled /enabled ✔️
- Conditional Access rule changed ✔️
- Enterprise applications, admin consent settings is changed 👷
- Anti-Phish policy has been changed ✔️
- Anti-Phish policy has been created ✔️
- Anti-Phish policy has been deleted ✔️
- Anti-Spam Policy has been changed ✔️
- Anti-Spam Policy has been created ✔️
- Anti-Spam Policy has been deleted ✔️
- Anti-Malware Policy has been changed ✔️
- Anti-Malware Policy has been created ✔️
- Anti-Malware Policy has been removed ✔️
- Safe Attachments Policy has been changed ✔️
- Safe Attachments Policy has been created ✔️
- Safe Attachments Policy has been deleted ✔️
- Safe Link Policy has been changed ✔️
- Safe Link Policy has been created ✔️
- Safe Link Policy has been deleted ✔️
- Tenant added to block list ✔️
- Tenant removed from block list 🐛
- Creation of a transport rule ✔️
- Tenant removed from block list does not contain a clear value of the domain/tenant removed from the list
- searches performed via the threatexplorer - https://www.lousec.be/mdo/malicious-admin-reading-your-emails/