Office Policy Tampering

let opList = OfficeActivity 
| summarize by Operation
//| where Operation startswith "Remove-" or Operation startswith "Disable-"
| where Operation has_any ("Remove", "Disable")
| where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
| summarize make_set(Operation, 500);
OfficeActivity
// Only admin or global-admin can disable/remove policy
| where RecordType =~ "ExchangeAdmin"
| where UserType in~ ("Admin","DcAdmin")
// Pass in interesting Operation list
| where Operation in~ (opList)
| extend ClientIPOnly = case( 
ClientIP has ".", tostring(split(ClientIP,":")[0]), 
ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
ClientIP
)  
| extend Port = case(
ClientIP has ".", (split(ClientIP,":")[1]),
ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
ClientIP
)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])

name: Office Policy Tampering
id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
description: |
  'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
  An adversary may use this technique to evade detection or avoid other policy based defenses.
  References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.'  
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: UserId
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: ClientIP
    identifier: Address
  entityType: IP
version: 2.0.3
triggerOperator: gt
query: |
  let opList = OfficeActivity 
  | summarize by Operation
  //| where Operation startswith "Remove-" or Operation startswith "Disable-"
  | where Operation has_any ("Remove", "Disable")
  | where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
  | summarize make_set(Operation, 500);
  OfficeActivity
  // Only admin or global-admin can disable/remove policy
  | where RecordType =~ "ExchangeAdmin"
  | where UserType in~ ("Admin","DcAdmin")
  // Pass in interesting Operation list
  | where Operation in~ (opList)
  | extend ClientIPOnly = case( 
  ClientIP has ".", tostring(split(ClientIP,":")[0]), 
  ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
  ClientIP
  )  
  | extend Port = case(
  ClientIP has ".", (split(ClientIP,":")[1]),
  ClientIP has "[", tostring(split(ClientIP,"]:")[1]),
  ClientIP
  )
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters
  | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])  
tactics:
- Persistence
- DefenseEvasion
kind: Scheduled
queryFrequency: 1d
severity: Medium
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
  - OfficeActivity (Exchange)
  connectorId: Office365
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml
relevantTechniques:
- T1098
- T1562