Adversaries may disable or bypass the Safe Attachments and Safe Documents policies so that malicious files can be exfiltrated through SharePoint, OneDrive, or Teams. SOC teams should proactively hunt for changes to these policies in their Azure Sentinel environment to identify potential exfiltration attempts and prevent data loss.
KQL Query

```kusto
CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType == "Set-AtpPolicyForO365"
| mv-expand ActivityObjects
| extend Name = tostring(ActivityObjects.Name)
| extend Value = tostring(ActivityObjects.Value)
| where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
| extend packed = pack(Name, Value)
| summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
| evaluate bag_unpack(PackedInfo)
```
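To make the query's logic easy to test offline, the following Python re-implements each stage of the KQL (application and cmdlet filter, mv-expand of ActivityObjects, parameter allow-list, make_bag, bag_unpack) over a handful of constructed CloudAppEvents records, and adds a small helper that reports which of the three watched settings a change turned off. This is an added example, not code from the page or from the Sentinel repository; the sample events, account names and the `weakened_settings` helper are constructed for illustration.

```python
from collections import defaultdict

# The three Set-AtpPolicyForO365 parameters the hunting query watches.
WATCHED_PARAMETERS = ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")

# Constructed sample CloudAppEvents records (illustrative only, not from a real tenant).
# ActivityObjects mirrors the dynamic array the KQL query mv-expands.
SAMPLE_EVENTS = [
    {
        "Timestamp": "2024-05-01T10:00:00Z",
        "Application": "Microsoft Exchange Online",
        "ActionType": "Set-AtpPolicyForO365",
        "AccountDisplayName": "alice@contoso.example",
        "ActivityObjects": [
            {"Name": "Identity", "Value": "Default"},          # not watched, dropped by the filter
            {"Name": "EnableATPForSPOTeamsODB", "Value": "False"},
            {"Name": "EnableSafeDocs", "Value": "False"},
        ],
    },
    {
        "Timestamp": "2024-05-01T11:30:00Z",
        "Application": "Microsoft Exchange Online",
        "ActionType": "Set-AtpPolicyForO365",
        "AccountDisplayName": "bob@contoso.example",
        "ActivityObjects": [{"Name": "AllowSafeDocsOpen", "Value": "True"}],
    },
    {   # Constructed: a different cmdlet, must not match the ActionType filter.
        "Timestamp": "2024-05-01T12:00:00Z",
        "Application": "Microsoft Exchange Online",
        "ActionType": "Set-SomeOtherPolicy",
        "AccountDisplayName": "carol@contoso.example",
        "ActivityObjects": [{"Name": "EnableSafeDocs", "Value": "False"}],
    },
    {   # Constructed: right cmdlet name but a different application, must be filtered out.
        "Timestamp": "2024-05-01T13:00:00Z",
        "Application": "Microsoft SharePoint Online",
        "ActionType": "Set-AtpPolicyForO365",
        "AccountDisplayName": "dave@contoso.example",
        "ActivityObjects": [{"Name": "EnableSafeDocs", "Value": "False"}],
    },
]


def hunt_atp_policy_changes(events):
    """Return one row per (Timestamp, AccountDisplayName), mirroring the KQL output."""
    bags = defaultdict(dict)   # (Timestamp, account) -> {Name: Value}, i.e. make_bag(pack(Name, Value))
    action_types = {}          # any(ActionType) per group
    for ev in events:
        if ev.get("Application") != "Microsoft Exchange Online":
            continue
        if ev.get("ActionType") != "Set-AtpPolicyForO365":
            continue
        key = (ev["Timestamp"], ev.get("AccountDisplayName"))
        for obj in ev.get("ActivityObjects", []):          # mv-expand ActivityObjects
            name = str(obj.get("Name", ""))                 # tostring(ActivityObjects.Name)
            if name not in WATCHED_PARAMETERS:              # where Name in (...)
                continue
            bags[key][name] = str(obj.get("Value", ""))     # tostring(ActivityObjects.Value)
            action_types[key] = ev["ActionType"]
    rows = []
    for (ts, account), bag in bags.items():
        row = {"Timestamp": ts, "AccountDisplayName": account, "ActionType": action_types[(ts, account)]}
        row.update(bag)                                     # evaluate bag_unpack(PackedInfo)
        rows.append(row)
    return rows


def weakened_settings(row):
    """Names of watched settings this change set to False (protection turned off)."""
    return [name for name in WATCHED_PARAMETERS if row.get(name, "").lower() == "false"]


if __name__ == "__main__":
    for row in hunt_atp_policy_changes(SAMPLE_EVENTS):
        print(row, "weakened:", weakened_settings(row))
```

Only the first two sample events survive the filters, exactly as they would in the KQL; the first row carries both `EnableATPForSPOTeamsODB` and `EnableSafeDocs` set to `False`, which is the state a hunter would triage first, while the second row records a setting being turned on. Because the query groups by exact Timestamp, a single cmdlet invocation that changes several parameters ends up as one row with one column per parameter.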
```yaml
id: 518e6938-10ef-4165-af19-82f1287141bc
name: ATP policy status check
description: |
  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
description-detailed: |
  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  CloudAppEvents
  | where Application == "Microsoft Exchange Online"
  | where ActionType == "Set-AtpPolicyForO365"
  | mv-expand ActivityObjects
  | extend Name = tostring(ActivityObjects.Name)
  | extend Value = tostring(ActivityObjects.Value)
  | where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
  | extend packed = pack(Name, Value)
  | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
  | evaluate bag_unpack(PackedInfo)
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
The following scenarios can produce benign matches for this query. The column names used in the filters are not all present in the CloudAppEvents schema, so map each filter onto the columns your data connector actually populates before adding it as an exclusion.

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Compliance Audit Job | A scheduled job runs to audit ATP (Advanced Threat Protection) policies as part of routine compliance checks. | `where AuditJobName contains "Compliance Audit" or AuditJobName contains "Scheduled Audit"` |
| Admin Manual Policy Review | An admin manually reviews the ATP policy configuration using the Microsoft 365 Compliance Center or the Microsoft Defender for Office 365 admin center. | `where UserEmail contains "admin@domain.com" or UserEmail contains "security@domain.com"` |
| Policy Sync Between Tenants | A cross-tenant policy synchronization task triggers a configuration audit when policies are synced between Microsoft 365 tenants. | `where SourceTenantId != TargetTenantId or ActivityType contains "Tenant Sync"` |
| Automated Policy Update via PowerShell | A PowerShell script or automation tool updates ATP policies across multiple environments, which may trigger configuration audit events. | `where ProcessName contains "powershell.exe" or ScriptName contains "Update-ATPPolicy.ps1"` |
| Third-Party Tool Integration | A third-party security tool or SIEM integration periodically checks ATP policy status for correlation with other security data. | `where SourceSystem contains "SIEM" or SourceSystem contains "ThirdPartyTool"` |