
Hunt for TABL changes

kql MEDIUM Azure-Sentinel
T1562
CloudAppEvents
hunting · microsoft · official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may modify Tenant Allow/Block List (TABL) settings to bypass email filtering and exfiltrate data. SOC teams should proactively hunt for TABL changes in Azure Sentinel to identify potential exfiltration attempts and unauthorized access to sensitive communications.

KQL Query

CloudAppEvents
| where ActionType contains "TenantAllowBlockListItems"
| order by Timestamp desc
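The rule's query returns every TABL event as a flat list. As an added example (not part of the Azure-Sentinel rule), the following KQL turns that list into a per-account triage view: it classifies each event by operation, drops a placeholder list of change-management accounts, and summarizes who changed what, when, and from which source addresses. The ActionType prefixes (New-/Set-/Remove-) and the RawEventData.Parameters field are assumptions about how Exchange admin audit records surface in CloudAppEvents; the excluded accounts are constructed placeholders.

```kql
// Added example, not the rule's own query.
// Assumption: ActionType carries the Exchange cmdlet name, e.g. New-TenantAllowBlockListItems.
// Assumption: RawEventData.Parameters holds the cmdlet parameters of the audited operation.
let lookback = 30d;
// Constructed placeholder: accounts whose TABL changes go through change management.
let change_management_accounts = dynamic(["placeholder-admin@example.com"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType has "TenantAllowBlockListItems"
| extend Operation = case(
    ActionType startswith "New-",    "Add",
    ActionType startswith "Remove-", "Remove",
    ActionType startswith "Set-",    "Modify",
    "Other")
| extend Parameters = tostring(RawEventData.Parameters)
| where AccountDisplayName !in (change_management_accounts)
| summarize Changes   = count(),
            Operations = make_set(Operation),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            SourceIPs  = make_set(IPAddress),
            SampleParameters = any(Parameters)
    by AccountObjectId, AccountDisplayName
| order by Changes desc
```

Accounts that appear here but are not known TABL administrators, or that show "Remove" or "Add" operations from unfamiliar source addresses, are the rows to pivot on; the SampleParameters column gives the entry that was changed without a second query.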

Analytic Rule Definition

id: bc2d8214-afb6-4876-b210-25b69325b9b2
name: Hunt for TABL changes
description: |
  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
description-detailed: |
  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  CloudAppEvents
  | where ActionType contains "TenantAllowBlockListItems"
  | order by Timestamp desc
version: 1.0.0

Required Data Sources

Sentinel Table: CloudAppEvents
Notes: Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Defense Evasion · Technique: T1562 (Impair Defenses)

References

https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/General/Hunt for TABL changes.yaml