Microsoft Teams application setup policy was modified

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-01-14

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Office 365 Audit
Detection Modules	Identity Threat Module
Detector Tags	Microsoft Teams
ATT&CK Tactic	Defense Evasion (TA0005) Persistence (TA0003)
ATT&CK Technique	Impair Defenses (T1562) Cloud Application Integration (T1671)
Severity	Informational

Microsoft Teams the application setup policy, which is responsible for application management, was modified.

Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.

Determine if it is within the user's role to modify the policy.
Verify whether the modification of the policy is both legitimate and necessary.
If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity.
Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Microsoft Teams the application setup policy, which is responsible for application management, was modified.

Attackers may modify the application setup policy to maintain persistent access to compromised Teams accounts and conversations.

Determine if it is within the user's role to modify the policy.
Verify whether the modification of the policy is both legitimate and necessary.
If the policy change causes an application installed for the whole organization, confirm that the application was created by a certified and trusted entity.
Correlate the event with its sign-in event to get additional information on the identity performing the action using the session ID or the unique token identifier.