Sometimes a particularly sensitive file stored in OneDrive needs to be monitored. This post shows how to create an alert policy on file activity: the goal is to be notified of any activity performed on that one file, by any user.
This example file is called HR.doc and is stored in OneDrive.
These are the settings used to create an alert policy for file activity on the file “HR.doc”:
Open Office 365 Security & Compliance
Alerts > Alert Policies > New Policy
- Status – Enabled
- Severity – Medium
- Category – Information Governance (the category determines where the alert is shown and who can see it)
- Conditions – Activity is File Activity and File name is HR.doc
- Scope – All Users
- Email Recipients – the admin or mailbox that should receive the notification
- Limit the number of notifications – optional; 5 in this example, so a burst of activity does not flood the recipient
Test the alert by accessing or modifying the file as a normal user.
The resulting alert email notification is shown below.
This also logs an alert in the Alerts dashboard, which should then be reviewed and investigated.
Action the Alert
In the Office 365 Security & Compliance admin center you can create alert policies.
Today's challenge was to set up an Alert Policy so that an admin is notified if a user adds a file containing malware to OneDrive or SharePoint.
Start in “Office 365 Security & Compliance > Alerts Dashboard > New Alert Policy”.
I started by creating an alert, selecting the Threat Management category and High severity.
Set the trigger to “Detected malware in file”.
Select the admins to be notified. I set a daily notification limit of 5 so I don't get overloaded with the same alert.
Then click “Finish”; you have the option to turn the policy on or off at this point.
View “Alert policies” to confirm the new policy is listed and enabled.
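Both policies above (the file-activity alert on HR.doc and the malware-in-file alert) can also be created from Security & Compliance PowerShell, which is useful when the same policy has to be repeated across tenants or kept in source control. The script below is an added example and is not part of the original post; the admin account, the notification mailbox, the DataGovernance category used to stand in for the portal's Information Governance category, and the `Activity.SourceFileName` filter property are assumptions to confirm against `Get-Help New-ProtectionAlert -Full` in your own tenant.

```powershell
# Added example: create the two alert policies from this page with
# Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Account names, mailbox and filter property name are assumptions.

Install-Module ExchangeOnlineManagement -Scope CurrentUser      # once per machine
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # assumed admin UPN

$notify = "secops@contoso.com"   # assumed recipient of the alert e-mails

# 1. Any file activity on the single file HR.doc, by any user, medium severity.
#    -Operation restricts the trigger to file operations; -Filter narrows it to one file name.
#    Activity.SourceFileName is assumed to be the filter property for the file name.
New-ProtectionAlert -Name "HR.doc file activity" `
    -Category DataGovernance `
    -Severity Medium `
    -ThreatType Activity `
    -Operation FileAccessed, FileModified, FileDownloaded, FileDeleted `
    -Filter "Activity.SourceFileName -eq 'HR.doc'" `
    -AggregationType None `
    -NotifyUser $notify `
    -NotifyUserThrottleThreshold 5 `
    -NotifyUserThrottleWindow 1440 `
    -NotificationEnabled $true

# 2. Malware detected in a file uploaded to SharePoint or OneDrive, high severity,
#    Threat Management category, same "5 per day" notification limit (window is in minutes).
New-ProtectionAlert -Name "Malware detected in file" `
    -Category ThreatManagement `
    -Severity High `
    -ThreatType Malware `
    -AggregationType None `
    -NotifyUser $notify `
    -NotifyUserThrottleThreshold 5 `
    -NotifyUserThrottleWindow 1440 `
    -NotificationEnabled $true

# Check that both policies exist and are enabled (Disabled should be False).
Get-ProtectionAlert |
    Where-Object { $_.Name -in "HR.doc file activity", "Malware detected in file" } |
    Format-Table Name, Category, Severity, ThreatType, Disabled

# When investigating a triggered alert, the unified audit log is the record of what
# actually happened to the file: pull the last 7 days of file operations and keep
# only the entries that mention HR.doc.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations FileAccessed, FileModified, FileDownloaded, FileDeleted -ResultSize 5000 |
    Where-Object { $_.AuditData -like '*HR.doc*' } |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate
```

One caveat worth keeping in mind when testing: alert policies are evaluated from the audit log, so there is normally a delay of several minutes (sometimes longer) between touching the file and the notification arriving. If nothing shows up, check that auditing is turned on for the tenant before assuming the policy is wrong.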
Be careful: if an email account has been compromised, you might receive a genuine-looking email which will pass through your spam filter. As an example, I have just received an email from “FirstName.LastName@[Domain Name Removed].co.uk”. This was confirmed with a quick phone call to the company, where I was informed the account had been hacked and I should delete the spam email. This post is just to raise awareness. The company's name is covered intentionally, as is their website.
Some basic warning signs were there:
- No branding
- No reference or invoice number
- Somewhere to click.
Some more interesting features are:
The link – simply hover over the PDF link to reveal that well-known domain “1drv.ms”. A OneDrive shared link, in theory a trusted source, but why not just attach a PDF if the mail is genuine?
The email domain was linked to a genuine company, @[Domain Name Removed].co.uk – this genuine victim being used as a cover.
The target was obviously selected based on a hot topic in the media they deal with.
And the different domain, firstname.lastname@example.org, that you can purchase was a nice discovery.