Office 365 Security and Compliance – Alert When A Specific File Is Accessed

When a very important file stored in OneDrive needs to be monitored. This is how to create an alert on file activity. We specifically want to monitor and alert on any activity done to the specific file by any user.

This example file is called HR.doc and is stored in OneDrive.

This is how we created an alert policy for file activity of the file “HR.doc”.

Open Office 365 Security & Compliance

https://protection.office.com/alertpolicies

Alerts > Alert Policies > New Policy

Options selected

  • Status – Enabled
  • Severity – Medium
  • Category – Information Governance
  • Conditions – Activity is File Activity and File name is HR.doc
  • Scope – All Users
  • Email Recipients – email address
  • Limit the number of notifications – optional. 5 in this example

Test the alert by trying to modify or access the file.

Result

Alert email notification as shown below.

This logs an alert which then should be reviewed and investigated

Action the Alert

Content Search – Security And Compliance – Search A Mailbox For Specific Content And Then Export Results

If you’re doing some compliance investigation work, you may need to search a user’s mailbox for specific words.

This is how To Search Email Content in Office 365 Security & Compliance for a specific user which sent email containing a specific word then export results.

Reference guides – Content search

Microsoft Docs Content Search

Microsoft Docs Export Search

Content Search : How to search a mailbox for specific keywords and export the data

Mircosoft 365 Admin Center -> Compliance Admin Center

Content Search > + New Search

New Search > Keywords “Blog” example > Specific Locations > Modify > Choose Users, Groups or Teams

Enter users name > Select > Choose

Done > Save > Save & Run > Save Search

This search will trigger a default alert email to be sent out

Next step, Export the results

Unable to preview results problem or export?

If you cannot preview, you need to add a role to the user account, eDiscovery Administrator role (Example) or eDiscovery Manager for specific cases / Compliance Admin / Compliance Data Administrator

You must sign out and sign in for the groups to take effect.

Now back to the search

After the you can see the preview, now you can click Export

Click Export > ReportsOnly or Export > Copy to clipboard export key > Download report > Install eDiscovery Export Tool

Export tool installs

Use the Export Key and Set a directory. 

File Downloads

Now you can open the report exported