Monitoring

Configuring the Monitor in Office Protect

Synopsis: This guide explains how to configure Monitor in Office Protect. Prerequisite: You must have an Office Protect account. How to: The Office Protect Monitor allows you to configure the events you want to monitor and define the recipients of Alerts and Digests. Alerts report events with immediat...

7/1/2025 3:27:30 PM

How to create a rule to automatically ignore events

When you receive a security event you consider a false alarm, Office Protect allows you to create a rule to automatically ignore future similar events based on the event's criteria. You will not be alerted anymore on events In this article: Access to the feature, Create a rule, Review existing...

7/1/2025 3:28:08 PM

How to define who receives Alerts and Digests in Office Protect

Synopsis: How to define who receives Alerts and Digests in Office Protect. Prerequisite: You must have an Office Protect account. How to: Office Protect Monitor allows you to configure the events you want to monitor and define the recipients of Alerts and Digests. Alerts report events with immedi...

7/1/2025 3:28:46 PM

How to investigate Office Protect alerts: Microsoft 365 Audit Logs

When we suggest remediation to an alert, we will often recommend that you investigate suspicious activity by looking at the audit logs for the user. There are two key audit logs you can look through to drive your investigation: The Azure Active Directory Sign-In Audit Logs will provide extensive d...

7/1/2025 3:29:22 PM

How to receive Alerts and Digests in Teams

Microsoft Teams can receive and display emails directly in a channel, making it a great way to share your security alerts amongst your technical team as they come in. The connection requires very little setup and starts working immediately. Simply follow these steps to make any channel the ta...

7/1/2025 3:29:57 PM

Office Protect - Monitor Overview

This module is meant to configure how Office Protect monitors your tenant. Monitoring records all real-time activities for your Microsoft 365 tenant and generates events for suspicious activities that will be sent through email. Monitor Profile: You can set up your tenant quickly by selecting ...

7/1/2025 3:30:35 PM

Office Protect - Security Events details

NEW - We have added more details about IP addresses detected in security events. How to access a security event details? What can I find in my security event details? How to access a security event details? In the Report section, click on any security event displayed in the table. In the Alert email, cl...

7/1/2025 3:31:14 PM

Office Protect Event - Account Deleted

This event warns of any account deletion from Azure Active Directory. For security: deleting accounts is a very common action for vandal hackers that gain access to an organization. For internal monitoring: account deletion is often a mistake. Office Protect includes the name of the admin who delete...

7/1/2025 3:31:51 PM

Office Protect Event - Administrator Role Change

Multiple types of actions can trigger this event: New administrator created, Administrator account deleted, User granted administrator rights, User revoked administrator rights. Privilege escalation is a big part of hacker behavior. Any changes to administrative privileges should be a big red flag a...

7/1/2025 3:32:27 PM

Office Protect Event - Application Permissions Change

This event is raised whenever Office Protect detects a change in an application's permissions. Hackers may attempt to silently gain access to sensitive information or carry out malicious activities by escalating an application's permissions. Removing permissions can also block critical business o...

7/1/2025 3:33:01 PM

Office Protect Event - Email Impersonation

Exchange gives authorized users the ability to send emails as someone else. This can be used as part of larger operations that include phishing, or for internal abuse. This differs from using “Send On Behalf”, which is much more transparent. Shared mailboxes are ignored for this event. Rem...

7/1/2025 3:33:36 PM

Office Protect Event - File Shared Publicly (anonymous)

In a business setting, there are few good reasons to share business files with anonymous targets. It defeats all tracking and compliance mechanisms around data extraction. Users should always share files with specific users or guests. This event is triggered when a user creates a link to a file using th...

7/1/2025 3:34:12 PM

Office Protect Event - Item deleted from Retention Mechanism

This event triggers when files are deleted manually from retention mechanisms like the recycle bin's recycle bin. Vandal hackers trying to remove files permanently will delete them from the retention mechanism. This almost never happens in regular business operations. This event triggers when item...

7/1/2025 3:34:48 PM

Office Protect Event - License assigned

Whenever an additional license is assigned to an existing account, this event will trigger. According to the "Principle of Least Privilege", users should not have access to services they do not require. It also helps you control license costs. Remediation: We recommend auditing your licenses re...

7/1/2025 3:35:23 PM

Office Protect Event - License removed

Whenever a license is removed from an existing account, this event will trigger. Removing user licenses is a good way for hackers to disable users. Remediation: Repeated license removal, or license removal from key users in your organization should be investigated and the account from wh...

7/1/2025 3:35:57 PM

Office Protect Event - Mail Forwarding Rule(s) to External Destination Created

If an Exchange rule is created to automatically forward emails to a mailbox outside your organization, this event will trigger. This is a common method used by attackers for data extraction. It automatically sends information quietly out of the business. Office Protect monitors Mail Forwarding Rul...

7/1/2025 3:36:32 PM

Office Protect Event - Mailbox Access by non-owner

Whenever someone who is not the owner accesses a mailbox, this event will trigger. Privilege escalation is a big target for hackers. One reason is that it grants access to multiple accounts without having to hack them all. This event is a sign that a hacker is exploring your data. It can als...

7/1/2025 3:37:06 PM

Office Protect Event - Mailbox Access granted to Non-Owner

Whenever access to a mailbox is permanently granted to someone who is not the owner of the mailbox, this event will trigger. Privilege escalation is a big target for hackers, as it grants access to multiple accounts without having to hack them all. This event can be a sign that a hacker is e...

7/1/2025 3:37:41 PM

Office Protect Event - Microsoft 365 setting enforced by Office Protect

Each time Office Protect detects a change in your Microsoft 365 configuration and automatically reapplies the setting, this alert is generated. Affected settings, if enabled on your tenant (see Set section): Audit Logs Always-On, Exchange Scripting (Powershell) Access, Flag Phi...

7/1/2025 3:38:15 PM

Office Protect Event - New Account Created

You will be warned of any account creation not initiated by you. From a security standpoint, creating a new account is a very common action for hackers that gain access to an organization. For internal monitoring: you can reduce cost and increase compliance by limiting accounts created without ap...

7/1/2025 3:38:50 PM

Office Protect Event - New SharePoint Site Created

SharePoint sites can be used for data extraction and can cause data proliferation. They can also generate costs for storage usage. Therefore, we recommend auditing site and storage usage regularly to avoid extra costs, but also to audit site and data access within your organization, to avoid acce...

7/1/2025 3:39:25 PM

Office Protect Event - New Teams App Installed

This event warns of any new application installed in Teams for the first time, whether it is installed org-wide, in a meeting, in a conversation, or in a specific team. Office Protect includes the application name and ID as well as the name and email of the user who installed it to allow you to in...

7/1/2025 3:40:00 PM

Office Protect Event - SharePoint Site Deleted

Whenever a site collection is deleted, this event will trigger. Vandal hackers can do a lot of damage by deleting SharePoint sites, since the organization might lose access to a significant amount of data. We will also alert you if a site is deleted from the second level recycle bin. Remediation: In ...

7/1/2025 3:40:36 PM

Office Protect Event - Sign-In from Unauthorized Country

Any sign-ins from unusual countries should be investigated as possible breaches. If no business explanation is provided, consider suspending the account until the matter is clarified. You can configure the countries from which sign-ins will trigger an Office Protect alert...

7/1/2025 3:41:10 PM

Office Protect Event - Suspicious Inbox Rule Detected

This event is raised whenever Office Protect detects a suspicious inbox rule created or updated on a mailbox. When hackers gain access to Exchange user accounts, they might create inbox rules to: Divert specific emails away from the user's inbox, such as security alerts, password reset request...

7/1/2025 3:41:45 PM

Office Protect Event - User Accessed with Previously Unknown Device and IP

We combine the IP address and the user agent to determine if a user is "known" to the system. A user agent is the means by which the user connected to Microsoft 365; it may be through a device (phone or computer), or through a new combination of web browser and IP. Remediation: While people move, causing I...

7/1/2025 3:42:21 PM

Office Protect Event - User Consented to an App

This event warns you that a user granted consent to an application in Microsoft 365. When a user gives permissions to an external application, the event will trigger. Application consent can be on behalf of the user itself or made on behalf of the organization, meaning that consent is given to all...

7/1/2025 3:42:56 PM

Office Protect events - Remediation actions

From the security event details page accessible in the Report section by clicking on an event, or through the "View event in Office Protect" link in the security events notifications, you can now perform remediation actions to act quickly and avoid potential damage if there is a compromise on you...

7/1/2025 3:43:34 PM

Office Protect Health Status - Global Administrator account(s) used for non-admin activities

Global Administrator accounts have unrestricted access to all Microsoft 365 services and data. Using them for everyday, non-administrative tasks (such as reading emails, joining meetings, or browsing SharePoint) exposes them unnecessarily to threats like phishing or token theft. Best practice is t...

7/1/2025 3:44:12 PM

Office Protect Health Status - Invalid Domain(s) Spoofing Prevention Configuration (SPF)

How does SPF work? An SPF (Sender Policy Framework) record is a type of DNS TXT record that specifies which mail servers are authorized to send emails on behalf of a domain. SPF helps prevent email spoofing (when an attacker forges an email to make it look like it’s coming from a legitimate domain)...

7/1/2025 3:44:47 PM

What events can I configure in Office Protect?

The Office Protect Monitor allows you to configure the events you want to monitor and define the recipients of Alerts and Digests. Alerts report events with immediate security impact for your tenant. They are sent as they happen. Digests are recaps of recent events and can be used ...

7/1/2025 3:45:30 PM