The Office Protect Monitor allows you to configure the events you want to monitor and define the recipients of Alerts and Digests.

  • Alerts report events with immediate security impact for your tenant. Notifications are sent as events occur, or in hourly batches if the volume is high.

  • Digests are recaps of recent events and can be compiled for your review. They are sent weekly.

 All events are accessible in the Report section.


Events that can be configured

 

Account Deleted

  • Trigger: Any account deletion in Microsoft 365.

  • From a security standpoint, deleting accounts is a very common action for vandal hackers who gain access to an organization. From an internal monitoring perspective, account deletion is often a mistake.

     

 

Administrator Role Change

  • Trigger: Any changes to a user's permissions involving administrator privilege: new administrator created; administrator account deleted; user granted administrator rights; user administrator rights revoked.

  • Privilege escalation is a big part of hacker behavior. Any change to administrative privileges is a big red flag and should be monitored. The "Principle of Least Privilege" should be followed: as few rights as possible should be given while still allowing proper operations.

     

 

Application Permissions Change

  • Trigger: Any changes to an application’s permissions.

  • Privilege escalation is a big part of hacker behavior. Any change to an application's permissions should be monitored. The "Principle of Least Privilege" should be followed: as few rights as possible should be given while still allowing proper operations.

 

Email Impersonation

  • Trigger: Any email sent using the Exchange 'Send As' functionality to impersonate someone else.

  • Exchange allows authorized users to send email as someone else, with no indication to the recipient that another person sent it. This can be used as part of larger operations, like phishing, or for internal abuse. This differs from 'Send On Behalf', which is much more transparent: the recipient sees who actually sent the message. Shared mailboxes are excluded from this event.

     

 

Email Transport Rule to External Domain Created

  • Trigger: The creation of an Exchange transport rule automatically forwarding emails to an external domain.

  • This is a common method used by attackers for data extraction: it quietly and automatically sends information outside of the business.

 

File Shared Publicly (anonymous)

  • Trigger: Any sharing of a file from SharePoint or OneDrive in a way that allows anonymous users (i.e. anybody) to access it.

  • In a business setting, there are few good reasons to share business files with anonymous recipients. It defeats all tracking and compliance mechanisms around data extraction. Users should use named shares instead.

 

Health Status Decline

  • Trigger: The lowering of your organization’s Health Status.

  • The Health Status feature gives you an overview of the current security level of your organization. When this security level drops, it exposes more attack surface to potential hackers. 

 

Health Status Changed

  • Trigger: A change in the underlying data of a Health Status that is in Critical state.

  • The Health Status feature provides an overview of your organization’s current security level. A Critical status indicates that vulnerabilities or risks remain high, exposing your environment to potential threats.

 

Health Status Improvement

  • Trigger: The improvement of your organization’s Health Status.

  • The Health Status feature gives you an overview of the current security level of your organization. You might want to be notified when this security level goes back to normal. 

 

Item Deleted from Retention Mechanism

  • Trigger: The manual deletion of a file/folder from a retention mechanism such as SharePoint's 2nd level recycle bin.

  • A vandal hacker trying to remove files permanently will delete them from the retention mechanism; this almost never happens in regular business operations. This event triggers when items are deleted from SharePoint's 2nd level recycle bin. The normal automatic cleanup of items from the retention mechanism does not trigger this event.

 

License Assigned

  • Trigger: The assigning of an additional license to an existing account.

  • According to the "Principle of Least Privilege", users should not have access to services they do not require. Limiting license assignment also helps you control costs.

 

License Removed

  • Trigger: The removal of a license from any existing account.

  • Removing a user's license is a good way for hackers to disable that user.

 

Mailbox Access by Non-Owner

  • Trigger: Access to a mailbox by someone other than the owner.

  • Privilege escalation is a big target for hackers. It grants access to multiple accounts without having to hack them individually. This event is a sign that a hacker is exploring your data. It can also point to internal actors misbehaving and abusing their access. 

 

Mailbox Access Granted to Non-Owner

  • Trigger: The granting of permanent access to someone who is not the owner of the mailbox.

  • Privilege escalation is a big target for hackers. It grants access to multiple accounts without having to hack them individually. This event is a sign that a hacker is exploring your data. It can also point to internal actors misbehaving and abusing their access. 

 

New Account Created

  • Trigger: The creation of a new account in Microsoft 365.

  • You will be alerted to any account creation not initiated by yourself. From a security standpoint, creating a new account is a very common action for hackers who gain access to an organization. From an internal monitoring perspective, you can reduce costs and increase compliance by limiting unauthorized account creation.

 

New SharePoint Site Created

  • Trigger: The creation of a new site collection.

  • SharePoint sites can be used for data extraction and can cause data proliferation. They can also generate costs. 

 

New Teams App Installed

  • Trigger: The installation of a new application by a user for the first time in Teams.

  • It's essential to closely audit apps that are installed by your users. An app that has been certified by Microsoft may seem harmless on its own, but even certified apps can have vulnerabilities that expose company data. We recommend that you restrict app installation and consent in Teams to Admins.

 

Microsoft 365 setting enforced by Office Protect

  • Trigger: The automatic reapplication of a setting by Office Protect.

  • Each time Office Protect detects a change in your Microsoft 365 configuration and automatically reapplies the setting, an alert will be generated.

  • Affected settings, if enabled: Audit Logs Always-On, Exchange Scripting (PowerShell) Access, Flag Phishing Emails using Tenant Domain or Staff Name and Mailbox Audit Logs Always-On. 

    If Office Protect cannot automatically reapply the setting, you will also be alerted. Changes applied from Office Protect do not trigger the alert.

 

Microsoft 365 Setting Modified Outside Office Protect

  • Trigger: Any changes to the settings already applied by Office Protect in Microsoft 365.

  • Any change made directly in Microsoft 365 that does not reflect the policy you chose in Office Protect is reported. These events often identify users who do not follow security best practices. Changes applied from Office Protect will not trigger this alert.

 

SharePoint Site Deleted

  • Trigger: The deletion of a site collection.

  • Vandal hackers can do a lot of damage by deleting SharePoint sites. 

 

Sign-In From Unauthorized Location

  • Trigger: Any user sign-in from an unapproved country or from an anonymous proxy.

  • Any sign-ins from unusual countries or anonymous proxies should be investigated as possible breaches. If no business explanation is provided, consider suspending the account until the matter is clarified. You can select the countries you would like to authorize, and choose whether to be alerted for sign-ins from anonymous proxies. If you enable the anonymous proxy option, sign-ins from anonymous proxies will also trigger an alert, even if the country is authorized.
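As an added example (not Office Protect code), the following Python applies the two settings described above, an approved-country list and the anonymous-proxy option, to constructed sign-in records; the record fields and the sample values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    """One sign-in record (constructed shape; field names are assumed)."""
    user: str
    country: str           # ISO 3166 alpha-2 code resolved from the source IP
    anonymous_proxy: bool  # True when the source IP is a known anonymizer


def unauthorized_location_alerts(signins, approved_countries, alert_on_proxy=True):
    """Return (user, reason) for every sign-in that should raise the alert.

    A sign-in through an anonymous proxy alerts whenever the proxy option is
    enabled, even if the country is approved; otherwise only the country is
    checked against the approved list.
    """
    approved = {c.upper() for c in approved_countries}
    alerts = []
    for s in signins:
        if alert_on_proxy and s.anonymous_proxy:
            alerts.append((s.user, "anonymous proxy"))
        elif s.country.upper() not in approved:
            alerts.append((s.user, f"unapproved country {s.country}"))
    return alerts


# Constructed sample sign-ins
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", "CA", False),  # approved country, direct
    SignIn("bob@example.com", "US", True),     # approved country, but via proxy
    SignIn("carol@example.com", "FR", False),  # country not in the approved list
    SignIn("dave@example.com", "US", False),   # approved country, direct
]

if __name__ == "__main__":
    for user, reason in unauthorized_location_alerts(SAMPLE_SIGNINS, ["CA", "US"]):
        print(f"ALERT {user}: {reason}")
```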

 

Suspicious Inbox Rule Detected

  • Trigger: The creation of a suspicious inbox rule on a mailbox. The rule is considered suspicious based on its name or the actions it performs.

  • Malicious inbox rules are frequently created by hackers who gain access to a mailbox. While it can be difficult to analyze each inbox rule created in your tenant, any inbox rule not named properly or redirecting messages to specific folders should be checked.
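To illustrate the two criteria named above, rule name and rule actions, here is an added Python example that is not Office Protect's own detection logic. The rule records are constructed; their action keys mirror Exchange inbox-rule parameter names, and the name and "hidden folder" heuristics are this example's own assumptions.

```python
import re

ORG_DOMAINS = {"example.com"}                       # assumed tenant domains
EXFIL_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def suspicious_name(name):
    """Empty, single-character or punctuation-only names are a red flag."""
    stripped = name.strip()
    return len(stripped) <= 1 or not re.search(r"[A-Za-z0-9]", stripped)


def suspicious_actions(actions):
    """Return reasons for actions that move mail out of sight or off-tenant."""
    reasons = []
    for act, target in actions.items():
        if act in EXFIL_ACTIONS and target.split("@")[-1].lower() not in ORG_DOMAINS:
            reasons.append(f"{act} external address {target}")
    if actions.get("DeleteMessage"):
        reasons.append("deletes messages")
    folder = actions.get("MoveToFolder")
    if folder and actions.get("MarkAsRead"):   # assumed heuristic: filed and silenced
        reasons.append(f"hides mail in {folder}")
    return reasons


def suspicious_inbox_rules(rules):
    """Return (mailbox, rule name, reasons) for each rule worth checking."""
    findings = []
    for r in rules:
        reasons = ["improper name"] if suspicious_name(r["name"]) else []
        reasons += suspicious_actions(r["actions"])
        if reasons:
            findings.append((r["mailbox"], r["name"], reasons))
    return findings


# Constructed sample rules
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "actions": {"MoveToFolder": "Inbox/Newsletters"}},
    {"mailbox": "bob@example.com", "name": ".",
     "actions": {"MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"mailbox": "carol@example.com", "name": "Invoices",
     "actions": {"ForwardTo": "billing@external.example"}},
    {"mailbox": "dave@example.com", "name": "Clean up",
     "actions": {"DeleteMessage": True}},
]
```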

 

Too Many Logins

  • Trigger: Any access to an account at a frequency that exceeds the specified threshold.

  • Having numerous successful logins for a single account in a short timeframe usually points to the account credentials having been published publicly. Note that accessing different services (Email, SharePoint, etc.) counts as multiple logins.
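As an added example (not the product's code), this Python sliding-window counter shows how a per-account threshold behaves when every service login counts separately, as the note above states; the event shape, window size and sample timestamps are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def too_many_logins(events, threshold, window=timedelta(minutes=10)):
    """events: (timestamp, user, service) tuples in chronological order.

    Every successful login counts, so one user reaching Exchange, SharePoint
    and Teams in quick succession contributes three logins. An alert is
    returned as soon as more than `threshold` logins fall inside the trailing
    window; the window is then reset so a single burst raises one alert.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, user, service in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop logins older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((user, ts.isoformat()))
            q.clear()
    return alerts


# Constructed sample: alice reaches six services within five minutes,
# bob signs in three times spread over an hour.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = sorted(
    [(T0 + timedelta(minutes=m), "alice@example.com", svc)
     for m, svc in enumerate(["Exchange", "SharePoint", "Teams",
                              "Exchange", "OneDrive", "Exchange"])]
    + [(T0 + timedelta(minutes=m), "bob@example.com", "Exchange")
       for m in (0, 30, 60)]
)

if __name__ == "__main__":
    for user, when in too_many_logins(SAMPLE_EVENTS, threshold=5):
        print(f"ALERT {user}: login threshold exceeded at {when}")
```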

 

User Consented to an App

  • Trigger: Any consent granted by a user to an application.

  • Registered applications in Entra ID may request access to data such as contact information, email, documents, etc., either for a single user or for all users (which requires an Admin). This makes them a target of choice for hackers, who impersonate a legitimate application to access user data as well as credentials. A legitimate application may also be compromised, which can lead to user credential leaks. We recommend being careful with applications that require admin consent on behalf of all users, as this can potentially expose a very large amount of M365 sensitive data.

 

User Accessed with Previously Unknown Device and IP

  • Trigger: Any Microsoft 365 account access from a new device and a new IP address.

  • We combine the IP address and the user-agent to determine whether a user is "known" to the system. People move, causing their IP to change, and sometimes they change their device or software, causing the user-agent to change; both happening at the same time is less common. Benign example: a login from a public computer while traveling.
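An added Python example (not Office Protect's implementation) of the IP-plus-user-agent rule described above, run over a constructed access log; treating a user's first record as a silent baseline is this example's assumption.

```python
from collections import defaultdict


def unknown_device_and_ip_alerts(access_log):
    """access_log: (user, ip, user_agent) tuples in chronological order.

    A user's first record only seeds the baseline (assumption of this example).
    After that, a new IP alone or a new user-agent alone is learned silently;
    both being new at once raises the alert, as the event description explains.
    """
    known_ips = defaultdict(set)
    known_agents = defaultdict(set)
    alerts = []
    for user, ip, ua in access_log:
        seen_before = bool(known_ips[user])
        if seen_before and ip not in known_ips[user] and ua not in known_agents[user]:
            alerts.append((user, ip, ua))
        known_ips[user].add(ip)
        known_agents[user].add(ua)
    return alerts


# Constructed user-agent strings and RFC 5737 documentation addresses
OUTLOOK_WIN = "Microsoft Office/16.0 (Windows NT 10.0; Outlook 16.0)"
TEAMS_WIN = "Teams/1.6 (Windows NT 10.0)"
CHROME_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"

SAMPLE_LOG = [
    ("alice@example.com", "203.0.113.10", OUTLOOK_WIN),  # alice's baseline
    ("alice@example.com", "203.0.113.10", TEAMS_WIN),    # new agent, known IP
    ("alice@example.com", "198.51.100.7", OUTLOOK_WIN),  # new IP, known agent
    ("alice@example.com", "192.0.2.55", CHROME_LINUX),   # both new: alert
    ("bob@example.com", "198.51.100.7", OUTLOOK_WIN),    # bob's baseline
]

if __name__ == "__main__":
    for user, ip, ua in unknown_device_and_ip_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: unknown device {ua!r} from unknown IP {ip}")
```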

 


If you have any questions, please browse our other FAQs or contact us directly.