What events can I configure in Office Protect? 

The Office Protect Monitor allows you to configure the events you want to monitor and define the recipients of Alerts and Digests.

 

Alerts report events with immediate security impact for your tenant. They are sent as they happen.

 

Digests are recaps of recent events and can be used to compile for your review. They are sent at regular intervals.

 

All events are accessible in the REPORT section.

 

To define who receives Alerts and Digests in Office Protect, click HERE

Events that can be configured:

Account Deleted

What Triggers this event?

Any Account deletion in Microsoft 365.

From a security standpoint, deleting accounts is a very common action for vandal hackers that gain access to an organization. From an internal monitoring perspective, account deletion is often a mistake. 

Administrator Role Change

What Triggers this event?

Any change to user permission involving administrator privilege.

Actions causing this event: new administrator created; administrator account deleted; user granted administrator rights; user administrator rights revoked. Privilege escalation is a big part of hacker behavior. Any changes to administrative privileges is a big red flag and should be monitored. The "Principle of Least Privilege" should be followed and as few rights as possible should be given while allowing proper operations. 

Email Impersonation

What Triggers this event?

Any email sent using the Exchange 'Send As' functionality to impersonate someone else.

Exchange allows authorized users to send emails as someone else, transparently. This can be used as part of larger operations, like phishing, or for internal abuse. This differs from 'Send On Behalf', which is much more transparent. Shared mailboxes are excluded from this event. 

Email Transport Rule to External Domain Created

What Triggers this event?

The creation of an Exchange transport rule automatically forwarding emails to an external domain.

This is a common method used by attackers for data extraction. It automatically sends information quietly outside of the business. 

File Shared Publicly (anonymous)

What Triggers this event?

Any sharing of a file from SharePoint or OneDrive in a way that allows anonymous users (i.e. anybody) to access it.

In a business setting, there are few good reasons to share business file with anonymous targets. It defeats all tracking and compliance mechanisms around data extraction. Users should use named shares. 

Health Status Decline

What Triggers this event?

The lowering of your organization’s Health Status.

The Health Status feature gives you an overview of the current security level of your organization. When this security level drops, it exposes more attack surface to potential hackers. 

Health Status Improvement

What Triggers this event?

The improvement of your organization’s Health Status.

The Health Status feature gives you an overview of the current security level of your organization. You might want to be notified when this security level goes back to normal. 

License Assigned

What Triggers this event?

The assigning of an additional license to an existing account.

According to the "principle of least privilege", users should not have access to services they do not require. It also helps you control costs. 

License Removed

What Triggers this event?

The removal of a license from any existing account.

Removing users' licenses is a good way for hackers to disable them. 

Mailbox Access by Non-Owner

What Triggers this event?

Someone other than the owner accessing a mailbox.

Privilege escalation is a big target for hackers. It grants access to multiple accounts without having to hack them individually. This event is a sign that a hacker is exploring your data. It can also point to internal actors misbehaving and abusing their access. 

Mailbox Access Granted to Non-Owner

What Triggers this event?

The granting of permanent access to someone who is not the owner of the mailbox.

Privilege escalation is a big target for hackers. It grants access to multiple accounts without having to hack them individually. This event is a sign that a hacker is exploring your data. It can also point to internal actors misbehaving and abusing their access. 

New Account Created

What Triggers this event?

The creation of a new account in Microsoft 365.

You will be alerted to any account creation not initiated by yourself. From a security standpoint: creating a new account is a very common action for hackers that gain access to an organization. From an internal monitoring perspective, you can reduce costs and increase compliance by limiting unauthorized account creation. 

New SharePoint Site Created

What Triggers this event?

The creation of a new site collection.

SharePoint sites can be used for data extraction and can cause data proliferation. They can also generate costs. 

Microsoft 365 Setting Modified Outside Office Protect

What Triggers this event?

Any changes to the settings already applied by Office Protect in Microsoft 365.

Any change made directly in Microsoft 365 that does not reflect the policy you chose in Office Protect is reported. They will often identify users who do not respect security best practices. Changes applied from Office Protect will not trigger this alert. 

SharePoint Site Deleted

What Triggers this event?

The deletion of a site collection.

Vandal hackers can do a lot of damage by deleting SharePoint sites. 

Sign-In From Unauthorized Country

What Triggers this event?

Any user sign-in from an unapproved country.

Any sign-ins from unusual countries should be investigated as possible breaches. If no business explanation is provided, consider suspending the account until the matter is clarified. 

Too Many Logins

What Triggers this event?

Any access to an account at a frequency that exceeds the specified threshold.

Having numerous successful logins for a single account in a short timeframe usually points to the account credentials having been published publicly. Please note that accessing different services (Email, SharePoint, etc.) will count as multiple logins. 

User Accessed with Previously Unknown Device and IP

What Triggers this event?

Any Microsoft 365 account access from a new device or IP address.

We combine the IP address and the user-agent to determine if a user is "known" to the system. While people move, causing IPs to change, and sometimes they change their device and software, causing the user-agent to change; both happening at the same time is less common. Benign example: Login from a public computer while traveling.

 

If you have any question, please browse our other FAQs, or contact us directly.