Thursday, September 6, 2018

Creating Office 365 Protection Alerts with PowerShell

I’ve previously covered off how to create a new Protection Alert in Office 365 using the web interface:

Setting an alert for file download in Office 365

I’d also tried doing this via PowerShell but ran into some issues:

I’m puzzled by new-protcetionalert

Luckily, after some chasing down, I have learned that I overlooked an important option in my scripting. It seems the option:

-aggregationtype none

needs to be included. This tells the script to only create a single alert at a time. Thus to create a Protection Alert that will tell you of malware in a file in OneDrive for Business or SharePoint you need to run:

New-protectionalert -category $category -name "Detected malware in files" -ThreatType activity –NotifyUser “user@domain.com” -Operation filemalwaredetected -AggregationType none -Severity High

You’ll first need to connect to the Security and Compliance center with PowerShell before you can run this command.

image

If you then at the Alert Policies you should see the above.

image

Interestingly, when you look at the activity that will trigger the alert you see the above, which doesn’t provide you any indication of what the activity for the alert actually is. You will also notice that I can’t edit the activity or much else on the alert once it has been created via PowerShell.

However, I do know that setting Protection alerts via PowerShell does work so I’m happy that I can do bulk add alerts via a script. I just that one option.