Setting an alert for file download in Office 365

A very common request I see is people wanting to know when users have downloaded a file from SharePoint Online to their desktop. You can configure an alert to let you know when this happens. However, I will provide a word of caution here. Remember that alerting on this activity could generate quite a number of alerts, and finding the needle in that haystack can be a challenge. Thus, if you want to set these types of alerts, you should put as many filters as you can on them so you don’t end up with a screen full of alerts and become overwhelmed.

image

You’ll first need to navigate to the Security & Compliance center in the Office 365 web portal. You will also need to have the rights to do this.

Here you’ll need to expand the Alerts section on the left and then select the Alert Policies option from the items that appear.

image

On the right, you should see a list of the existing policies for the tenant.

Select the New alert policy button.

image

You’ll now be prompted to enter a Name for your policy, a Description, Severity and Category.

When complete, select the Next button at the bottom of the page.

image

On the next screen, select the down arrow to the right of the Select an activity option to display a list of activities as shown above.

Scroll down the list until you locate the Downloaded file option, which is under the File and folder activities heading, and select this.

image

Below this you can select the Add condition button to filter your alert. This allows you to focus the alert to:

image

a specific IP Address (i.e. where the user is located) and/or

image

a specific user account and/or

image

a specific filename and/or

image

a specific site collection URL and/or

image

a specific file extension.

You want to take full advantage of these conditions to reduce the number of alerts you’ll receive. Thus, if you are only worried about a single user or perhaps a certain, put those conditions in now.

image

When complete, select the Next button at the bottom of the window.

image

Now enter the email addresses of anyone you wish to receive notifications and ensure the Send email notifications option is set.

If you are expecting to receive lots of notifications (which is a bad idea) you may also wish to set the Daily notification limit.

Select the Next button at the bottom of the screen to continue.

image

Review the settings, make any changes and then select the Finish button. Generally, you will want to ensure the rule is enabled and turned on immediately.

image

You should now see that your policy appears in the list as shown above, and that it is enabled.

You can edit the policy simply by selecting it from this list.

image

Now, when a file is downloaded you should receive an email notification as shown above (assuming you have enabled email notifications of course).

You can get more details about the alert by selecting the Investigate button in the email.

image

Doing so will take you back to the Security & Compliance center and display the alert as shown above.

If you select the View activity list link you will get more details on the activity that triggered the alert.

image

When I do this I can see the time and date, activity, users, item, IP address and so on in a list as shown above, many of which are also hyperlinked so you can get more detail.

image

If you select the Item hyperlink, you will see the above screen, which in this case shows that the item downloaded was a PowerPoint file for the Marketing site collection.

image

You can return to this list of Alerts and see this item as shown above. Throughout this process please appreciate that alerts may take a few minutes to appear in emails, notifications and lists, so be patient.

You can select the alert item to drill back into the activity if you need to at any time.

image

You can also change the status of the alert to help you determine what items have been resolved. Simply change the status to suit and then Save the alert. You can always view alerts by changing the filtering options on the overview page.

There are many different types of alert policies you can set here, and you therefore need to be judicious in how you configure these. Too many alerts is just as bad as too few alerts, so ensure you make them as specific as you can to avoid overload.

You can of course always create alerts and leave them disabled until you need them activated.

Remember, there are only a few system alerts configured by default in most tenants. If you want more than these, then you need to go in and configure what you need.
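Before creating a download alert, you can gauge how many notifications a given set of conditions would produce by running the same filters over recent audit data. The script below is an added example, not part of the original post: it assumes an Exchange Online PowerShell session with audit log search enabled, and the site URL and extension in $Filter are constructed sample values.

```powershell
# Added example: gauge how noisy a "Downloaded file" alert would be before creating it.
# Assumes an Exchange Online PowerShell session and that audit log search is enabled.

# Constructed filter values mirroring the wizard's conditions; $null skips a condition.
$Filter = @{
    UserId    = $null
    ClientIP  = $null
    FileName  = $null
    SiteUrl   = 'https://contoso.sharepoint.com/sites/marketing'
    Extension = 'pptx'
}
$Days = 7

# A single call returns at most 5000 records; busy tenants need a shorter window.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -Operations FileDownloaded -ResultSize 5000

# The per-event detail is a JSON string in AuditData.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        UserId    = $d.UserId
        ClientIP  = $d.ClientIP
        SiteUrl   = $d.SiteUrl
        FileName  = $d.SourceFileName
        Extension = $d.SourceFileExtension
    }
}

# Apply only the conditions that are set, exactly as the alert policy would.
$matched = $events | Where-Object {
    (-not $Filter.UserId    -or $_.UserId    -eq   $Filter.UserId)        -and
    (-not $Filter.ClientIP  -or $_.ClientIP  -eq   $Filter.ClientIP)      -and
    (-not $Filter.FileName  -or $_.FileName  -eq   $Filter.FileName)      -and
    (-not $Filter.SiteUrl   -or $_.SiteUrl   -like "$($Filter.SiteUrl)*") -and
    (-not $Filter.Extension -or $_.Extension -eq   $Filter.Extension)
}

'{0} downloads in the last {1} days, {2} match the filter' -f @($events).Count, $Days, @($matched).Count

# Alerts per day, and the users who would trigger most of them
$matched | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name | Select-Object Name, Count
$matched | Group-Object UserId | Sort-Object Count -Descending | Select-Object -First 5 Name, Count
```

If the matched count per day is still more than you would read, add another condition and run it again before committing the policy.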

I’m puzzled by new-protectionalert

Microsoft is transitioning Office 365 Activity Alerts which I have talked about configuring here with PowerShell:

Create Office 365 Activity Alerts using PowerShell

to Alert Policies which you can see in the console here:

image

You will notice that I have been able to go in and create two of my own alerts (test and Test 2). I did this via the web console. I performed this web console configuration on a Microsoft 365 Business tenant.

Working with the web console is the slow way to get things done. PowerShell is best practice if you want to do things quickly and make them repeatable.

My thinking was, if I can configure these alerts in the web console I “should” also be able to do that in PowerShell.

Initially, I thought you could, using this new PowerShell command:

new-protectionalert

Now the information for this actual command is a bit sparse but I started working backwards from the alerts I created in the web console.

image

As you can see from the above, when I was able to work out a command that seemed to execute I was greeted with the error:

Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alert can be created.

which seems to indicate I don’t have the license, but yet I can create what I believe to be an identical alert in the web console. Basically, I just want an alert when someone marks an email as “Phish”.

image

In PowerShell I’m using the parameter:

-filter "Activity.SubmissionType -eq 'Phish'"

which would seem to me to be the same thing. Yet, I’m told that I don’t have the right license??

In the end, I want to create a PowerShell script that allows me to configure these commands so that they can be easily applied. Currently, at the moment, I’m a bit confused on how to exactly achieve this.

CIAOPS Need to Know Azure Webinar–August 2018

This month I’m going to take a closer look at one of the automation options in Azure, JSON templates. I’ll show you what they are, how they are created, what the parameters are and how to use them in your deployments.

August Azure Webinar Registrations

The details are:

CIAOPS Need to Know Azure Webinar – August 2018
Wednesday 29th of August 2018
2pm – 3pm Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.

CIAOPS Need to Know Office 365 Webinar–August

Video is an extremely powerful communication mechanism and this month I’m going to take you through the Stream video service that is part of Office 365. You’ll get a better understanding of exactly what Stream is and how it can be used in your business.

You can register for free at:

August Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – August 2018
Wednesday 29th of August 2018
11am – 12am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

There of course will also be open Q and A so make sure you bring your questions for me and I’ll do my best to answer them.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session.

Need to Know podcast–Episode 187

Brenton speaks with Tas Gray and Cam Male about their recent experiences at the Microsoft Inspire conference in Las Vegas. We get to hear what it is like for two first timers to attend one of the biggest Microsoft events of the year. We also get to hear the learnings and takeaways that Tas and Gray gained from attending. Of course, Brenton and I also update you with all the latest news from the Microsoft Cloud so download, plug in, sit back and enjoy yet another episode of the Need to Know podcast from the CIAOPS.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-187-reactions-on-microsoft-inspire/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Microsoft is hiking prices for Office 2019, Windows 10 Enterprise

Page Talk app

Page Talk video

OneDrive updates

Productivity Library

New guided deleted user workflow

Notifiable data breach report

New Azure AD roles

CIAOPS O365 online security course – use coupon code = PODCAST

View SharePoint external sharing setting

image

Many people don’t seem to appreciate that most SharePoint sites in Office 365 are configured for sharing outside the organisation by default. This is designed to allow external parties to more easily access common content.

This means that generally, by default, users of those SharePoint sites (which includes Microsoft Teams) are going to be able to share links to that information. You can obviously disable this if you want, but generally, by default, sharing is enabled.

An easy way to see what the sharing status of your sites is currently set to is to run the following PowerShell command after connecting to SharePoint Online:

get-sposite | Select-object url,sharingcapability

This will show you one of the following results for each site:

Disabled – external user sharing (share by email) and guest link sharing both disabled

ExternalUserSharingOnly – external user sharing (share by email) enabled, but guest link sharing disabled

ExistingExternalUserSharingOnly – (DEFAULT) Allow sharing only with external users that already exist in organisation’s directory

ExternalUserAndGuestSharing – external user sharing (share by email) and guest link sharing both enabled

You can then go and make any adjustments you need to.
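To turn that listing into something you can act on, the added example below (not part of the original post) summarises how many sites sit at each level and lists those more permissive than a baseline you choose. It assumes Connect-SPOService has already been run; the baseline, the CSV path, the permissiveness ordering in $rank and the commented site URL are illustrative assumptions.

```powershell
# Added example: review which sites allow more external sharing than a chosen baseline.
# Assumes Connect-SPOService has been run against the tenant admin URL.
# Nothing is changed unless you uncomment the Set-SPOSite line at the end.

$sites = Get-SPOSite -Limit All | Select-Object Url, SharingCapability

# How many sites sit at each sharing level
$sites | Group-Object SharingCapability | Sort-Object Count -Descending |
    Select-Object Name, Count

# Order the four values from least to most permissive (assumed ordering,
# based on the descriptions above).
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}
$baseline = 'ExistingExternalUserSharingOnly'   # assumed policy target

# Sites that allow more than the baseline, for manual review
$over = $sites |
    Where-Object { $rank["$($_.SharingCapability)"] -gt $rank[$baseline] } |
    Sort-Object Url

'{0} of {1} sites are more permissive than {2}' -f @($over).Count, @($sites).Count, $baseline
$over | Export-Csv -Path .\sharing-review.csv -NoTypeInformation
$over | Format-Table -AutoSize

# After review, tighten a single site (constructed URL):
# Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/marketing' -SharingCapability $baseline
```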

July Office 365 Webinar Resources

Slides from this month’s webinar are at:

https://www.slideshare.net/directorcia/july-2018-office-365-need-to-know-webinar

If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.