Create Office 365 Activity Alerts using PowerShell

In a previous article:

I detailed how to create Office 365 Activity alerts using the browser. I will point out how important it is to have appropriate alerts set for your tenant, especially when you generally don’t get many configured . your tenant by default.

Of course doing administration tasks via a browser is the slow way to get things done. A much better approach is to use PowerShell and let the script do the heavy lifting.

The first step in this process is to take a look at the following article:

Search the audit log in the Office 365 Security and Compliance center

and locate the heading – Auditing activities which contains a list of the actions that will trigger an alert. There are plenty of things here so pick those that make the most sense and remember that lots and lots of alerts generally doesn’t improve security, it simply creates information overload.

The alert I’ll chose to illustrate is FileMalwareDetected.

Next step is connect to the Office 365 Security and Compliance Center with PowerShell. I’m not going to show you how to do that here as it is easily located elsewhere like here:

Connect to Office 365 Security & Compliance Center PowerShell

With that done, you can now execute the actual commands to configure activity alerts with PowerShell.

$fileandpagepolicyparams = @{
“Name” = “File and Page Alert”;
“operation” = “Filemalwaredetected”;
“notifyuser” = $notifyusers;
“userid” = $userids;
“Description” = “SharePoint anti-virus engine detects malware in a file.”;
}

$result=New-ActivityAlert @fileandpagepolicyparams

Basically, what I’m doing here is creating an array called $fileandpagepolicyparams that contains all the options required for the command that will set the alert. Doing it this way makes it easier to what’s going on and make any additions if needed in my opinion.

The New-ActivityAlert command takes all those array parameters as inputs when an alert is now created.

The $notifyusers are the users you want to receive emails when alerts occurs. The $userids are the users you wish to trigger alerts. If you leave $userids empty it will apply the alert to all users in the tenant.

You can see the result above once that command is run.

Now the idea is to build a script that configures all the activity alerts you desire and then apply them to a tenant.

As you can see above, I generally create about a dozen or so alert policies this way that monitor for a range of activities I believe should have alerts configured for. However, you need to decide what makes sense for you.

Now be very, very careful when you configure activity alerts via PowerShell. Ensure you get all the parameters 100% correct and you check the alert policies in the web interface when you are testing your script, because errors in the script don’t get reported and you end configuring an activity alert that does nothing all because you got a parameter wrong!

Enabling Office 365 mailbox auditing

You may not be aware that by default Office 365 mailbox auditing isn’t turned on. Don’t believe me? Well check out this article, especially the first paragraph:

Enable mailbox auditing in Office 365

which says:

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn’t turned on. That means mailbox auditing events won’t appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

If you want to check your own tenant then connect to Exchange Online with PowerShell and run this command:

get-mailbox | select userprincipalname,auditenabled

You’ll probably see that all the mailboxes don’t have auditing enabled.

To enable auditing, simply run this command:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true

and then run the first command again to verify it is now enabled for all mailboxes.

You also need to appreciate that out of the box, not all items are audited and you may need to adjust these options, also using PowerShell. The options you can audit for are:

Mailbox auditing actions

I’ll cover how to set these in an upcoming article.

Configuring an Office 365 SPAM filtering policy with PowerShell

I recently wrote an article that shows you how to configure the spam policy in Office 365 using the web interface. If you missed that you can find it here:

Configuring an Office 365 SPAM filtering policy

Doing this multiple times via the web interface is a lot of work. A better approach is to use PowerShell. So once, how have connected to Exchange Online PowerShell, run these two commands:

$policyparams = @{
“name” = “Configured Policy”;
‘Bulkspamaction’ = ‘movetojmf’;
‘bulkthreshold’ = ‘7’;
‘highconfidencespamaction’ = ‘movetojmf’;
‘inlinesafetytipsenabled’ = $true;
‘markasspambulkmail’ = ‘on’;
‘increasescorewithimagelinks’ = ‘off’
‘increasescorewithnumericips’ = ‘on’
‘increasescorewithredirecttootherport’ = ‘on’
‘increasescorewithbizorinfourls’ = ‘on’;
‘markasspamemptymessages’ =’on’;
‘markasspamjavascriptinhtml’ = ‘on’;
‘markasspamframesinhtml’ = ‘on’;
‘markasspamobjecttagsinhtml’ = ‘on’;
‘markasspamembedtagsinhtml’ =’on’;
‘markasspamformtagsinhtml’ = ‘on’;
‘markasspamwebbugsinhtml’ = ‘on’;
‘markasspamsensitivewordlist’ = ‘on’;
‘markasspamspfrecordhardfail’ = ‘on’;
‘markasspamfromaddressauthfail’ = ‘on’;
‘markasspamndrbackscatter’ = ‘on’;
‘phishspamaction’ = ‘movetojmf’;
‘spamaction’ = ‘movetojmf’;
‘zapenabled’ = $true
}

new-hostedcontentfilterpolicy @policyparams

The first basically sets up an array of all the parameters you are going to see into the spam policy. It makes it easier to adjust if you need to.

The second command creates a new policy based off this array that will be called ‘Configured Policy’.

However, after running these two commands you aren’t quite done yet because you have created the policy BUT you actually need to create a rule that uses this policy to do that use the following:

$ruleparams = @{
‘name’ = ‘Configured Recipients’;
‘hostedcontentfilterpolicy’ = ‘Configured Policy’;
## this needs to match the above policy name
‘recipientdomainis’ = ‘domain.com’;
## this needs to match the domains you wish to protect in your tenant
‘Enabled’ = $true
}

New-hostedcontentfilterrule @ruleparams

You’ll need to ensure the policy names match as noted and you include the domains you wish to protect.

Once this has been completed, if you go and look in your Exchange Admin area, under protection and spam filter, you should see a new policy called ‘Configured Recipients’ that was created by the above script commands.

Save the script away and run it as many times as you need. That should make life easier!

Using Microsoft 365 to secure information

Focusing on security with Microsoft 365 Business from Robert Crane

Here’s a presentation I did recently on security using Microsoft 365 Business. You can download the slides here:

https://www.slideshare.net/directorcia/focusing-on-security-with-microsoft-365-business

Configuring an Office 365 SPAM filtering policy

A common complaint I hear about Office 365 from IT Professionals is that it doesn’t filter spam as well as other third party solutions. My immediate question at that point is always “Well, have you actually gone in and configured ANY of the spam settings in Office 365 to improve your results?” to which the answer is always No. Thus, if you don’t take the time to customise what you get out of the box you’ll only get an out of the box solution which is probably not what you want! Thus, some configuration is required for EVERY Office 365 tenant to improve its spam filtering abilities.

The out of the box spam settings for Office 365 are not configured in an aggressive manner and you should go in and make changes from the defaults I would suggest. Here’s how to do that.

You’ll firstly need to login to the Office 365 portal as an administrator with rights to make changes. You’ll need to then navigate to the Office 365 Admin Center and select from the Admin centers on menu on the left hand side. You’ll find the Admin centers option right at the bottom.

From the list of options that now appear select Exchange as shown above.

This will take you to the Exchange Admin center as shown above. In here select the protection option on the left and then spam filter on the right.

You will then typically see a single policy called Default.

With this default policy selected, press the edit button (pencil) from the menu to view what settings this default policy has.

Select the different menu options on the left to view all the settings. Most you will see, like in the advanced settings shown above, are set to off.

You can of course edit this default policy, however it is better practice to go back to the list of policies and create a new one and leave the default one in place.

When you create a new policy using the plus button (+) a new dialog will appear like show above.

Give the new policy a name and now scroll through the settings to configure them for your needs.

When you reach the advanced options towards the bottom you’ll see a number of options that can set on or off. The crowd sourced results I obtained for these were:

Image links to remote sites = OFF

Numeric IP addresses = ON

URL redirect to other port = ON

URL to .biz or .info websites = ON

Empty messages = ON

Javascript or VBScript in HTML = ON

Frame or iFrame tags in HTML = ON

Object tags in HTML = ON

Embed tags in HTML = ON

Form tags in HTML = ON

Web bugs in HTML = ON

Apply sensitive word list = ON

SPF record hard fail = ON

Conditional sender ID hard fail = ON

NDR backscatter = ON

You can then set whether the policy will simply run in test mode if you wish.

The final option is to determine where this policy will apply. Normally you want this across all your domains and users but as you see, you can have different policies for different users and domains if you wish.

All you now need to do is save the policy and start monitoring the results.

Hopefully, you can now see that out of the box Office 365 does take a very relaxed approached to spam which is not uncommon for most spam protection products. You can, and should, of course go in and configure the available options to be more restrictive. When you do this you will of course get much better results.

This post showed you how to make spam filter setting via the web interface, a much better and more consistent approach across many tenants is to do this using PowerShell. Look out for an upcoming article on this.

SPAM filtering in Office 365–Best practice results

Recently, I asked people to vote on the settings in Office 365 Spam protection they believe should be made active to improve protection. That survey will continue to run and you can add your voice here:

http://bit.ly/o365spam

However, with just over 30 votes as I write this I think we can draw some indications of what the best practice options are going to be.

So let’s start with the ones that should be definitely turned on based on a majority of votes for that condition:

URL direction to another port = ON

Backscatter = ON

SPF Hard fail = ON

Scripts in HTML = ON

Numeric IP addresses in URL = ON

Apply sensitive words list = ON

Empty Messages = ON

Web Bugs = ON

Condition Sender hard fail = ON

Form Tags in HTML = ON

Frame or iFrame tags in HTML = ON

Embed Tags in HTML = ON

Next, the one’s that should be off are:

Image links in Remote Site = OFF

Lastly, border line results that you probably want to set on if you want aggressive anti spam or off if you want relaxed.

Object tags in HTML = ?

URL to .INFO or .BIZ sites = ?

I’ll leave the survey running and you can check the results at any time in the future here.

In upcoming post I’ll show you how to set these options inside Office 365. However, thanks to the wisdom of the crowd (thanks to all who voted) we have an idea of what the settings should be.

SPAM filtering Office 365–Help shape a best practice

I hear a lot of people say that they don’t find Office 365 anti-spam filtering as good as other providers. My reply to that is – “Have you ever actually gone in and configured the settings from what is there by default?”. Unsurprisingly, the answer is always No.

The out of the box spam settings you get with Office 365 are designed for the “average” and probably configured for the least business interruption (i.e. less aggressive classification of what is spam). Thus, to get the optimal level of filtering you desire, it is recommended that you go and set the options the way that you want.

I have configured my tenant for the way I wish to handle spam but that is probably not exactly the best place for people to start. So with that in mind I thought that I’d call on the power of the crowd and offer up a survey were people can nominate what they consider to be major indicators of spam, based on the policy options that Microsoft provide. You’ll find that survey here:

http://bit.ly/o365spam

which I encourage you to fill out and share with everyone else.

The idea is that once the results are in I report back on an overall “best practices” starting policy that the majority would feel comfortable with. I can then also show you how to exactly configure that in Office 365.

So please take a moment to complete the survey and share you expertise and thought on the ‘best practice’ approach of configure anti-spam policies in Office 365.

You can find the details on the specific advanced spam filtering options in Office 365 here:

http://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

Searching the Office 365 activity log for failed logins

Inside the Office 365 Security & Compliance center, under the Search & investigation menu option on the left you’ll find Audit log search as shown above.

To run a search simply provide a start and end date and select the Search button at the bottom of the screen. You can refine your search by selecting a list of different activities if you want but here we’ll leave the option set to Show results for all activities.

Once the search results are returned you’ll see lots and lots of items as shown above.

If you now select the Filter results button in the top right, each column will now display a box at the top that you can enter text into.

You can now go into the column headers and enter further filtering information. Here I have added the text ‘fail’ to the Activity column as shown. This produces two results for failed user logins.

Adding a filter now only shows the matches on the page.

You can also export the data into CSV file by selecting the Export results button next to the filter button.

You can either download everything in the audit logs (Download all results) or just your search query (Save loaded results). Here I have select the Save loaded results option.

This will then download a CSV file that you can open in Excel and will look like the above.

To make these easier to read you should convert the out to a table from the Insert tab and then select the Table icon.

Now that you have a table go to the top row of the Operations column and select the arrow to the right of this as shown. This will display the above menu. Uncheck the Select all option at the top of the list in the lower portion of the displayed dialog box.

Scroll down this same list and locate the UserLoginFailed option and select it.

This will now basically filter the whole tables of entries to only display those that have a match is UserLoginFailed in the operations column.

Which is exactly the result that you see obtained above and the same results we received from the console.

Thus, you can search the audit logs inside Office 365 directly from the portal but you can also export them to Excel to gain more power over how you wish to manipulate and report these events.