Forum Discussion
"Unusual volume of file deletion" Policy and Thumbs.db
- Aug 21, 2019
VasilMichev, I noticed the same issue when I created a condition to rule out the user "NT AUTHORITY\SYSTEM" when granting mailbox permissions. It too shows as an equal while I have "User is None of These". Weird.
Thanks for catching the syntax. I changed it to filename instead of extension. Will see if that works now.
Microsoft seems to have abandoned these rules. I reported over a year ago that certain criteria should not get flagged. For example, the granting of permissions. I do not know what exactly is setting off the alert, but every week, I get at least one that "NT AUTHORITY\SYSTEM" has added permissions to a mailbox. This has been going on since they enabled alerts, and yet to this day, I still get the alert. I am hoping that after adding the "None of These" to the alert, it will stop. I still want to know when someone grants permissions, as that can be a sign of a hacker.
Looks like a display issue. But not sure the rule will work, as it's expecting a file *extension*, not the full file name.