Forum Discussion
Create a Policy Alert for any Upload Seen to Gmail
Hi,
I would like to create a policy in MCAS so that any upload that is seen to Gmail immediately raises an alert.
We have Gmail tagged as Unsanctioned and blocked to all users but I can also see that some users still have access to this, so I wat to create a policy that can find any activity for this and alert me until the gap can be closed completely.
The one below is close (as well as the Unsanctioned tag on Gmail, I have also added the tag 'Gmail') however, I can find a way to create a policy that looks for any Upload to Gmail (I can't find a policy that has the App Tag option as well as the Activity Type option for Upload and then set my threshold) of any size that is seen in our estate. This should be a rare occurrence if at all, but I need to make sure that I have alerting in place should this ever happen and they weren't blocked by the Unsantioned app rule.
If this isn't possible in MCAS itself, does anyone have a KQL query for this that I can use in Advanced Hunting and create a rule from that to create alerts?
- Keith_FlemingMicrosoft
Brok3NSpear this is actually the expected behavior. When you look at discovery policies, these are regarding data coming from endpoints or appliances.
Activities are based on the data coming from app connectors.
In this case it sounds like what you would like to see is a way to get the audit activities from apps that aren't connected or that are just being accessed via the browser?
- Brok3NSpearBrass Contributor
Keith_Fleming wrote:Brok3NSpear this is actually the expected behavior. When you look at discovery policies, these are regarding data coming from endpoints or appliances.
Activities are based on the data coming from app connectors.
In this case it sounds like what you would like to see is a way to get the audit activities from apps that aren't connected or that are just being accessed via the browser?
Correct, is there an audit process available for this that I can use? I have been trying to find a way to do this via KQL, but no joy from my limited use of KQL.
Apologies for the late response as well.