Forum Discussion
Activity policies require conditional access
Hi siastolf, activity policies should trigger anytime the conditions are met; it does not require proxy. Some activities may only be relevant for proxy, so it can be helpful to double-check the filters that were configured.
You can also do something similar with advanced hunting and custom detections on the CloudAppEvents table.
- siastolf, Sep 18, 2023, MCT
Hi Keith_Fleming, thank you. I'm using a very simple policy; I took the existing template about the mass download by a single user:
I basically removed any filter and limited the download to "2" in order to make it very simple to trigger the alert.
I tried also with different options.
So it must be triggered anytime a user downloads two files in less than one minute.
The M365 connector works fine (it's green and I see other information coming from the connector).
- Keith_Fleming, Sep 18, 2023, Microsoft
siastolf, got it. Yes, with that I would expect it to trigger if there are 2 download activities within 1 minute. If you're not seeing this, I would recommend opening a ticket so we can investigate it.
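
The advanced hunting approach mentioned in the first reply, sketched as an added example that is not part of the original thread or Microsoft's own query: it looks in CloudAppEvents for accounts with 2 or more file downloads in the same one-minute window. The `FileDownloaded` action type, the one-day lookback and the threshold of 2 are assumptions chosen to mirror the test policy described above.

```kusto
// Added example (not from the thread): approximate the "mass download by a
// single user" test policy with an advanced hunting query.
// Assumptions: downloads appear with ActionType "FileDownloaded";
// threshold and lookback mirror the test described in the thread.
let lookback = 1d;
let threshold = 2;
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileDownloaded"
// Tumbling one-minute windows per account and app. Two downloads that
// straddle a window boundary are counted separately, so this is slightly
// stricter than a true sliding "within 1 minute" check.
| summarize
    DownloadCount = count(),
    Files = make_set(ObjectName, 50),
    // Keep the latest event's Timestamp and ReportId so the result can be
    // saved as a custom detection rule, which needs both columns.
    arg_max(Timestamp, ReportId)
    by AccountObjectId, AccountDisplayName, Application, Window = bin(Timestamp, 1m)
| where DownloadCount >= threshold
| order by Timestamp desc
```

Running the query without the final `where` right after a test download also shows whether the download events reach the table at all, which separates a connector or ingestion gap from a policy that is not matching.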