Forum Discussion

JVa's avatar
JVa
Copper Contributor
Dec 02, 2024

Administrative activity from a non-corporate IP address

Hi,

Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies.

Event description is: Change sharing policy: OneDrive Site Collection <b>https://xxxx-my.sharepoint.com/personal/user_domain_fi</b>; Parameters: property <b>Share Using Anonymous Links</b> <b>True</b>, property <b>Share With Guests</b>, property <b>ShareUsingAnonymousLinks</b> <b>From False To True</b>, property <b>ShareUsingAnonymousLinks - New Value</b> <b>True</b>

Anonymous links are not allowed and when checking users onedrive site collection settings after alert it is still not allowed. Are these only false positives?  

Matched policy is Administrative activity from a non-corporate IP address

and Alert Product is Microsoft Defender for Cloud Apps

~ Jukka ~

 

No RepliesBe the first to reply

Resources