Forum Discussion
JVa
Dec 02, 2024Copper Contributor
Administrative activity from a non-corporate IP address
Hi,
Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies.
Event description is: Change sharing policy: OneDrive Site Collection <b>https://xxxx-my.sharepoint.com/personal/user_domain_fi</b>; Parameters: property <b>Share Using Anonymous Links</b> <b>True</b>, property <b>Share With Guests</b>, property <b>ShareUsingAnonymousLinks</b> <b>From False To True</b>, property <b>ShareUsingAnonymousLinks - New Value</b> <b>True</b>
Anonymous links are not allowed and when checking users onedrive site collection settings after alert it is still not allowed. Are these only false positives?
Matched policy is Administrative activity from a non-corporate IP address
and Alert Product is Microsoft Defender for Cloud Apps
~ Jukka ~
No RepliesBe the first to reply