Setup Alert when user creates a new inbox rule

Deleted
Not applicable

Hi,

 

I am looking for an way to setup a new Office 365 Alert that would send me an email when a user creates a new inbox rule.  I have looked at tech articles and have created them via manage alerts, but they don't seem to be working as I never get the email notification.

20 Replies
Do you receive any alert mails from other triggers?

I only have one other trigger that sends me an email when a user forwards their email to an outside email address. That one is working..(Email Alert 1.jpg)  But it seems they are configured in different area's of the office 365 admin. Please see my screenshots.

It should be through alert policy’s in the security and compliance center!

Adam

Thanks according to one of my users audit settings via PowerShell auditing is enabled.

 

PS C:\Users\User> Get-Mailbox "User"| FL Audit*


AuditEnabled : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditDelegate : {Update, MoveToDeletedItems, SoftDelete, HardDelete...}
AuditOwner : {UpdateFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation}

 

However I do not receive the email notification when an Inbox rules is updated, created or deleted for this user or any other user right now.

You should have such alert created by default, look for it in the SCC under Alert policies: https://protection.office.com/#/alertpolicies

SCCInboxRuleAlert.png

That rule (alerting me when someone forwards their email) I created (I had to do it manually) and it is working.  However a rule for creating or modifying Inbox Rules is not available from that screen when creating a new Alert.  Please see my posts above with the attachments.  Thanks.

Question, I have an alert setup that notify's me when a user logs in, and those are working although they seems to be delayed by several hours.  Just thinking, maybe it has to do with my Office 365 plan?  We are on Business Premium, or do I need an E3?  And can I buy one E3 license  just for me and then have that alert available?

Alerts are not real-time, changing the SKU wont help you with that. It will help you with the missing "templates" though, as some of those are targeted to the premium SKUs.

Just wanted to close the loop on this post.  My alerts are working all the sudden.  I do wish they were in real time however.

@Deleted Did you find a solution to the problem?   

 

We had a user whose password and account were compromised (we've enabled mandatory 2FA since!)  The attacker created an mailbox rule that deleted messages from the user's sent mail when the message contained certain words.  The attacker then sent email messages containing those words. 

 

I would like to know how to be alerted when a user creats any new mailbox rule, regardless of whether the message is forwarded to a different account.  

 

Do you know @VasilMichev or @adam deltinger ?

@adam deltinger Really appreciate the quick response.  Thanks.

 

So I see a rule for "Create mail forward/redirect rule" as an activity option, but I'm looking for a broader category: I want to know about any mail rule.

 

Hmm! Not sure about this! Have to looking deeper into this! @VasilMichev might know

@wrtrer  Yes I did.  I don't know how to navigate to the one alerts page.  But here is the link where you can setup a notification for an inbox fwd rule.   Its not realtime however.  Sometime I get the, 2-20 minutes after as rule is created.

 

https://protection.office.com/managealerts

 

 

@Deleted  There was a menu in Security Center under Alerts section - that menu was "Manage Advanced Alerts" but it's no longer there 

1.JPG

but you can still access it if you go directly to https://protection.office.com/managealerts. That's where you can create an alert you need. Click on "New Alert Policy". When creating an alert there for activity search for "New-InboxRule", you will find it there - see pictures from my setup.

2.JPG

 

 

Thanks much for the response, @WayneK ... I never got an alert when I set it up for myself.... do I need to list users individually?

 

My Rule ConfigurationMy Rule Configuration

@wrtrer not too sure but in your example you have three activities in your alert. I wonder if that makes them "And" and not "Or". Thus all three conditions have to be met to trigger the alert. 
Try to create three custom alerts - one for each of those "activities". Then log in to your own webmail, change or create a new inbox rule and see if you get the alert. I did it without putting individual users - I did it for all users but listed individual users to receive the alerts and alerts were going to all the admins that I entered. 

How were the test rules created? If the rules were created on the Outlook desktop client, the alerts won't be triggered. The alert is designed to monitor rules created in OWA.
Acitivty alerts are now accessed via https://security.microsoft.com/managealerts 
(Security/Microsoft Defender Admin Centre > Email & collaboration > Policies & rules > Activity Alerts)
Activitiy triggers include:
New-InboxRule Create inbox rule from Outlook Web App
Set-InboxRule Modify inbox rule from Outlook Web App
Update inbox rules from Outlook Client