Activity Policy for Sending email to personal Email address


I want to create a policy to generate an alert if anyone sends an email to the personal email address based on UPN suffix or Location.

 

Example: User location is United Kingdom, South Africa, and India, or UPN suffix is xyz.com, abc.com

 

I created the policy based on the Investigation Log search but the policy is getting triggered; however, I am able to see the correct output through the same investigation search.

 

GPD_MicWorld_0-1597939030517.png

 

Please suggest anything

  

3 Replies

@GPD_MicWorld 

 

Hi, so just to be clear - are you saying that the policy is not being triggered?

 

If so, how long ago did you create the policy?  It can be known for MCAS policies to take up to 24 hours to take effect.


@PeterRising Thanks for responding to the post. Yes, I would say it's not been triggered, or the filters I used to create the policy are not correct to trigger the policy to generate the alerts for the type of activity I am looking for. I guess it's already been more than 4 days since I created the policy.

 

 


@GPD_MicWorld 

 

OK, I'm trying this in my own tenant to see what results I get.  I'll let you know what I find out.