SOLVED

Security & Compliance alerts not working

Occasional Contributor

Hey All,

Stumbled across two problems with Security & Compliance alerts.

One is - I'm testing alert for forwarding / flow that forwards emails outside of the company - this seems to work with some big delay, and maybe it wouldn't be an issue however appeared that it only works for OWA created rules - not by the ones created in Outlook - is there a way to track such rules as well in this portal?

Second thing is I've created rule that - in my understanding - set up a full access on a mailbox - activity "Activity is AddMailboxPermission", but seems it doesn't work, I've set up these permissions on one user mailbox and one shared - and see nothing in the alerts, am I doing this well?

While I was showing my colleague that it doesn't work, he added permissions to some mailbox and we've seen this action in alerts - so it seems that there is a bigger delay than I thought for these policies to become effective.

My other concern is how this flow search works, as of now I am not aware of any PS cmdlet giving me the exact mechanism of a flow, so I'm not sure how MS covered that - I mean whether it really works, as many things are shipped to prod and do not work as expected.

Disclaimer: I know how to track these in PowerShell - I wrote scripts already, however I would like to leverage the mechanisms and alerting provided by MS for O365 rather than using custom solutions. However, so far it seems I would need to have some runbooks, as I haven't found solutions for these.

Appreciate your help,

Pawel

1 Reply
Best Response confirmed by Pawel Jarosz (Occasional Contributor)
Solution

The alerts rely on events in the Unified audit log, which are nowhere near being real-time. In other words delays are expected. And yes, the "forwarding" alert only applies to specific types of forwarding, it doesn't cover all scenarios.
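As an added example (not part of the original thread), the following PowerShell pulls from the Unified Audit Log the same events the alert policies are built on, so you can confirm an event was actually recorded before waiting on the alert. It assumes a connected Exchange Online PowerShell session with unified audit logging enabled; `contoso.com` is a placeholder for your accepted domains.

```powershell
# Added example: query the Unified Audit Log for the two activities discussed in the thread.
# Assumes Connect-ExchangeOnline has already been run and unified audit logging is enabled.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
# Cmdlet-style operations carry their parameters in AuditData; UpdateInboxRules is the
# mailbox-audit action written when rules are changed from the Outlook desktop client.
$ops = 'Add-MailboxPermission', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'UpdateInboxRules'
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

# Constructed placeholder; in a real tenant use (Get-AcceptedDomain).DomainName instead.
$internalDomains = @('contoso.com')

function Get-ExternalAddresses([string[]]$values) {
    # Extract SMTP addresses from parameter values (e.g. "smtp:bob@example.org") and keep
    # only those whose domain is not one of ours.
    $found = foreach ($v in $values) {
        if ($v) { [regex]::Matches($v, '[\w.+-]+@[\w.-]+\.\w+') | ForEach-Object { $_.Value } }
    }
    $found | Where-Object { $internalDomains -notcontains ($_ -split '@')[-1].ToLower() } | Sort-Object -Unique
}

$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $p = @{}
    # Parameters is a Name/Value array for cmdlet operations and absent for UpdateInboxRules.
    foreach ($kv in @($d.Parameters)) { if ($kv) { $p[$kv.Name] = $kv.Value } }
    $note = switch ($d.Operation) {
        'Add-MailboxPermission' {
            if ("$($p['AccessRights'])" -match 'FullAccess') { "FullAccess granted to $($p['User'])" }
        }
        'UpdateInboxRules' { 'Inbox rules changed from Outlook client; review with Get-InboxRule' }
        default {
            $ext = Get-ExternalAddresses @($p['ForwardTo'], $p['ForwardAsAttachmentTo'], $p['RedirectTo'],
                                          $p['ForwardingSmtpAddress'], $p['ForwardingAddress'])
            if ($ext) { "Forwarding to external address: $($ext -join ', ')" }
        }
    }
    if ($note) {
        [pscustomobject]@{ Time = $d.CreationTime; Operation = $d.Operation; Actor = $d.UserId
                           Mailbox = $d.ObjectId; Finding = $note }
    }
}
$findings | Sort-Object Time | Format-Table -AutoSize
```

If an event shows up here but no alert fires within the documented alert window, the policy itself is the problem; if it is missing here too, the audit record has not been ingested yet, which matches the latency described above.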