SOLVED

Security & Compliance alerts not working


Hey All,

 

Stumbled across two problems with Security & Compliance alerts.

 

One is - I'm testing the alert for forwarding / a flow that forwards emails outside of the company - this seems to work with some big delay, and maybe that wouldn't be an issue, however it appeared that it only works for OWA-created rules - not for the ones created in Outlook. Is there a way to track such rules as well in this portal?

 

Second thing is I've created a rule that - in my understanding - should catch full access being set up on a mailbox - activity "Activity is AddMailboxPermission", but it seems it doesn't work. I've set up these permissions on one user mailbox and one shared one - and see nothing in the alerts. Am I doing this right?

 

While I was showing my colleague that it doesn't work, he added permissions to some mailbox and we saw this action in the alerts - so it seems that there is a bigger delay than I thought for these policies to become effective.

 

My other concern is how this flow search works, as of now I am not aware of any PS cmdlet giving me the exact mechanism of a flow, so I'm not sure how MS covered that - I mean whether it really works, as many things are pushed to prod and do not work as expected.

 

Disclaimer: I know how to track these in PowerShell - I wrote scripts already; however I would like to leverage the mechanisms and alerting provided by MS for O365 rather than use custom solutions. So far though, it seems I would need to have some runbooks, as I haven't found solutions for these.

 

Appreciate your help,

Pawel

 

1 Reply
Best Response confirmed by Pawel Jarosz (Occasional Contributor)
Solution

The alerts rely on events in the Unified audit log, which are nowhere near real-time. In other words, delays are expected. And yes, the "forwarding" alert only applies to specific types of forwarding; it doesn't cover all scenarios.
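The reply above explains the two limitations the question ran into: the alert policies are driven by Unified audit log events that arrive with a delay, and the forwarding alert only matches some of the ways mail can leave the tenant. The following script is an added example, not code from the thread or from Microsoft, showing the two checks a practitioner would run instead of waiting for the portal alert: a retroactive hunt over the audit log for rule, forwarding and Full Access events, including the `UpdateInboxRules` records that mailbox auditing writes for rules created from the Outlook desktop client, and a direct inventory of forwarding that is in place right now regardless of how it was created. It assumes the ExchangeOnlineManagement module, an account permitted to read the audit log, that mailbox auditing is on for the mailboxes of interest, and a placeholder list of internal domains; the property layout of `UpdateInboxRules` records (`OperationProperties`) is an assumption that should be checked against a real record from your tenant.

```powershell
# Added example (not from the original thread): hunt the Unified audit log and the live
# mailbox configuration for external forwarding and new Full Access grants.
# Assumptions: ExchangeOnlineManagement module installed, audit-log read rights,
# mailbox auditing enabled, and the domain list / lookback window below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # assumed tenant domains
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date

# Returns $true if any target contains an SMTP address outside the internal domains.
# Targets arrive in several shapes: "user@domain", "smtp:user@domain",
# "Name <user@domain>" or "\"Name\" [SMTP:user@domain]" (Get-InboxRule output).
function Test-External {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        if (-not $t) { continue }
        if ($t -match '([^\s<>:"\[\]]+@([^\s<>"\[\]]+))') {
            if ($InternalDomains -notcontains $Matches[2].ToLower()) { return $true }
        }
    }
    return $false
}

# 1. Audit-log side: the same events the alert policies consume. Events can take hours
#    to land, so hunt over a window rather than expecting near-real-time alerts.
$Ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission'
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Ops -ResultSize 5000

$AuditFindings = foreach ($r in $Records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Cmdlet records carry Parameters (Name/Value pairs); mailbox-audit records for Outlook
    # desktop rule edits (UpdateInboxRules) carry OperationProperties (assumed layout).
    $props = @()
    if ($d.Parameters)          { $props += $d.Parameters }
    if ($d.OperationProperties) { $props += $d.OperationProperties }
    $detail = ($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    $hit = $false

    switch -Regex ($r.Operations) {
        '^(New|Set)-InboxRule$|^UpdateInboxRules$' {
            $targets = $props | Where-Object { $_.Name -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|RuleActions' } |
                       ForEach-Object Value
            $hit = Test-External -Targets $targets
        }
        '^Set-Mailbox$' {
            $targets = $props | Where-Object { $_.Name -match 'ForwardingSmtpAddress' } | ForEach-Object Value
            $hit = Test-External -Targets $targets
        }
        '^Add-MailboxPermission$' {
            $rights = ($props | Where-Object { $_.Name -eq 'AccessRights' }).Value
            $hit = ("$rights" -match 'FullAccess')
        }
    }
    if ($hit) {
        [pscustomobject]@{ When = $r.CreationDate; Actor = $r.UserIds; Op = $r.Operations; Detail = $detail }
    }
}

# 2. Configuration side: what is actually in place now, whether or not an alert ever fired.
#    Get-InboxRule per mailbox is slow on large tenants; scope the mailbox list as needed.
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$LiveFindings = foreach ($mb in $Mailboxes) {
    if ((Test-External -Targets @($mb.ForwardingSmtpAddress)) -or $mb.ForwardingAddress) {
        # ForwardingAddress is a tenant recipient (possibly a mail contact pointing externally),
        # so it is listed for review rather than classified by domain.
        [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Kind = 'MailboxForwarding'
            Detail = "Smtp=$($mb.ForwardingSmtpAddress) Recipient=$($mb.ForwardingAddress) KeepCopy=$($mb.DeliverToMailboxAndForward)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-External -Targets $targets) {
            [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Kind = 'InboxRule'
                Detail = "$($rule.Name): $($targets -join ', ') Delete=$($rule.DeleteMessage)" }
        }
    }
}

$AuditFindings | Sort-Object When | Format-Table -AutoSize
$LiveFindings  | Format-Table -AutoSize
```

`Search-UnifiedAuditLog` returns at most 5000 records per call; for busy tenants page with `-SessionCommand ReturnLargeSet` and a `-SessionId`, or narrow the window. The second half is the check that actually answers "is anything forwarding out right now": it does not depend on the audit pipeline at all, so it is the one to schedule as a runbook while the alert policies are left to catch what they can.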