Alert Policy for Mail.IsThreat

%3CLINGO-SUB%20id%3D%22lingo-sub-2187824%22%20slang%3D%22en-US%22%3EAlert%20Policy%20for%20Mail.IsThreat%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2187824%22%20slang%3D%22en-US%22%3E%3CP%3EI%20want%20to%20be%20able%20to%20trigger%20an%20Alert%20Policy%20in%20the%20event%20of%20an%20inbound%20message%20being%20detected%20as%20a%20Mail%20Threat.%26nbsp%3BI%20have%20created%20an%20New-ProtectionAlert%20object%20with%20the%20following%20-filter%20parameter%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Filter%20%22(Mail.IsThreat%20-eq%201)%20-and%20(Mail.Direction%20-eq%20'Inbound')%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20inbound%20message%20will%20be%20passed%20to%20a%20custom%20connector%20I%20have%20written%2C%20which%20will%20perform%20some%20policy%20checks%20and%20then%20return%20the%20message%20to%20Office365.%20If%20the%20policy%20is%20violated%2C%20I%20would%20like%20to%20add%20a%20property%3F%20message%20header%3F%20something%20else%3F%20that%20will%20set%20the%20Mail.IsThreat%20property%20to%201%20and%20hence%20trigger%20the%20alert.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20struggling%20to%20see%20how%2Fwhere%20the%20Mail.IsThreat%20is%20defined%20or%20if%20it%20can%20be%20defined%20outside%20of%20the%20standard%20M365%20Threat%20Protection%20features%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2187824%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EChange%20Alerts%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDeveloper%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Visitor

I want to be able to trigger an Alert Policy in the event of an inbound message being detected as a Mail Threat. I have created an New-ProtectionAlert object with the following -filter parameter

 

-Filter "(Mail.IsThreat -eq 1) -and (Mail.Direction -eq 'Inbound')"

 

The inbound message will be passed to a custom connector I have written, which will perform some policy checks and then return the message to Office365. If the policy is violated, I would like to add a property? message header? something else? that will set the Mail.IsThreat property to 1 and hence trigger the alert.

 

I'm struggling to see how/where the Mail.IsThreat is defined or if it can be defined outside of the standard M365 Threat Protection features

0 Replies