Comments (7)

gdasher commented on May 24, 2024

Thanks for the bug report. In order to make this a bit more actionable for us, would you be willing to provide some information about your configuration (e.g. it's a test tenant)? It's hard to debug this particular issue without this information, but we understand that sometimes there is some sensitive information that isn't appropriate to share publicly. In particular, two things would help:

  1. a picture of the relevant report output for the controls that are not behaving as expected

  2. snippets of the "ProviderSettingsExport.json" corresponding to these policies. I've included the information below that the policies are based on. If you are comfortable sharing bits of your config, you'll want to make sure you redact anything from the JSON you consider sensitive.

Note that the Defender policies require custom rulesets configured in a specific way and applying to all domains, as we erred on the side of a more conservative policy here than the defaults.

Bits of "ProviderSettingsExport.json"

Defender 2.7

"ProviderSettingsExport.json"

"safe_links_policies" and "safe_links_rules"

Defender 2.8

"safe_attachment_policies" and "safe_attachment_rules"

Defender 2.9

"protection_alerts"

SharePoint 2.5

The value of "DenyAddAndCustomizePages" under "spo_site"

from scubagear.
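One way to prepare the snippets requested above, as an added example (not ScubaGear code and not part of the original comment): it keeps only the named sections of a ProviderSettingsExport.json-style document and replaces tenant domains and GUIDs with stable aliases, so policy-to-rule references still line up after redaction. The top-level placement of the keys, the `BLANK_KEYS` list, the alias formats and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Export keys named in the comment above, per baseline control.
SECTIONS = {
    "Defender 2.7": ["safe_links_policies", "safe_links_rules"],
    "Defender 2.8": ["safe_attachment_policies", "safe_attachment_rules"],
    "Defender 2.9": ["protection_alerts"],
}
# Assumption: fields that only carry forest/server/session identifiers and can
# be blanked without hiding the policy settings themselves.
BLANK_KEYS = {"DistinguishedName", "ObjectCategory", "OrganizationId",
              "OriginatingServer", "RunspaceId"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
MISSING = "<missing from export>"


class Redactor:
    """Replaces tenant domains and GUIDs with stable aliases."""

    def __init__(self, tenant_domains):
        self.domain_alias = {d.lower(): f"tenant{i}.example"
                             for i, d in enumerate(tenant_domains, 1)}
        # Longest first so "example.com.au" is not cut short by "example.com".
        ordered = sorted(self.domain_alias, key=len, reverse=True)
        self.domain_re = (re.compile("|".join(map(re.escape, ordered)), re.I)
                          if ordered else None)
        self.guid_alias = {}

    def _guid(self, match):
        # The same GUID always maps to the same alias, so "Guid",
        # "ImmutableId" and similar cross-references stay consistent.
        key = match.group(0).lower()
        if key not in self.guid_alias:
            self.guid_alias[key] = f"GUID-{len(self.guid_alias) + 1:04d}"
        return self.guid_alias[key]

    def text(self, value):
        value = GUID_RE.sub(self._guid, value)
        if self.domain_re:
            value = self.domain_re.sub(
                lambda m: self.domain_alias[m.group(0).lower()], value)
        return value

    def walk(self, node):
        if isinstance(node, dict):
            return {k: "[redacted]" if k in BLANK_KEYS else self.walk(v)
                    for k, v in node.items()}
        if isinstance(node, list):
            return [self.walk(v) for v in node]
        return self.text(node) if isinstance(node, str) else node


def build_snippet(export, tenant_domains):
    """Return only the requested sections, redacted for public sharing."""
    red = Redactor(tenant_domains)
    out = {}
    for keys in SECTIONS.values():
        for key in keys:
            # An absent section is itself useful debugging information.
            out[key] = red.walk(export[key]) if key in export else MISSING
    # SharePoint 2.5: only the one value is requested, nothing else from spo_site.
    spo = export.get("spo_site")
    if isinstance(spo, dict):
        out["spo_site"] = {
            "DenyAddAndCustomizePages": spo.get("DenyAddAndCustomizePages", MISSING)}
    else:
        out["spo_site"] = MISSING
    return out


def find_leaks(document, tenant_domains):
    """List tenant domains and raw GUIDs still present in the document."""
    blob = json.dumps(document).lower()
    return [d for d in tenant_domains if d.lower() in blob] + GUID_RE.findall(blob)


# Constructed sample input; none of these values come from a real tenant.
TENANT_DOMAINS = ["fabrikam.onmicrosoft.com", "mail.fabrikam.com",
                  "fabrikam.com", "fabrikam.sharepoint.com"]
SAMPLE_EXPORT = {
    "safe_links_policies": [{
        "Name": "Recommended safe links policy",
        "AllowClickThrough": False,
        "Guid": "11111111-2222-3333-4444-555555555555",
        "ExchangeObjectId": "11111111-2222-3333-4444-555555555555",
        "OrganizationalUnitRoot": "fabrikam.onmicrosoft.com",
        "OriginatingServer": "SRV01.FOREST01.PROD.OUTLOOK.COM",
    }],
    "safe_links_rules": [{
        "SafeLinksPolicy": "Recommended safe links policy",
        "State": "Enabled",
        "RecipientDomainIs": ["fabrikam.com", "fabrikam.onmicrosoft.com",
                              "mail.fabrikam.com"],
        "Guid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    }],
    "safe_attachment_policies": [],
    "safe_attachment_rules": [],
    # "protection_alerts" is deliberately absent from this sample.
    "spo_site": {"DenyAddAndCustomizePages": 2,  # constructed value
                 "Url": "https://fabrikam.sharepoint.com"},
    "unrelated_section": {"note": "never copied into the snippet"},
}

if __name__ == "__main__":
    snippet = build_snippet(SAMPLE_EXPORT, TENANT_DOMAINS)
    print(json.dumps(snippet, indent=2))
    print("leaks:", find_leaks(snippet, TENANT_DOMAINS))
```

Running `find_leaks` on the redacted output before posting catches any tenant domain or GUID that slipped through, for example inside a free-text field.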

tylermontneyacc commented on May 24, 2024

Also, where can I ask general questions about the report? Specifically, pertaining to the CISA guideline.

Screenshots

mstsc_waLLyegjlh
mstsc_zPjo2B7K2E

Snippets

Defender 2.7

"safe_links_policies": [
    {
        "EnableSafeLinksForEmail": true,
        "EnableSafeLinksForTeams": true,
        "EnableSafeLinksForOffice": true,
        "TrackClicks": true,
        "AllowClickThrough": false,
        "ScanUrls": true,
        "EnableForInternalSenders": true,
        "DeliverMessageAfterScan": true,
        "DisableUrlRewrite": false,
        "DoNotRewriteUrls": [],
        "AdminDisplayName": "",
        "CustomNotificationText": "",
        "LocalizedNotificationTextList": [],
        "EnableOrganizationBranding": false,
        "RecommendedPolicyType": "Standard",
        "IsBuiltInProtection": false,
        "Identity": "Standard Preset Security Policy1658242520038",
        "Id": "Standard Preset Security Policy1658242520038",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Standard Preset Security Policy1658242520038",
        "DistinguishedName": "CN=Standard Preset Security Policy1658242520038,CN=Safe Links,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "ObjectCategory": "ABCDE123456.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Smart-Links-Protection-Config",
        "ObjectClass": [
            "top",
            "msExchSmartLinksProtectionConfig"
        ],
        "WhenChanged": "/Date(1658242542000)/",
        "WhenCreated": "/Date(1658242520000)/",
        "WhenChangedUTC": "/Date(1658242542000)/",
        "WhenCreatedUTC": "/Date(1658242520000)/",
        "ExchangeObjectId": "9d6f886c-54d1-497f-8520-bd56d6dcd38e",
        "OrganizationalUnitRoot": "contoso.onmicrosoft.com",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Guid": "9d6f886c-54d1-497f-8520-bd56d6dcd38e",
        "OriginatingServer": "FFFFFF000000.ABCDE123456.PROD.OUTLOOK.COM",
        "ObjectState": "Unchanged"
    },
    {
        "EnableSafeLinksForEmail": true,
        "EnableSafeLinksForTeams": true,
        "EnableSafeLinksForOffice": true,
        "TrackClicks": true,
        "AllowClickThrough": true,
        "ScanUrls": true,
        "EnableForInternalSenders": false,
        "DeliverMessageAfterScan": true,
        "DisableUrlRewrite": true,
        "DoNotRewriteUrls": [],
        "AdminDisplayName": "",
        "CustomNotificationText": "",
        "LocalizedNotificationTextList": [],
        "EnableOrganizationBranding": false,
        "RecommendedPolicyType": "Custom",
        "IsBuiltInProtection": true,
        "Identity": "Built-In Protection Policy",
        "Id": "Built-In Protection Policy",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Built-In Protection Policy",
        "DistinguishedName": "CN=Built-In Protection Policy,CN=Safe Links,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "ObjectCategory": "ABCDE123456.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Smart-Links-Protection-Config",
        "ObjectClass": [
            "top",
            "msExchSmartLinksProtectionConfig"
        ],
        "WhenChanged": "/Date(1659683944000)/",
        "WhenCreated": "/Date(1643182959000)/",
        "WhenChangedUTC": "/Date(1659683944000)/",
        "WhenCreatedUTC": "/Date(1643182959000)/",
        "ExchangeObjectId": "4e2f45fe-aa4d-4822-bacf-1ac67a0c5431",
        "OrganizationalUnitRoot": "contoso.onmicrosoft.com",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Guid": "4e2f45fe-aa4d-4822-bacf-1ac67a0c5431",
        "OriginatingServer": "FFFFFF000000.ABCDE123456.PROD.OUTLOOK.COM",
        "ObjectState": "Unchanged"
    },
    {
        "EnableSafeLinksForEmail": true,
        "EnableSafeLinksForTeams": true,
        "EnableSafeLinksForOffice": true,
        "TrackClicks": true,
        "AllowClickThrough": false,
        "ScanUrls": true,
        "EnableForInternalSenders": true,
        "DeliverMessageAfterScan": true,
        "DisableUrlRewrite": false,
        "DoNotRewriteUrls": [],
        "AdminDisplayName": "Per CISA 'Microsoft 365 Minimum Viable Secure Configuration Baseline', section 2.7.",
        "CustomNotificationText": "",
        "LocalizedNotificationTextList": [],
        "EnableOrganizationBranding": false,
        "RecommendedPolicyType": "Custom",
        "IsBuiltInProtection": false,
        "Identity": "Recommended safe links policy",
        "Id": "Recommended safe links policy",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Recommended safe links policy",
        "DistinguishedName": "CN=Recommended safe links policy,CN=Safe Links,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "ObjectCategory": "ABCDE123456.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Smart-Links-Protection-Config",
        "ObjectClass": [
            "top",
            "msExchSmartLinksProtectionConfig"
        ],
        "WhenChanged": "/Date(1666817150000)/",
        "WhenCreated": "/Date(1624638490000)/",
        "WhenChangedUTC": "/Date(1666817150000)/",
        "WhenCreatedUTC": "/Date(1624638490000)/",
        "ExchangeObjectId": "230356b3-af8c-4b5d-99e0-9c69234a4d9c",
        "OrganizationalUnitRoot": "contoso.onmicrosoft.com",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Guid": "230356b3-af8c-4b5d-99e0-9c69234a4d9c",
        "OriginatingServer": "FFFFFF000000.ABCDE123456.PROD.OUTLOOK.COM",
        "ObjectState": "Unchanged"
    }
]

"safe_links_rules": [
    {
        "SafeLinksPolicy": "Recommended safe links policy",
        "State": "Enabled",
        "Priority": 0,
        "Comments": null,
        "Description": "If the message:\r\n\trecipients\u0027s address domain portion belongs to any of these domains: \u0027contoso.com\u0027 or \u0027otherdomain.com\u0027 or \u0027contoso.onmicrosoft.com\u0027 or \u0027contoso.mail.onmicrosoft.com\u0027\r\nTake the following actions:\r\n\tApply safe links policy 'Recommended safe links policy'.\r\n",
        "RuleVersion": {
            "Major": 15,
            "Minor": 0,
            "Build": 5,
            "Revision": 2,
            "MajorRevision": 0,
            "MinorRevision": 2
        },
        "SentTo": null,
        "SentToMemberOf": null,
        "RecipientDomainIs": [
            "contoso.com",
            "otherdomain.com",
            "contoso.onmicrosoft.com",
            "contoso.mail.onmicrosoft.com"
        ],
        "ExceptIfSentTo": null,
        "ExceptIfSentToMemberOf": null,
        "ExceptIfRecipientDomainIs": null,
        "Conditions": [
            "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.RecipientDomainIsPredicate"
        ],
        "Exceptions": null,
        "Identity": "Recommended safe links rule",
        "DistinguishedName": "CN=Recommended safe links rule,CN=SafeLinksVersioned,CN=Rules,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "Guid": "ce8c5412-b0ae-4a77-aa1d-e81cbf7db500",
        "ImmutableId": "ce8c5412-b0ae-4a77-aa1d-e81cbf7db500",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Name": "Recommended safe links rule",
        "IsValid": true,
        "WhenChanged": "/Date(1667503492000)/",
        "ExchangeVersion": "0.1 (8.0.535.0)",
        "ObjectState": "Unchanged"
    }
]

Defender 2.8

"safe_attachment_policies": [
    {
        "RedirectAddress": "",
        "Redirect": false,
        "Action": "Block",
        "ScanTimeout": 30,
        "ConfidenceLevelThreshold": 80,
        "OperationMode": "Delay",
        "Enable": true,
        "ActionOnError": true,
        "RecommendedPolicyType": "Standard",
        "IsBuiltInProtection": false,
        "IsDefault": false,
        "AdminDisplayName": "",
        "QuarantineTag": "AdminOnlyAccessPolicy",
        "EnableOrganizationBranding": false,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Standard Preset Security Policy1658242519029",
        "DistinguishedName": "CN=Standard Preset Security Policy1658242519029,CN=Safe Attachment,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "Identity": "Standard Preset Security Policy1658242519029",
        "ObjectCategory": "ABCDE123456.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Safe-Attachment-Protection-Config",
        "ObjectClass": [
            "top",
            "msExchSafeAttachmentProtectionConfig"
        ],
        "WhenChanged": "/Date(1658242530000)/",
        "WhenCreated": "/Date(1658242519000)/",
        "WhenChangedUTC": "/Date(1658242530000)/",
        "WhenCreatedUTC": "/Date(1658242519000)/",
        "ExchangeObjectId": "41e581e8-838c-4217-819f-765c14cc4514",
        "OrganizationalUnitRoot": "contoso.onmicrosoft.com",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Id": "Standard Preset Security Policy1658242519029",
        "Guid": "41e581e8-838c-4217-819f-765c14cc4514",
        "OriginatingServer": "FFFFFF000000.ABCDE123456.PROD.OUTLOOK.COM",
        "IsValid": true,
        "ObjectState": "Unchanged"
    },
    {
        "RedirectAddress": "",
        "Redirect": false,
        "Action": "Block",
        "ScanTimeout": 30,
        "ConfidenceLevelThreshold": 80,
        "OperationMode": "Delay",
        "Enable": true,
        "ActionOnError": true,
        "RecommendedPolicyType": "Custom",
        "IsBuiltInProtection": true,
        "IsDefault": false,
        "AdminDisplayName": "",
        "QuarantineTag": "AdminOnlyAccessPolicy",
        "EnableOrganizationBranding": false,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Built-In Protection Policy",
        "DistinguishedName": "CN=Built-In Protection Policy,CN=Safe Attachment,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "Identity": "Built-In Protection Policy",
        "ObjectCategory": "ABCDE123456.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Safe-Attachment-Protection-Config",
        "ObjectClass": [
            "top",
            "msExchSafeAttachmentProtectionConfig"
        ],
        "WhenChanged": "/Date(1643182977000)/",
        "WhenCreated": "/Date(1643182960000)/",
        "WhenChangedUTC": "/Date(1643182977000)/",
        "WhenCreatedUTC": "/Date(1643182960000)/",
        "ExchangeObjectId": "422a021b-bffd-4fa8-9c9d-f005fd529205",
        "OrganizationalUnitRoot": "contoso.onmicrosoft.com",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Id": "Built-In Protection Policy",
        "Guid": "422a021b-bffd-4fa8-9c9d-f005fd529205",
        "OriginatingServer": "FFFFFF000000.ABCDE123456.PROD.OUTLOOK.COM",
        "IsValid": true,
        "ObjectState": "Unchanged"
    },
    {
        "RedirectAddress": "",
        "Redirect": false,
        "Action": "Block",
        "ScanTimeout": 30,
        "ConfidenceLevelThreshold": 80,
        "OperationMode": "Delay",
        "Enable": true,
        "ActionOnError": true,
        "RecommendedPolicyType": "Custom",
        "IsBuiltInProtection": false,
        "IsDefault": false,
        "AdminDisplayName": "Per CISA 'Microsoft 365 Minimum Viable Secure Configuration Baseline', section 2.8",
        "QuarantineTag": "AdminOnlyAccessPolicy",
        "EnableOrganizationBranding": false,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Recommended safe attachments policy",
        "DistinguishedName": "CN=Recommended safe attachments policy,CN=Safe Attachment,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "Identity": "Recommended safe attachments policy",
        "ObjectCategory": "ABCDE123456.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Safe-Attachment-Protection-Config",
        "ObjectClass": [
            "top",
            "msExchSafeAttachmentProtectionConfig"
        ],
        "WhenChanged": "/Date(1666817344000)/",
        "WhenCreated": "/Date(1624638491000)/",
        "WhenChangedUTC": "/Date(1666817344000)/",
        "WhenCreatedUTC": "/Date(1624638491000)/",
        "ExchangeObjectId": "971000ba-0d44-4524-8082-fa11caf062ea",
        "OrganizationalUnitRoot": "contoso.onmicrosoft.com",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Id": "Recommended safe attachments policy",
        "Guid": "971000ba-0d44-4524-8082-fa11caf062ea",
        "OriginatingServer": "FFFFFF000000.ABCDE123456.PROD.OUTLOOK.COM",
        "IsValid": true,
        "ObjectState": "Unchanged"
    }
],
"safe_attachment_rules": [
    {
        "SafeAttachmentPolicy": "Recommended safe attachments policy",
        "State": "Enabled",
        "Priority": 0,
        "Comments": null,
        "Description": "If the message:\r\n\trecipients\u0027s address domain portion belongs to any of these domains: \u0027contoso.com\u0027 or \u0027otherdomain.com\u0027 or \u0027contoso.mail.onmicrosoft.com\u0027 or \u0027contoso.onmicrosoft.com\u0027\r\nTake the following actions:\r\n\tApply safe attachment policy 'Recommended safe attachments policy'.\r\n",
        "RuleVersion": {
            "Major": 15,
            "Minor": 0,
            "Build": 5,
            "Revision": 2,
            "MajorRevision": 0,
            "MinorRevision": 2
        },
        "SentTo": null,
        "SentToMemberOf": null,
        "RecipientDomainIs": [
            "contoso.com",
            "otherdomain.com",
            "contoso.mail.onmicrosoft.com",
            "contoso.onmicrosoft.com"
        ],
        "ExceptIfSentTo": null,
        "ExceptIfSentToMemberOf": null,
        "ExceptIfRecipientDomainIs": null,
        "Conditions": [
            "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.RecipientDomainIsPredicate"
        ],
        "Exceptions": null,
        "Identity": "Recommended safe attachments rule",
        "DistinguishedName": "CN=Recommended safe attachments rule,CN=SafeAttachmentVersioned,CN=Rules,CN=Transport Settings,CN=Configuration,CN=contoso.onmicrosoft.com,CN=ConfigurationUnits,DC=ABCDE123456,DC=PROD,DC=OUTLOOK,DC=COM",
        "Guid": "bf56dcd0-1401-4390-9b0d-25bc84f7097e",
        "ImmutableId": "bf56dcd0-1401-4390-9b0d-25bc84f7097e",
        "OrganizationId": "ABCDE123456.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - ABCDE123456.PROD.OUTLOOK.COM/ConfigurationUnits/contoso.onmicrosoft.com/Configuration",
        "Name": "Recommended safe attachments rule",
        "IsValid": true,
        "WhenChanged": "/Date(1666817380000)/",
        "ExchangeVersion": "0.1 (8.0.535.0)",
        "ObjectState": "Unchanged"
    }
]

Defender 2.9

"protection_alerts": [
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "DlpRuleGenerateAlertMatch"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": {
            "DlpRuleId": "a7a1e2e0-e272-4a72-9c39-14ab2a68837e"
        },
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "DataLossPrevention",
        "IsSystemRule": false,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "30b5e805-a65d-45d7-a499-b0ffcfabb394",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "862d58f3-2e5c-469e-b612-a4780abbcc1c",
        "Comment": "",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "6eb84c16-b596-41e6-ec0f-08dab78bb8f0",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "30b5e805-a65d-45d7-a499-b0ffcfabb394",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/Configuration/DLP-High volume of content detected U.S. Gramm-Leach-Bl-a7a1e2e0",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/Configuration/DLP-High volume of content detected U.S. Gramm-Leach-Bl-a7a1e2e0",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "DLP-High volume of content detected U.S. Gramm-Leach-Bl-a7a1e2e0",
        "DistinguishedName": "CN=DLP-High volume of content detected U.S. Gramm-Leach-Bl-a7a1e2e0,CN=Configuration,CN=contoso.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1666813995000)/",
        "WhenCreated": "/Date(1666813912000)/",
        "WhenChangedUTC": "/Date(1666813995000)/",
        "WhenCreatedUTC": "/Date(1666813912000)/",
        "ExchangeObjectId": "30b5e805-a65d-45d7-a499-b0ffcfabb394",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "MipAutoLabelSimulationCompletion"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Low",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "dac59cbc-1d3b-4f5e-91e0-02d780c53915",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "dac59cbc-1d3b-4f5e-91e0-02d780c53915",
        "Comment": "AutoLabel policy simulation has been completed. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "5c9f6442-acd3-41f6-d12d-08d8e5dc6477",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "dac59cbc-1d3b-4f5e-91e0-02d780c53915",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/MIP AutoLabel simulation completed",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/MIP AutoLabel simulation completed",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "MIP AutoLabel simulation completed",
        "DistinguishedName": "CN=MIP AutoLabel simulation completed,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1615611401000)/",
        "WhenCreated": "/Date(1615611401000)/",
        "WhenChangedUTC": "/Date(1615611401000)/",
        "WhenCreatedUTC": "/Date(1615611401000)/",
        "ExchangeObjectId": "dac59cbc-1d3b-4f5e-91e0-02d780c53915",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "-not (Activity.User.Tags -like \u0027hve\u0027)",
        "Operation": [
            "CompromisedWarningAccount"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "be215649-fba8-4339-9ddd-05991a43b948",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "105a3254-0eca-4a3d-8686-a66115a99235",
        "Comment": "User has been detected as sending suspicious messages outside the organization and will be restricted if this activity continues. -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "598b2fa8-af1a-478c-7765-08d7af1eb9de",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "be215649-fba8-4339-9ddd-05991a43b948",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious email sending patterns detected",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious email sending patterns detected",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Suspicious email sending patterns detected",
        "DistinguishedName": "CN=Suspicious email sending patterns detected,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1581445079000)/",
        "WhenCreated": "/Date(1556152140000)/",
        "WhenChangedUTC": "/Date(1581445079000)/",
        "WhenCreatedUTC": "/Date(1556152140000)/",
        "ExchangeObjectId": "be215649-fba8-4339-9ddd-05991a43b948",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.IsMailZAPSuccessful -eq 1) -and (Mail.IsGenericZapped -eq 1) -and (Mail.TenantPolicyFinalVerdictSource -ne \u0027PhishEdu\u0027) -and (Mail.TenantPolicyFinalVerdictSource -ne \u0027SecOps\u0027) -and (Mail.TenantPolicyFinalVerdictSource -ne \u0027ThirdPartyFiltering\u0027)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malicious",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "b8f6b088-5487-4c70-037c-08d8d71a43fe",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "a1f563cc-fb1f-466b-1fb5-08d8d71a3050",
        "Comment": "Malicious emails were delivered and later removed -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "97adcca2-ed7d-4346-a0f7-08da1c763fff",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "b8f6b088-5487-4c70-037c-08d8d71a43fe",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages removed after delivery?",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages removed after delivery?",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email messages removed after delivery?",
        "DistinguishedName": "CN=Email messages removed after delivery?,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1649762343000)/",
        "WhenCreated": "/Date(1620179177000)/",
        "WhenChangedUTC": "/Date(1649762343000)/",
        "WhenCreatedUTC": "/Date(1620179177000)/",
        "ExchangeObjectId": "b8f6b088-5487-4c70-037c-08d8d71a43fe",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.IsMailZAPSuccessful -eq 1) -and Mail.IsCampaignZapped -eq 1 -and (Mail.TenantPolicyFinalVerdictSource -ne u0027PhishEduu0027) -and (Mail.TenantPolicyFinalVerdictSource -ne u0027SecOpsu0027) -and (Mail.TenantPolicyFinalVerdictSource -ne u0027ThirdPartyFilteringu0027)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malicious",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "c8522cbb-9368-4e25-4ee9-08d8d899dfab",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "ef850570-5624-42b2-ff0a-08d8d899d578",
        "Comment": "Emails messages from a campaign were delivered and later removed -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "f828bc4b-2068-4ffc-a945-08da1c7640ad",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "c8522cbb-9368-4e25-4ee9-08d8d899dfab",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages from a campaign removed after delivery?",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages from a campaign removed after delivery?",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email messages from a campaign removed after delivery?",
        "DistinguishedName": "CN=Email messages from a campaign removed after delivery?,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1649762344000)/",
        "WhenCreated": "/Date(1620179178000)/",
        "WhenChangedUTC": "/Date(1649762344000)/",
        "WhenCreatedUTC": "/Date(1620179178000)/",
        "ExchangeObjectId": "c8522cbb-9368-4e25-4ee9-08d8d899dfab",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "Activity.AirItemType -eq u0027Useru0027",
        "Operation": [
            "AirManualInvestigation"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "845686e4-f843-42cf-36d7-08d8e2eca19c",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "fbb0585f-318a-4e26-eec9-08d8e2ec980c",
        "Comment": "This alert is triggered because an admin triggered investigation of a user -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "163c9706-35dc-481b-13f7-08d956637e92",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "845686e4-f843-42cf-36d7-08d8e2eca19c",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Admin triggered user compromise investigation",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Admin triggered user compromise investigation",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Admin triggered user compromise investigation",
        "DistinguishedName": "CN=Admin triggered user compromise investigation,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1627983957000)/",
        "WhenCreated": "/Date(1627983957000)/",
        "WhenChangedUTC": "/Date(1627983957000)/",
        "WhenCreatedUTC": "/Date(1627983957000)/",
        "ExchangeObjectId": "845686e4-f843-42cf-36d7-08d8e2eca19c",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Click.IsSystemBlockOverriden -eq 1) -or (Click.IsTenantBlockOverriden -eq 1)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "None",
        "ThreatType": "MaliciousUrlClick",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "MaliciousUrlClick",
        "Scenario": "MaliciousUrlClick",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "5453b67e-6c81-4a46-b96c-08d97b58d4ac",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "e7fec753-4e4b-491c-2152-08d97b58ad34",
        "Comment": "We have detected that one of your users has recently clicked through on a link that was found to be malicious. -V1.0.0.3",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "5cedf492-1955-4eea-47ed-08da43227592",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "5453b67e-6c81-4a46-b96c-08d97b58d4ac",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/A user clicked through to a potentially malicious URL?",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/A user clicked through to a potentially malicious URL?",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "A user clicked through to a potentially malicious URL?",
        "DistinguishedName": "CN=A user clicked through to a potentially malicious URL?,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1654014450000)/",
        "WhenCreated": "/Date(1654014450000)/",
        "WhenChangedUTC": "/Date(1654014450000)/",
        "WhenCreatedUTC": "/Date(1654014450000)/",
        "ExchangeObjectId": "5453b67e-6c81-4a46-b96c-08d97b58d4ac",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "ConnectorAbuse"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "8bb9c6c8-dc12-40e1-5bb8-08da05b13393",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "d1de9ca1-fcd8-4ce1-f041-08da05b11773",
        "Comment": "Connector has been restricted from sending messages due to potential compromise activity. -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "6a6aea10-0f23-4229-6cbc-08da32acf7b8",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "8bb9c6c8-dc12-40e1-5bb8-08da05b13393",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious connector activity",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious connector activity",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Suspicious connector activity",
        "DistinguishedName": "CN=Suspicious connector activity,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1652204769000)/",
        "WhenCreated": "/Date(1652204769000)/",
        "WhenChangedUTC": "/Date(1652204769000)/",
        "WhenCreatedUTC": "/Date(1652204769000)/",
        "ExchangeObjectId": "8bb9c6c8-dc12-40e1-5bb8-08da05b13393",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "UploadDataCompleted"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Low",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "55272906-f9a5-4adf-9395-0abeec18aee1",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "8d58b459-63cd-4b73-aca0-f24ed896f018",
        "Comment": "New sensitive information was uploaded and is ready to be protected. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "2357746e-4b38-4919-4e34-08d8d2b1149f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "55272906-f9a5-4adf-9395-0abeec18aee1",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Successful exact data match upload",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Successful exact data match upload",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Successful exact data match upload",
        "DistinguishedName": "CN=Successful exact data match upload,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1613503727000)/",
        "WhenCreated": "/Date(1613503727000)/",
        "WhenChangedUTC": "/Date(1613503727000)/",
        "WhenCreatedUTC": "/Date(1613503727000)/",
        "ExchangeObjectId": "55272906-f9a5-4adf-9395-0abeec18aee1",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "((Mail.DeliveryStatus -eq u0027Deliveredu0027) -or (Mail.DeliveryStatus -eq u0027DeliveredAsSpamu0027)) -and (Mail.Direction -eq u0027Inboundu0027)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Phish",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "89adaf70-828a-4951-92ac-0de02a67d441",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "6fefbe63-d3a4-4a58-993f-56fb7a3cabaf",
        "Comment": "Office 365 detected a phishing email delivered to users in your organization. Investigate and remediate using an Incident in the Security and Compliance center. -V1.0.0.1",
        "Disabled": true,
        "Mode": "PendingDeletion",
        "ObjectVersion": "cb7c2480-c3dd-477e-50e7-08d5c0f10497",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "89adaf70-828a-4951-92ac-0de02a67d441",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phishing email detected after delivery",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phishing email detected after delivery",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Phishing email detected after delivery",
        "DistinguishedName": "CN=Phishing email detected after delivery,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1527109574000)/",
        "WhenCreated": "/Date(1527108025000)/",
        "WhenChangedUTC": "/Date(1527109574000)/",
        "WhenCreatedUTC": "/Date(1527108025000)/",
        "ExchangeObjectId": "89adaf70-828a-4951-92ac-0de02a67d441",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "GrantAdminPermission"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Low",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "AccessGovernance",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "17d51759-88e1-40c1-8df3-20bcf2e43057",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "ae6108c1-8814-4a00-bf93-22396aad4bd8",
        "Comment": "This alert is triggered when someone in your organization becomes an Exchange admin or gets new Exchange admin permissions -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "642e6369-dfcd-4578-95a4-08d654fdcd07",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "17d51759-88e1-40c1-8df3-20bcf2e43057",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Elevation of Exchange admin privilege",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Elevation of Exchange admin privilege",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Elevation of Exchange admin privilege",
        "DistinguishedName": "CN=Elevation of Exchange admin privilege,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1543387836000)/",
        "WhenCreated": "/Date(1492488890000)/",
        "WhenChangedUTC": "/Date(1543387836000)/",
        "WhenCreatedUTC": "/Date(1492488890000)/",
        "ExchangeObjectId": "17d51759-88e1-40c1-8df3-20bcf2e43057",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "Mail.IsSystemZappedMalware -eq 1 -and (-not (Mail.Recipients.Tags -like u0027hveu0027)) -and (-not (Mail.Sender.Tags -like u0027hveu0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq u0027PhishEduu0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq u0027SecOpsu0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq u0027ThirdPartyFilteringu0027)) -and ((Mail.IsGenericZapped -ne 1) -and (Mail.IsGenericZapped -ne 0)) -and ((Mail.IsCampaignZapped -ne 1) -and (Mail.IsCampaignZapped -ne 0))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malware",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "0179b3f7-3fda-40c3-8f24-278563978dbb",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "b7d4272b-96c3-4514-b9bd-e4d4c051d162",
        "Comment": "Emails with malware that were delivered and later removed -V1.0.0.8",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "0b3219c1-2b1c-4b7b-a42b-08d90f679428",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "0179b3f7-3fda-40c3-8f24-278563978dbb",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing malware removed after delivery",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing malware removed after delivery",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email messages containing malware removed after delivery",
        "DistinguishedName": "CN=Email messages containing malware removed after delivery,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1620179179000)/",
        "WhenCreated": "/Date(1552448532000)/",
        "WhenChangedUTC": "/Date(1620179179000)/",
        "WhenCreatedUTC": "/Date(1552448532000)/",
        "ExchangeObjectId": "0179b3f7-3fda-40c3-8f24-278563978dbb",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.IsMailZAPSuccessful -eq 1) -and Mail.IsSystemZappedByURLs -eq 1 -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027)) -and (Mail.IsCampaignZapped -ne 1)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malicious",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "435ca8f9-fb3b-4514-9bec-52fed47d84f9",
        "Comment": "Emails with malicious URL that were delivered and later removed -V1.0.0.3",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "a5e68877-111c-4ce3-d2a0-08da1c7642e9",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing malicious URL removed after delivery?",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing malicious URL removed after delivery?",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email messages containing malicious URL removed after delivery?",
        "DistinguishedName": "CN=Email messages containing malicious URL removed after delivery?,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1649762348000)/",
        "WhenCreated": "/Date(1612833208000)/",
        "WhenChangedUTC": "/Date(1649762348000)/",
        "WhenCreatedUTC": "/Date(1612833208000)/",
        "ExchangeObjectId": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "UserRestrictedByDistributingForms"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "f86c81d5-272e-4825-a957-366e964f702c",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "29af60e8-9eae-4962-ba2e-a030fc6f7661",
        "Comment": "Microsoft Forms identified repeated phishing attempts by a user in your tenant. This user is now blocked from sharing forms and collecting responses. -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "2049607b-4883-4b59-6862-08d8d2b11a5e",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "f86c81d5-272e-4825-a957-366e964f702c",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User restricted from sharing forms and collecting responses",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User restricted from sharing forms and collecting responses",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "User restricted from sharing forms and collecting responses",
        "DistinguishedName": "CN=User restricted from sharing forms and collecting responses,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1613503736000)/",
        "WhenCreated": "/Date(1613503736000)/",
        "WhenChangedUTC": "/Date(1613503736000)/",
        "WhenCreatedUTC": "/Date(1613503736000)/",
        "ExchangeObjectId": "f86c81d5-272e-4825-a957-366e964f702c",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "None",
        "ThreatType": "MaliciousUrlClick",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "MaliciousUrlClick",
        "Scenario": "MaliciousUrlClick",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "ece0f2ff-7944-4cde-8348-39da34d1ebab",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "e82c971b-ff9a-49e0-a0fd-0ff7d2b1fa15",
        "Comment": "We have detected that one of your HVE users has recently clicked on a link that was found to be malicious -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "d30894cc-c47a-4942-1dcb-08d9dffa0522",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "ece0f2ff-7944-4cde-8348-39da34d1ebab",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/HVE A potentially malicious URL click was detected",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/HVE A potentially malicious URL click was detected",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "HVE A potentially malicious URL click was detected",
        "DistinguishedName": "CN=HVE A potentially malicious URL click was detected,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1643111917000)/",
        "WhenCreated": "/Date(1593718368000)/",
        "WhenChangedUTC": "/Date(1643111917000)/",
        "WhenCreatedUTC": "/Date(1593718368000)/",
        "ExchangeObjectId": "ece0f2ff-7944-4cde-8348-39da34d1ebab",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Activity.SubmissionType -eq \u0027Phish\u0027) -or (Activity.SubmissionType -eq \u0027Malware\u0027)",
        "Operation": [
            "UserSubmission"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Low",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "b26a5770-0c38-434a-9380-3a3c2c27bbb3",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "d326019d-b122-450c-a96e-de82aaf46ab9",
        "Comment": "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "41c49634-ce2f-4383-d609-08d90a1a55d8",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "b26a5770-0c38-434a-9380-3a3c2c27bbb3",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email reported by user as malware or phish",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email reported by user as malware or phish",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email reported by user as malware or phish",
        "DistinguishedName": "CN=Email reported by user as malware or phish,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1619596247000)/",
        "WhenCreated": "/Date(1552448531000)/",
        "WhenChangedUTC": "/Date(1619596247000)/",
        "WhenCreatedUTC": "/Date(1552448531000)/",
        "ExchangeObjectId": "b26a5770-0c38-434a-9380-3a3c2c27bbb3",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "RetentionAutoLabelSimulationCompletion"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Low",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "a8f4ff90-ee7d-4813-a629-42c9db2204dd",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "404fd903-ef34-43df-8362-ac45c1bb2a1c",
        "Comment": "Retention auto-labeling policy simulation has been completed. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "95115b36-e7c4-4001-5d8b-08da6f2b898f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "a8f4ff90-ee7d-4813-a629-42c9db2204dd",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Retention Auto-labeling Policy Simulation Completed",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Retention Auto-labeling Policy Simulation Completed",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Retention Auto-labeling Policy Simulation Completed",
        "DistinguishedName": "CN=Retention Auto-labeling Policy Simulation Completed,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1658856200000)/",
        "WhenCreated": "/Date(1658856200000)/",
        "WhenChangedUTC": "/Date(1658856200000)/",
        "WhenCreatedUTC": "/Date(1658856200000)/",
        "ExchangeObjectId": "a8f4ff90-ee7d-4813-a629-42c9db2204dd",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "Activity.AirItemType -eq \u0027Email\u0027",
        "Operation": [
            "AirManualInvestigation"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "cfb0af3a-7410-445c-a872-45f95c45f0de",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "8aa5392e-0533-4a43-9952-b25fcea4af4b",
        "Comment": "This alert is triggered because an admin triggered manual investigation of an Email from explorer -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "67c64197-2244-4ff2-dbb1-08d88b45bbb0",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "cfb0af3a-7410-445c-a872-45f95c45f0de",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Admin triggered manual investigation of email",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Admin triggered manual investigation of email",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Admin triggered manual investigation of email",
        "DistinguishedName": "CN=Admin triggered manual investigation of email,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1605651089000)/",
        "WhenCreated": "/Date(1605651089000)/",
        "WhenChangedUTC": "/Date(1605651089000)/",
        "WhenCreatedUTC": "/Date(1605651089000)/",
        "ExchangeObjectId": "cfb0af3a-7410-445c-a872-45f95c45f0de",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "eDiscoverySearchStartedOrExported"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "6fdc5710-3998-47f0-afbb-57cefd7378ae",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "f39d84d4-568b-47d2-8f6d-b4ae9d4aba97",
        "Comment": "The alert is triggered when users start content searches or eDiscovery searches or when search results are downloaded or exported -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "3d7436f7-6809-4ec0-65eb-08d90a1a5a9f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "6fdc5710-3998-47f0-afbb-57cefd7378ae",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/eDiscovery search started or exported",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/eDiscovery search started or exported",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "eDiscovery search started or exported",
        "DistinguishedName": "CN=eDiscovery search started or exported,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1619596255000)/",
        "WhenCreated": "/Date(1537585513000)/",
        "WhenChangedUTC": "/Date(1619596255000)/",
        "WhenCreatedUTC": "/Date(1537585513000)/",
        "ExchangeObjectId": "6fdc5710-3998-47f0-afbb-57cefd7378ae",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "QuarantineRequestReleaseMessage"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "34116cef-7761-4cdf-a30b-5aa944d93d74",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "c633eeaf-090e-4dc2-ad59-770158128390",
        "Comment": "A user has requested to release an email from quarantine. -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "9c929fe7-885c-49dd-f707-08d9a908c257",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "34116cef-7761-4cdf-a30b-5aa944d93d74",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User requested to release a quarantined message",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "User requested to release a quarantined message",
        "DistinguishedName": "CN=User requested to release a quarantined message,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1637070933000)/",
        "WhenCreated": "/Date(1637070933000)/",
        "WhenChangedUTC": "/Date(1637070933000)/",
        "WhenCreatedUTC": "/Date(1637070933000)/",
        "ExchangeObjectId": "34116cef-7761-4cdf-a30b-5aa944d93d74",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.IsMailZAPSuccessful -eq 1) -and Mail.IsSystemZappedByFiles -eq 1 -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027)) -and (Mail.IsCampaignZapped -ne 1)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malicious",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "c056ed0c-0a2c-4c2f-989e-c32681100d63",
        "Comment": "Emails with malicious file that were delivered and later removed -V1.0.0.3",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "2602b3f9-a2bf-4fa9-3c71-08da1c763ef2",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing malicious file removed after delivery?",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing malicious file removed after delivery?",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email messages containing malicious file removed after delivery?",
        "DistinguishedName": "CN=Email messages containing malicious file removed after delivery?,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1649762341000)/",
        "WhenCreated": "/Date(1612833195000)/",
        "WhenChangedUTC": "/Date(1649762341000)/",
        "WhenCreatedUTC": "/Date(1612833195000)/",
        "ExchangeObjectId": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "Activity.Operation -eq u0027MSTICNationStateNotificationu0027",
        "Operation": [
            "MSTICNationStateNotification"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "3b3085a4-553a-4b61-bbf1-691fa4e0bf76",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "3942e844-78a9-4110-9f47-9f6c1e1d1c99",
        "Comment": "Microsoft Threat Intelligence Center detected an attempt to compromise accounts from your tenant. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "2d0ec80c-60f6-4c94-2107-08d9a908c00c",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "3b3085a4-553a-4b61-bbf1-691fa4e0bf76",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Potential Nation-State Activity",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Potential Nation-State Activity",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Potential Nation-State Activity",
        "DistinguishedName": "CN=Potential Nation-State Activity,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1637070929000)/",
        "WhenCreated": "/Date(1637070929000)/",
        "WhenChangedUTC": "/Date(1637070929000)/",
        "WhenCreatedUTC": "/Date(1637070929000)/",
        "ExchangeObjectId": "3b3085a4-553a-4b61-bbf1-691fa4e0bf76",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "AdminSubmission"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "ae9b83dd-6039-4ea9-b675-6b0ac3bf4a41",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "8d56b699-74c1-499f-b0cf-bd11fb5f83f4",
        "Comment": "This alert is triggered once the admin submission result is generated or updated. -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "4db2b0da-9112-4e19-5d4d-08d90a1a57a4",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "ae9b83dd-6039-4ea9-b675-6b0ac3bf4a41",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Admin Submission Result Completed",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Admin Submission Result Completed",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Admin Submission Result Completed",
        "DistinguishedName": "CN=Admin Submission Result Completed,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1619596250000)/",
        "WhenCreated": "/Date(1571162603000)/",
        "WhenChangedUTC": "/Date(1619596250000)/",
        "WhenCreatedUTC": "/Date(1571162603000)/",
        "ExchangeObjectId": "ae9b83dd-6039-4ea9-b675-6b0ac3bf4a41",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "EmailSendingLimitExceeded"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "2cc44934-4d16-420b-b4e8-74a77fd0ab24",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "66420b7c-b772-4749-8e23-01672295fcc2",
        "Comment": "User has exceeded their email sending limit and the action defined within the Outbound Spam policy has been applied. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "6f3e73f7-c520-4b9e-d07b-08d74780f057",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "2cc44934-4d16-420b-b4e8-74a77fd0ab24",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email sending limit exceeded",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email sending limit exceeded",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email sending limit exceeded",
        "DistinguishedName": "CN=Email sending limit exceeded,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1570052341000)/",
        "WhenCreated": "/Date(1570052341000)/",
        "WhenChangedUTC": "/Date(1570052341000)/",
        "WhenCreatedUTC": "/Date(1570052341000)/",
        "ExchangeObjectId": "2cc44934-4d16-420b-b4e8-74a77fd0ab24",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Activity.AirAdminActionType -eq u0027MailActionu0027 -or Activity.AirAdminActionType -eq u0027BlockUrlActionu0027 -or Activity.AirAdminActionType -eq u0027BlockSenderActionu0027)",
        "Operation": [
            "AirAdminActionInvestigation"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "39c5b427-a54f-4c38-a799-8541c5a105a8",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "bcafb035-406a-4a14-b5c3-67396c524edc",
        "Comment": "This alert is triggered when an admin takes remediation action on the selected entity -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "da1aa0e5-da34-46f4-48f4-08d88b45be0e",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "39c5b427-a54f-4c38-a799-8541c5a105a8",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Remediation action taken by admin on emails or URL or sender",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Remediation action taken by admin on emails or URL or sender",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Remediation action taken by admin on emails or URL or sender",
        "DistinguishedName": "CN=Remediation action taken by admin on emails or URL or sender,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1605651093000)/",
        "WhenCreated": "/Date(1605651093000)/",
        "WhenChangedUTC": "/Date(1605651093000)/",
        "WhenCreatedUTC": "/Date(1605651093000)/",
        "ExchangeObjectId": "39c5b427-a54f-4c38-a799-8541c5a105a8",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "MailRedirect"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "d59a8fd4-1272-41ee-9408-86f7bcf72479",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "bc59a7c1-2cfd-49da-b762-f643f204babe",
        "Comment": "This alert is triggered when someone in your organization sets up auto-forwarding, email forwarding, redirect rule or a mail flow rule -V1.0.0.5",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "3f00b180-c6a5-41ba-cb39-08d90a1a5960",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "d59a8fd4-1272-41ee-9408-86f7bcf72479",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Creation of forwarding/redirect rule",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Creation of forwarding/redirect rule",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Creation of forwarding/redirect rule",
        "DistinguishedName": "CN=Creation of forwarding/redirect rule,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1619596253000)/",
        "WhenCreated": "/Date(1505796344000)/",
        "WhenChangedUTC": "/Date(1619596253000)/",
        "WhenCreatedUTC": "/Date(1505796344000)/",
        "ExchangeObjectId": "d59a8fd4-1272-41ee-9408-86f7bcf72479",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "VIPMessage.MessageStatus -eq u0027Rejectedu0027",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": 100,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "None",
        "ThreatType": "MailFlow",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "MailFlow",
        "Scenario": "MailFlowProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "CustomAggregation",
        "Category": "MailFlow",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "2a244387-17f7-458b-81a1-87e75520dfa6",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "558ca84d-e5a1-4dd0-9dcc-923c82219ad4",
        "Comment": "Office 365 can monitor the mail flow for priority accounts for your organization. This alert is triggered when the number of rejected or delayed messages for priority accounts exceeds the policy threshold.",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "8b775856-4d5d-428b-e1ec-08d81e84f8f3",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "2a244387-17f7-458b-81a1-87e75520dfa6",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Priority accountsu0027 mail flow is unhealthy",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Priority accountsu0027 mail flow is unhealthy",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Priority accountsu0027 mail flow is unhealthy",
        "DistinguishedName": "CN=Priority accountsu0027 mail flow is unhealthy,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1593693573000)/",
        "WhenCreated": "/Date(1593516317000)/",
        "WhenChangedUTC": "/Date(1593693573000)/",
        "WhenCreatedUTC": "/Date(1593516317000)/",
        "ExchangeObjectId": "2a244387-17f7-458b-81a1-87e75520dfa6",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "-not (Activity.User.Tags -like u0027hveu0027)",
        "Operation": [
            "CompromisedAccount"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "7a4e7306-bbcb-401f-b112-8ca5f798a230",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "743af9b5-f679-418a-88e9-77360cd02fce",
        "Comment": "User has been restricted from sending messages outside the organization due to potential compromised activity. -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "4e39b0c8-8748-4856-a50e-08d7af1eba82",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "7a4e7306-bbcb-401f-b112-8ca5f798a230",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User restricted from sending email",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/User restricted from sending email",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "User restricted from sending email",
        "DistinguishedName": "CN=User restricted from sending email,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1581445080000)/",
        "WhenCreated": "/Date(1552692853000)/",
        "WhenChangedUTC": "/Date(1581445080000)/",
        "WhenCreatedUTC": "/Date(1552692853000)/",
        "ExchangeObjectId": "7a4e7306-bbcb-401f-b112-8ca5f798a230",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.IsMailZAPFailed -eq 1) -and ((((Mail.IsSystemZappedByFiles -eq 1) -or (Mail.IsSystemZappedByURLs -eq 1)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq u0027PhishEduu0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq u0027SecOpsu0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq u0027ThirdPartyFilteringu0027)) -and (Mail.IsCampaignZapped -ne 1)) -or (((Mail.IsGenericZapped -eq 1) -or(Mail.IsCampaignZapped -eq 1)) -and (Mail.TenantPolicyFinalVerdictSource -ne u0027PhishEduu0027) -and (Mail.TenantPolicyFinalVerdictSource -ne u0027SecOpsu0027) -and (Mail.TenantPolicyFinalVerdictSource -ne u0027ThirdPartyFilteringu0027)))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malicious",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "663e723a-4a74-47d9-9690-9638f0d496af",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "01fb826b-ea22-426e-b553-75fa3afd16f9",
        "Comment": "Messages containing a malicious entity were delivered, and we could not remove them after delivery. Manual action is required. Please remove the malicious messages for the affected users. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "9e595964-00bf-4acb-7838-08da1c764141",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "663e723a-4a74-47d9-9690-9638f0d496af",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Messages containing malicious entity not removed after delivery",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Messages containing malicious entity not removed after delivery",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Messages containing malicious entity not removed after delivery",
        "DistinguishedName": "CN=Messages containing malicious entity not removed after delivery,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1649762345000)/",
        "WhenCreated": "/Date(1649762345000)/",
        "WhenChangedUTC": "/Date(1649762345000)/",
        "WhenCreatedUTC": "/Date(1649762345000)/",
        "ExchangeObjectId": "663e723a-4a74-47d9-9690-9638f0d496af",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "ExternalFileSharing"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": [
            "Tenant"
        ],
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "AnomalousAggregation",
        "Category": "DataGovernance",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "d0ec2b5e-b51e-4b83-a232-972d3971d370",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "94b6d359-065a-493d-a050-2a8c64ea1092",
        "Comment": "This alert is triggered when the volume of external file sharing activities in your organization becomes unusual -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "7c342f2d-bf21-4831-ffce-08d654fdce33",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "d0ec2b5e-b51e-4b83-a232-972d3971d370",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Unusual volume of external file sharing",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Unusual volume of external file sharing",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Unusual volume of external file sharing",
        "DistinguishedName": "CN=Unusual volume of external file sharing,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1543387838000)/",
        "WhenCreated": "/Date(1492488894000)/",
        "WhenChangedUTC": "/Date(1543387838000)/",
        "WhenCreatedUTC": "/Date(1492488894000)/",
        "ExchangeObjectId": "d0ec2b5e-b51e-4b83-a232-972d3971d370",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "AutoBlockedForm"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "3d408d75-3093-40de-8611-9d1a273a11dc",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "a135d1a5-12e6-432d-8b01-7ea84090691e",
        "Comment": "Microsoft Forms detected a potential phishing attempt from a form and blocked it from distribution and response collection. -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "7310fa5f-8525-47de-2772-08d8d2b1187d",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "3d408d75-3093-40de-8611-9d1a273a11dc",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Form blocked due to potential phishing attempt",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Form blocked due to potential phishing attempt",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Form blocked due to potential phishing attempt",
        "DistinguishedName": "CN=Form blocked due to potential phishing attempt,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1613503733000)/",
        "WhenCreated": "/Date(1613503733000)/",
        "WhenChangedUTC": "/Date(1613503733000)/",
        "WhenCreatedUTC": "/Date(1613503733000)/",
        "ExchangeObjectId": "3d408d75-3093-40de-8611-9d1a273a11dc",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.DeliveryStatus -eq \u0027Delivered\u0027) -and (Mail.Direction -eq \u0027Inbound\u0027) -and (Mail.IsOriginalDelivery -eq 1) -and (Mail.PhishConfidence -eq \u0027High\u0027) -and (Mail.FinalVerdictSource -eq \u0027Tenant\u0027) -and (Mail.TenantPolicyFinalVerdict -eq \u0027Allow\u0027) -and (Mail.TenantPolicyFinalVerdictSource -eq \u0027ETR\u0027 -or Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Phish",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "ce5b94b7-eafb-4b3f-8d44-a0a86245e62b",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "ce633f0a-0361-46b7-bbb0-5452f5669eec",
        "Comment": "This alert fires when message containing phish was delivered due to an ETR override. -V1.0.0.4",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "9f583659-78a9-4b21-6f98-08d95bfab329",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "ce5b94b7-eafb-4b3f-8d44-a0a86245e62b",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phish delivered due to an ETR override",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phish delivered due to an ETR override",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Phish delivered due to an ETR override",
        "DistinguishedName": "CN=Phish delivered due to an ETR override,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1628598655000)/",
        "WhenCreated": "/Date(1612833200000)/",
        "WhenChangedUTC": "/Date(1628598655000)/",
        "WhenCreatedUTC": "/Date(1612833200000)/",
        "ExchangeObjectId": "ce5b94b7-eafb-4b3f-8d44-a0a86245e62b",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "Mail.TimeTravelResult -eq \u0027AdminPolicy_ZapDisabled\u0027 -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Malware",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "a5c402b2-eba9-4f9d-a0dd-a0c65db97200",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "2dc8e550-89dc-4e6b-9a0d-9d7135aa9452",
        "Comment": "This alert fires when message containing malware was not zapped because ZAP is disabled. -V1.0.0.6",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "d759cd6c-3545-4b67-248f-08da850b165d",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "a5c402b2-eba9-4f9d-a0dd-a0c65db97200",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Malware not zapped because ZAP is disabled",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Malware not zapped because ZAP is disabled",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Malware not zapped because ZAP is disabled",
        "DistinguishedName": "CN=Malware not zapped because ZAP is disabled,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1661261189000)/",
        "WhenCreated": "/Date(1661261189000)/",
        "WhenChangedUTC": "/Date(1661261189000)/",
        "WhenCreatedUTC": "/Date(1661261189000)/",
        "ExchangeObjectId": "a5c402b2-eba9-4f9d-a0dd-a0c65db97200",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "SuspiciousForwarding"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "bfd48f06-0865-41a6-85ff-adb746423ebf",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "1aa1676e-04c0-4b5e-bd0c-bf21c3a44971",
        "Comment": "This alert is triggered once suspicious email forwarding is detected. -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "75756881-b76c-40aa-0188-08d90a1a521f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "bfd48f06-0865-41a6-85ff-adb746423ebf",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious Email Forwarding Activity",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious Email Forwarding Activity",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Suspicious Email Forwarding Activity",
        "DistinguishedName": "CN=Suspicious Email Forwarding Activity,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1619596241000)/",
        "WhenCreated": "/Date(1602615299000)/",
        "WhenChangedUTC": "/Date(1619596241000)/",
        "WhenCreatedUTC": "/Date(1602615299000)/",
        "ExchangeObjectId": "bfd48f06-0865-41a6-85ff-adb746423ebf",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "Mail.IsSystemZappedPhish -eq 1 -and (-not (Mail.Recipients.Tags -like \u0027hve\u0027)) -and (-not (Mail.Sender.Tags -like \u0027hve\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027)) -and ((Mail.IsGenericZapped -ne 1) -and (Mail.IsGenericZapped -ne 0)) -and ((Mail.IsCampaignZapped -ne 1) -and (Mail.IsCampaignZapped -ne 0))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": false,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Phish",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "ea8169fa-0678-4751-8854-aebea7adeceb",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "6df73299-4af9-4173-97ff-800926831e09",
        "Comment": "Emails with phish URLs that were delivered and later removed -V1.0.0.8",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "3f671b4e-66dc-48f8-b252-08d918e3ea0b",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "ea8169fa-0678-4751-8854-aebea7adeceb",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing phish URLs removed after delivery",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Email messages containing phish URLs removed after delivery",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Email messages containing phish URLs removed after delivery",
        "DistinguishedName": "CN=Email messages containing phish URLs removed after delivery,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1621222141000)/",
        "WhenCreated": "/Date(1552448532000)/",
        "WhenChangedUTC": "/Date(1621222141000)/",
        "WhenCreatedUTC": "/Date(1552448532000)/",
        "ExchangeObjectId": "ea8169fa-0678-4751-8854-aebea7adeceb",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "MessagesQueued.QueuedType -eq \u0027ConnectorBasedMessagesQueued\u0027",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": 2000,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "None",
        "ThreatType": "MailFlow",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "MailFlow",
        "Scenario": "MailFlowProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": "/Date(1572466834940)/",
        "AggregationType": "CustomAggregation",
        "Category": "MailFlow",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "37a4e852-e711-45ca-b0f4-b076bae3adfd",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "ba52bbe8-d298-494f-893f-b1e9a4c18b86",
        "Comment": "When Office 365 can\u0027t deliver a message to your on-premises or partner servers via a connector, the message is queued in Office 365. This alert is triggered when the number of queued messages exceeds the policy threshold and have been queued for more than an hour. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "0cdb4304-7aec-428b-250b-08d5e8177228",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "37a4e852-e711-45ca-b0f4-b076bae3adfd",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Messages have been delayed",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Messages have been delayed",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Messages have been delayed",
        "DistinguishedName": "CN=Messages have been delayed,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1531414174000)/",
        "WhenCreated": "/Date(1531272196000)/",
        "WhenChangedUTC": "/Date(1531414174000)/",
        "WhenCreatedUTC": "/Date(1531272196000)/",
        "ExchangeObjectId": "37a4e852-e711-45ca-b0f4-b076bae3adfd",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "ComplianceManagerActionScoreChange"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": 60,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ComplianceManager",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "ed5f5244-a3e4-4bf7-895c-b49ef27ded46",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "c96a4b5c-8274-4f09-9d6f-badfa5744011",
        "Comment": "This default policy will generate an alert for events that happen within 60 minutes of alert creation -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "8323beb9-8ba0-4292-9d7a-08da27b0c524",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "ed5f5244-a3e4-4bf7-895c-b49ef27ded46",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Compliance Manager Default Alert Policy",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Compliance Manager Default Alert Policy",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Compliance Manager Default Alert Policy",
        "DistinguishedName": "CN=Compliance Manager Default Alert Policy,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1650996940000)/",
        "WhenCreated": "/Date(1650996940000)/",
        "WhenChangedUTC": "/Date(1650996940000)/",
        "WhenCreatedUTC": "/Date(1650996940000)/",
        "ExchangeObjectId": "ed5f5244-a3e4-4bf7-895c-b49ef27ded46",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "CompromisedUnprovisionedTenantAccount"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "5ed2d687-9bd3-49e7-9b56-b7dc0d9af5cb",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "50e7139b-1e4f-43ed-90e3-ce2e4fc5a2cf",
        "Comment": "The majority of traffic related to unprovisioned domains from this tenant has been detected as suspicious and the tenant has been restricted from sending email with unregistered domains. Investigate any potentially compromised user/admins, new connectors, or open relays and contact support to unblock your tenant. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "8cbebf65-1f59-4fb9-69fe-08d77d2274e3",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "5ed2d687-9bd3-49e7-9b56-b7dc0d9af5cb",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant restricted from sending unprovisioned email",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant restricted from sending unprovisioned email",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Tenant restricted from sending unprovisioned email",
        "DistinguishedName": "CN=Tenant restricted from sending unprovisioned email,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1575949124000)/",
        "WhenCreated": "/Date(1575949124000)/",
        "WhenChangedUTC": "/Date(1575949124000)/",
        "WhenCreatedUTC": "/Date(1575949124000)/",
        "ExchangeObjectId": "5ed2d687-9bd3-49e7-9b56-b7dc0d9af5cb",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "CompromisedTenantAccount"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "a7032ff5-7eee-412b-805b-d1295c7e0932",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "e16d6517-4230-46e3-9514-4adf9c162d98",
        "Comment": "The majority of traffic from this tenant has been detected as suspicious and has resulted in a ban on sending ability for the tenant. Ensure that any compromises or open relays have been resolved, and then contact support through your regular channel. -V1.0.0.1",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "0b827916-3392-4b66-95d2-08d77d2277b5",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "a7032ff5-7eee-412b-805b-d1295c7e0932",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant restricted from sending email",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant restricted from sending email",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Tenant restricted from sending email",
        "DistinguishedName": "CN=Tenant restricted from sending email,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1575949128000)/",
        "WhenCreated": "/Date(1561479397000)/",
        "WhenChangedUTC": "/Date(1575949128000)/",
        "WhenCreatedUTC": "/Date(1561479397000)/",
        "ExchangeObjectId": "a7032ff5-7eee-412b-805b-d1295c7e0932",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.DeliveryStatus -eq \u0027Delivered\u0027) -and (Mail.Direction -eq \u0027Inbound\u0027) -and (Mail.IsOriginalDelivery -eq 1) -and (Mail.PhishConfidence -eq \u0027High\u0027) -and (Mail.FinalVerdictSource -eq \u0027Tenant\u0027) -and (Mail.TenantPolicyFinalVerdict -eq \u0027Allow\u0027) -and (Mail.TenantPolicyFinalVerdictSource -eq \u0027ConnPolicy\u0027) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Phish",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "8bd89c8d-1425-45ba-838a-e15fb89808d2",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "cab1e16d-c018-40aa-9bcd-0f507e952fb5",
        "Comment": "This alert fires when message containing phish was delivered due to an IP allow policy. -V1.0.0.3",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "ab280060-ce76-496a-b80b-08d90447fa2f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "8bd89c8d-1425-45ba-838a-e15fb89808d2",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phish delivered due to an IP allow policy",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phish delivered due to an IP allow policy",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Phish delivered due to an IP allow policy",
        "DistinguishedName": "CN=Phish delivered due to an IP allow policy,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1618956143000)/",
        "WhenCreated": "/Date(1612833207000)/",
        "WhenChangedUTC": "/Date(1618956143000)/",
        "WhenCreatedUTC": "/Date(1612833207000)/",
        "ExchangeObjectId": "8bd89c8d-1425-45ba-838a-e15fb89808d2",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Mail.TimeTravelResult -eq \u0027AdminPolicy_ZapDisabled\u0027) -and (Mail.PhishConfidence -eq \u0027High\u0027) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027PhishEdu\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027SecOps\u0027)) -and (-not (Mail.TenantPolicyFinalVerdictSource -eq \u0027ThirdPartyFiltering\u0027))",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Medium",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Mail",
        "ThreatType": "Phish",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Protection",
        "Scenario": "ProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "c2a1f0cd-a669-49bc-a22b-e501350935e3",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "4cfaefb2-b4bd-4306-becb-141044e80cd5",
        "Comment": "This alert fires when message containing phish was not zapped because ZAP is disabled -V1.0.0.4",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "833513aa-4d9c-486a-8799-08da850b1300",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "c2a1f0cd-a669-49bc-a22b-e501350935e3",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phish not zapped because ZAP is disabled",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Phish not zapped because ZAP is disabled",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Phish not zapped because ZAP is disabled",
        "DistinguishedName": "CN=Phish not zapped because ZAP is disabled,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1661261183000)/",
        "WhenCreated": "/Date(1661261183000)/",
        "WhenChangedUTC": "/Date(1661261183000)/",
        "WhenCreatedUTC": "/Date(1661261183000)/",
        "ExchangeObjectId": "c2a1f0cd-a669-49bc-a22b-e501350935e3",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "UploadDataFailed"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "cafdbfad-0084-4052-8371-ea098aab3f64",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "fe23dc56-038d-483c-a528-64d9d4ff6d34",
        "Comment": "New sensitive information failed to upload. Try again later. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "76562e91-8015-4439-1d5c-08d8d2b1117d",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "cafdbfad-0084-4052-8371-ea098aab3f64",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Failed exact data match upload",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Failed exact data match upload",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Failed exact data match upload",
        "DistinguishedName": "CN=Failed exact data match upload,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1613503721000)/",
        "WhenCreated": "/Date(1613503721000)/",
        "WhenChangedUTC": "/Date(1613503721000)/",
        "WhenCreatedUTC": "/Date(1613503721000)/",
        "ExchangeObjectId": "cafdbfad-0084-4052-8371-ea098aab3f64",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "OSTTakenDownForm"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "2d161684-8def-403c-9df6-f20c66c64161",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "6f6b38f4-718f-496e-8c4c-211509eb9eb4",
        "Comment": "A form created in Microsoft Forms from within your organization has been identified as phishing through Report Abuse and confirmed as phishing. -V1.0.0.2",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "a8d7a708-c782-4957-302f-08d8d2b1167f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "2d161684-8def-403c-9df6-f20c66c64161",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Form flagged and confirmed as phishing",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Form flagged and confirmed as phishing",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Form flagged and confirmed as phishing",
        "DistinguishedName": "CN=Form flagged and confirmed as phishing,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1613503730000)/",
        "WhenCreated": "/Date(1613503730000)/",
        "WhenChangedUTC": "/Date(1613503730000)/",
        "WhenCreatedUTC": "/Date(1613503730000)/",
        "ExchangeObjectId": "2d161684-8def-403c-9df6-f20c66c64161",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "TenantAllowBlockListItemExpiry"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "Informational",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "d063f1c3-572d-40ea-a32c-f339cab57a33",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "b50db3b4-fb66-4950-a7c0-389dd7d5b09d",
        "Comment": "A Tenant Allow/Block List entry will be removed due to expiration. -V1.0.0.0",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "03d61c76-dff0-4976-24fc-08d9880ba39e",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "d063f1c3-572d-40ea-a32c-f339cab57a33",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant Allow/Block List entry is about to expire",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Tenant Allow/Block List entry is about to expire",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Tenant Allow/Block List entry is about to expire",
        "DistinguishedName": "CN=Tenant Allow/Block List entry is about to expire,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1633443782000)/",
        "WhenCreated": "/Date(1633443782000)/",
        "WhenChangedUTC": "/Date(1633443782000)/",
        "WhenCreatedUTC": "/Date(1633443782000)/",
        "ExchangeObjectId": "d063f1c3-572d-40ea-a32c-f339cab57a33",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": null,
        "Operation": [
            "TenantExceedsThresholdEarlyAlert"
        ],
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "Activity",
        "ThreatType": "Activity",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "Activity",
        "Scenario": "AuditProtectionAlert",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "05b9e850-6d9d-4bab-a5c0-f54db2e7e887",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "9e6a79f3-b756-47a6-9a6c-3f82cce2a4f5",
        "Comment": "Suspicious sending patterns have been observed in your tenant, which may lead to your tenant being blocked from sending emails. Investigate any potentially compromised user and admin accounts, new connectors, or open relays to avoid tenant exceed threshold blocks. -V1.0.0.5",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "10fe9103-03b8-45b8-aece-08da9011fc82",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "05b9e850-6d9d-4bab-a5c0-f54db2e7e887",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious tenant sending patterns observed",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/Suspicious tenant sending patterns observed",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "Suspicious tenant sending patterns observed",
        "DistinguishedName": "CN=Suspicious tenant sending patterns observed,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1662473615000)/",
        "WhenCreated": "/Date(1662473615000)/",
        "WhenChangedUTC": "/Date(1662473615000)/",
        "WhenCreatedUTC": "/Date(1662473615000)/",
        "ExchangeObjectId": "05b9e850-6d9d-4bab-a5c0-f54db2e7e887",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    },
    {
        "PSComputerName": "ps.compliance.protection.outlook.com",
        "RunspaceId": "5938daad-9a3a-46ae-8138-2444871c1fe3",
        "PSShowComputerName": false,
        "Filter": "(Click.IsLookBack -eq 1)",
        "Operation": null,
        "LogicalOperationName": null,
        "NotificationEnabled": true,
        "NotifyUser": [
            "TenantAdmins"
        ],
        "Severity": "High",
        "Threshold": null,
        "VolumeThreshold": null,
        "ExternalScenarioData": null,
        "TimeWindow": null,
        "NotifyUserOnFilterMatch": false,
        "MergedRuleXml": null,
        "StreamType": "None",
        "ThreatType": "MaliciousUrlClick",
        "PrivacyManagementScopedSensitiveInformationTypes": null,
        "PrivacyManagementScopedSensitiveInformationTypesForCounting": null,
        "PrivacyManagementScopedSensitiveInformationTypesThreshold": null,
        "AlertBy": null,
        "AlertFor": null,
        "AlertScenario": "MaliciousUrlClick",
        "Scenario": "MaliciousUrlClick",
        "NotifyUserThrottleThreshold": null,
        "NotifyUserThrottleWindow": null,
        "NotifyUserSuppressionExpiryDate": null,
        "NotificationCulture": null,
        "AlertOverrideChangedUtc": null,
        "AggregationType": "None",
        "Category": "ThreatManagement",
        "IsSystemRule": true,
        "TagFilter": null,
        "UserTags": null,
        "RecipientTags": null,
        "SenderTags": null,
        "CustomProperties": null,
        "UseCreatedDateTime": null,
        "CorrelationPolicyId": "00000000-0000-0000-0000-000000000000",
        "ReadOnly": false,
        "ErrorMetadata": null,
        "ExternalIdentity": "",
        "ImmutableId": "a74bb32a-541b-47fb-adfd-f8c62ce3d59b",
        "Priority": 0,
        "Workload": "AuditAlerting",
        "Policy": "e9a4983d-9f4e-47b0-80d1-fb2097adb484",
        "Comment": "We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5",
        "Disabled": false,
        "Mode": "Enforce",
        "ObjectVersion": "775ba105-01ce-4457-6ef1-08da4322746f",
        "MaximumBlobRuleLength": 0,
        "CreatedBy": "",
        "LastModifiedBy": "",
        "Guid": "a74bb32a-541b-47fb-adfd-f8c62ce3d59b",
        "Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/A potentially malicious URL click was detected",
        "Id": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration/A potentially malicious URL click was detected",
        "IsValid": true,
        "ExchangeVersion": "0.20 (15.0.0.0)",
        "Name": "A potentially malicious URL click was detected",
        "DistinguishedName": "CN=A potentially malicious URL click was detected,CN=Configuration,CN=f00ed340-8f84-4eb4-83f3-0075a22b262e,OU=Microsoft Exchange Hosted Organizations,DC=FFO,DC=extest,DC=microsoft,DC=com",
        "ObjectCategory": null,
        "ObjectClass": [
            "msExchUnifiedRule"
        ],
        "WhenChanged": "/Date(1654014448000)/",
        "WhenCreated": "/Date(1551825883000)/",
        "WhenChangedUTC": "/Date(1654014448000)/",
        "WhenCreatedUTC": "/Date(1551825883000)/",
        "ExchangeObjectId": "a74bb32a-541b-47fb-adfd-f8c62ce3d59b",
        "OrganizationalUnitRoot": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e",
        "OrganizationId": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e - FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/f00ed340-8f84-4eb4-83f3-0075a22b262e/Configuration",
        "OriginatingServer": "",
        "ObjectState": "New"
    }
]

SharePoint 2.5
"DenyAddAndCustomizePages": 2

from scubagear.

tylermontneyacc avatar tylermontneyacc commented on May 24, 2024

Also, Azure 2.2 and 2.3 are in failure despite correct configuration ("0 policy(s) found").

{
"Conditions": {
    "Applications": {
        "ApplicationFilter": {
            "Mode": null,
            "Rule": null
        },
        "ExcludeApplications": [],
        "IncludeApplications": [
            "None"
        ],
        "IncludeAuthenticationContextClassReferences": [],
        "IncludeUserActions": []
    },
    "ClientAppTypes": [
        "all"
    ],
    "ClientApplications": {
        "ExcludeServicePrincipals": null,
        "IncludeServicePrincipals": null,
        "ServicePrincipalFilter": {
            "Mode": null,
            "Rule": null
        }
    },
    "DeviceStates": {
        "ExcludeStates": null,
        "IncludeStates": null
    },
    "Devices": {
        "DeviceFilter": {
            "Mode": null,
            "Rule": null
        },
        "ExcludeDeviceStates": null,
        "ExcludeDevices": null,
        "IncludeDeviceStates": null,
        "IncludeDevices": null
    },
    "Locations": {
        "ExcludeLocations": null,
        "IncludeLocations": null
    },
    "Platforms": {
        "ExcludePlatforms": null,
        "IncludePlatforms": null
    },
    "ServicePrincipalRiskLevels": [],
    "SignInRiskLevels": [
        "high"
    ],
    "UserRiskLevels": [
        "high"
    ],
    "Users": {
        "ExcludeGroups": [],
        "ExcludeGuestsOrExternalUsers": {
            "ExternalTenants": {
                "MembershipKind": null
            },
            "GuestOrExternalUserTypes": null
        },
        "ExcludeRoles": [],
        "ExcludeUsers": [
            "6fe9c54b-e0f3-4fdc-9ae8-94357118f8e5",
            "f564d888-511d-41d0-a9b3-f31fadf6f49f"
        ],
        "IncludeGroups": [],
        "IncludeGuestsOrExternalUsers": {
            "ExternalTenants": {
                "MembershipKind": null
            },
            "GuestOrExternalUserTypes": null
        },
        "IncludeRoles": [],
        "IncludeUsers": [
            "All"
        ]
    }
},
"CreatedDateTime": "/Date(1667409074074)/",
"Description": null,
"DisplayName": "Block High-Risk Actions",
"GrantControls": {
    "AuthenticationStrength": {
        "AllowedCombinations": null,
        "CombinationConfigurations": null,
        "CreatedDateTime": null,
        "Description": null,
        "DisplayName": null,
        "Id": null,
        "ModifiedDateTime": null,
        "PolicyType": null,
        "RequirementsSatisfied": null
    },
    "BuiltInControls": [
        "block"
    ],
    "CustomAuthenticationFactors": [],
    "Operator": "OR",
    "TermsOfUse": []
},
"Id": "a47a9287-6054-4017-a1ea-e8e4ad9581f0",
"ModifiedDateTime": "/Date(1669747440213)/",
"SessionControls": {
    "ApplicationEnforcedRestrictions": {
        "IsEnabled": null
    },
    "CloudAppSecurity": {
        "CloudAppSecurityType": null,
        "IsEnabled": null
    },
    "ContinuousAccessEvaluation": {
        "Mode": null
    },
    "DisableResilienceDefaults": null,
    "PersistentBrowser": {
        "IsEnabled": null,
        "Mode": null
    },
    "SignInFrequency": {
        "AuthenticationType": null,
        "FrequencyInterval": null,
        "IsEnabled": null,
        "Type": null,
        "Value": null
    }
},
"State": "enabled",
"AdditionalProperties": {}
}

from scubagear.

gdasher avatar gdasher commented on May 24, 2024

Thank you. We were able to identify a few bugs in the implementation of the Defender and SharePoint policy rules that will be fixed in the next release (bad assumptions on how to link policies and rules and a misunderstanding).

For Azure AD, it looks like your Conditional Access policy is not scoped to apply to all applications:

    "IncludeApplications": [
        "None"
    ],

As such, the tool doesn't consider it valid.

from scubagear.
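
The scoping check described in the reply above, as an added example (not part of the thread and not ScubaGear's own code). Only the `IncludeApplications` criterion comes from the reply; the other criteria, the second policy and the function names are assumptions made for illustration.

```python
import json

# Constructed input: the fields of the policy posted above that matter here,
# plus a hypothetical second policy scoped to all applications.
EXPORT = json.loads("""
[
  {"DisplayName": "Block High-Risk Actions", "State": "enabled",
   "Conditions": {"Applications": {"IncludeApplications": ["None"]},
                  "Users": {"IncludeUsers": ["All"]},
                  "UserRiskLevels": ["high"], "SignInRiskLevels": ["high"]},
   "GrantControls": {"BuiltInControls": ["block"]}},
  {"DisplayName": "Hypothetical all-apps policy", "State": "enabled",
   "Conditions": {"Applications": {"IncludeApplications": ["All"]},
                  "Users": {"IncludeUsers": ["All"]},
                  "UserRiskLevels": ["high"], "SignInRiskLevels": []},
   "GrantControls": {"BuiltInControls": ["block"]}}
]
""")


def scope_problems(policy, risk_key):
    """List the reasons `policy` would not count as a tenant-wide block on `risk_key`."""
    cond = policy.get("Conditions") or {}
    apps = (cond.get("Applications") or {}).get("IncludeApplications") or []
    users = (cond.get("Users") or {}).get("IncludeUsers") or []
    controls = (policy.get("GrantControls") or {}).get("BuiltInControls") or []
    problems = []
    if "All" not in apps:  # the criterion named in the reply above
        problems.append(f"IncludeApplications is {apps}, not ['All']")
    # The remaining criteria are assumptions made for this example.
    if policy.get("State") != "enabled":
        problems.append(f"State is {policy.get('State')!r}, not 'enabled'")
    if "All" not in users:
        problems.append(f"IncludeUsers is {users}, not ['All']")
    if "block" not in controls:
        problems.append(f"BuiltInControls is {controls}, lacks 'block'")
    if "high" not in (cond.get(risk_key) or []):
        problems.append(f"{risk_key} lacks 'high'")
    return problems


def report(policies, risk_key):
    """Map each policy's DisplayName to its list of problems (empty list = counts)."""
    return {p.get("DisplayName"): scope_problems(p, risk_key) for p in policies}


if __name__ == "__main__":
    for key in ("UserRiskLevels", "SignInRiskLevels"):
        print(key, json.dumps(report(EXPORT, key), indent=2))
```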

gdasher avatar gdasher commented on May 24, 2024

As far as providing feedback on the baseline goes, feel free to file it as a separate issue with the tag "baseline-document".

from scubagear.

tylermontneyacc avatar tylermontneyacc commented on May 24, 2024

> Thank you. We were able to identify a few bugs in the implementation of the Defender and SharePoint policy rules that will be fixed in the next release (bad assumptions on how to link policies and rules and a misunderstanding).
>
> For Azure AD, it looks like your Conditional Access policy is not scoped to apply to all applications:
>
>     "IncludeApplications": [
>         "None"
>     ],
>
> As such, the tool doesn't consider it valid.

I should've caught that. I notice now that there were separate instructions linked (either I didn't open it or read too fast).

from scubagear.

gdasher avatar gdasher commented on May 24, 2024

For the Defender 2.7 and 2.8 issues, the problem was that the tool incorrectly assumed that the "rule" and the "policy" have the same "Identity". This is the case for rules generated in the UI, but the underlying data model is more flexible and the tool wasn't capturing that.

So for now you can make the tool work by using the same "Identity" for both the rule and the policy, but this will be fixed in the upcoming release.

For SPO the situation is a bit different and we're still investigating the right solution.

from scubagear.
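
The rule-to-policy linking problem described in the comment above, as an added example (not part of the thread and not ScubaGear's own code). The sample data is constructed, and the `SafeLinksPolicy` field on each rule is an assumption about how the export names the policy a rule applies.

```python
# Constructed sample shaped like the "safe_links_policies" and "safe_links_rules"
# lists in ProviderSettingsExport.json. All names and values are made up.
# Assumption: each rule names its policy in a "SafeLinksPolicy" field.
EXPORT = {
    "safe_links_policies": [
        {"Identity": "UI-created policy", "EnableSafeLinksForEmail": True},
        {"Identity": "Strict links", "EnableSafeLinksForEmail": True},
    ],
    "safe_links_rules": [
        # Created in the UI: rule and policy share one Identity.
        {"Identity": "UI-created policy", "SafeLinksPolicy": "UI-created policy"},
        # Created separately: the rule has its own Identity.
        {"Identity": "All domains rule", "SafeLinksPolicy": "Strict links"},
    ],
}


def _policies_by_identity(export):
    return {p["Identity"]: p for p in export["safe_links_policies"]}


def link_by_identity(export):
    """Pair each rule with the policy of the same Identity (the faulty assumption)."""
    policies = _policies_by_identity(export)
    return {r["Identity"]: policies.get(r["Identity"])
            for r in export["safe_links_rules"]}


def link_by_reference(export, ref_field="SafeLinksPolicy"):
    """Pair each rule with the policy it names in `ref_field`."""
    policies = _policies_by_identity(export)
    return {r["Identity"]: policies.get(r.get(ref_field))
            for r in export["safe_links_rules"]}


def unlinked(pairs):
    """Rules for which no policy was found; these would be evaluated as unprotected."""
    return sorted(rule for rule, policy in pairs.items() if policy is None)


if __name__ == "__main__":
    print("by Identity :", unlinked(link_by_identity(EXPORT)))
    print("by reference:", unlinked(link_by_reference(EXPORT)))
```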
