Level 1 Policies for ThreatSync+ SaaS — Microsoft 365

Applies To: ThreatSync+ SaaS

When you first set up ThreatSync+ SaaS with a Microsoft 365 integration, seven of nine Level 1 policies are enabled by default. We recommend that you monitor these policies for the first two weeks of Microsoft 365 monitoring and then tune your policies to meet the requirements of your organization.

Each section in this topic includes:

  • A description of a Level 1 policy
  • How the policy works to detect threats
  • How you can tune the policy to work more effectively in your network

For specific Level 1 policy details, go to these sections:

Anonymous File Activity

An anonymous user got access to files. This might be an attacker trying to encrypt or exfiltrate your data.

How it Works

Microsoft 365 logs indicate that a user got access to a file made available for public access through an anonymous link. Many users create anonymous links to easily allow people to access files without requiring them to use authorized logins and be explicitly granted permissions.

When these links are leaked to unauthorized users, data can be exposed.

If you do not allow users to share anonymous links, respond immediately to this alert, contact the person who shared the file, and enforce access control.

How to Tune

If you always allow users to share these types of links, you could deactivate this policy. If you want to allow users to share specific files, tune the policy to exclude specific file paths.

Internal Files Made Public

This policy generates alerts when internal files are made available to anyone on the Internet, which might expose files to an attacker who can try to exfiltrate your data.

How it Works

This policy generates alerts when a user creates an anonymous link for a file. This link can be shared with others to allow anonymous access. This alert helps you to eliminate unauthorized access before an attacker can exfiltrate data.

How to Tune

If you allow specific parts of your organization to create anonymous links, you can exclude them from this policy. If anyone in your organization can create anonymous links, you can deactivate this policy.

Internal Files Shared Externally

This policy generates alerts when an internal user in your organization shares internal files with an external user. External access to your data might represent a risk to the organization.

How it Works

ThreatSync+ SaaS learns the users in your Microsoft 365 domain and categorizes them into internal or external users. When you set up your SaaS integration with Microsoft 365, ThreatSync+ SaaS identifies internal users by the domains that you configure. ThreatSync+ SaaS also considers similar domain names to be internal.

For example, if your domain is mycompany.com, ThreatSync+ SaaS also considers users in the domain mycompany.on.microsoft.com to be internal users. When an internal user shares a file or folder in Microsoft 365 with an external user, ThreatSync+ SaaS generates a policy alert with details of the shared file, who shared it, and who they shared it with.

This policy requires a learning period to categorize internal users, who might come from various domains in your organization.
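The internal/external decision described above, as an added example (not WatchGuard code). The records are constructed, with field names modelled on the Microsoft 365 audit log, and the "similar domain" rule is an assumption because the page does not state how the product matches names.

```python
# Constructed sharing records (Operation, UserId, ObjectId, TargetUserOrGroupName).
EVENTS = [
    {"Operation": "SharingSet", "UserId": "ana@mycompany.com",
     "ObjectId": "/sites/hr/plan.docx", "TargetUserOrGroupName": "raj@mycompany.on.microsoft.com"},
    {"Operation": "SharingSet", "UserId": "ana@mycompany.com",
     "ObjectId": "/sites/hr/salaries.xlsx", "TargetUserOrGroupName": "partner@example.org"},
    {"Operation": "SharingSet", "UserId": "guest@example.org",
     "ObjectId": "/sites/ext/notes.txt", "TargetUserOrGroupName": "other@example.net"},
    {"Operation": "FileAccessed", "UserId": "ana@mycompany.com", "ObjectId": "/sites/hr/plan.docx"},
]

def domain_of(address):
    """Lower-cased domain part of a user principal name or e-mail address."""
    return address.rsplit("@", 1)[-1].lower()

def is_internal(address, internal_domains):
    """Internal if the domain is configured, a subdomain of one, or 'similar'.

    Assumption: 'similar' means the first DNS label equals a configured domain's
    first label (mycompany.com ~ mycompany.on.microsoft.com). That rule is broad,
    so review which domains end up classified as internal.
    """
    dom = domain_of(address)
    for cfg in (d.lower() for d in internal_domains):
        if dom == cfg or dom.endswith("." + cfg):
            return True
        if dom.split(".")[0] == cfg.split(".")[0]:
            return True
    return False

def external_share_alerts(events, internal_domains):
    """One alert per share from an internal user to an external recipient."""
    alerts = []
    for ev in events:
        if ev["Operation"] != "SharingSet":
            continue
        sharer, target = ev["UserId"], ev["TargetUserOrGroupName"]
        if is_internal(sharer, internal_domains) and not is_internal(target, internal_domains):
            alerts.append({"file": ev["ObjectId"], "shared_by": sharer, "shared_with": target})
    return alerts
```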

How to Tune

If you allow specific to share files to external domains, you can add exceptions in the policy definition.

Investigate this alert if your organization has a policy to not share files to external users. Take appropriate action such as, but not limited to, blocking the user or removing file permissions.

New Access IP Address

This policy generates an alert when a user connects to resources on your network from a new IP address. This could be a sign of internal malicious activity or account takeover.

How it Works

Whenever a user logs in to a Microsoft 365 domain and connects to resources, ThreatSync+ SaaS learns and creates a baseline of the IP addresses the requests originate from. When ThreatSync+ SaaS identifies a user who connects to a resource from an IP address that user has never logged in from before, ThreatSync+ SaaS generates this policy alert.

How to Tune

This policy generates alerts when users in your organization connect to resources from new places (for example, a coffee shop or customer site). This policy alert is helpful when your users only log in from a limited and consistent set of IP addresses on a regular basis. You can either deactivate this policy or add exceptions to exclude a certain set of users.

New Access Location

This policy generates an alert when a user connects to resources on your network from a new location. This could be a sign of internal malicious activity or account takeover.

How it Works

When a user logs in to a Microsoft 365 domain and connects to resources, ThreatSync+ SaaS learns and creates a baseline of the geographic locations the requests originate from. When a user connects to a resource from a location they have never logged in from before, ThreatSync+ SaaS generates a policy alert.
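A per-user "never seen before" baseline of the kind the New Access IP Address and New Access Location sections describe, as an added example (not WatchGuard code). The sign-in records are constructed; the 14-day per-user learning period and the pre-resolved `Country` field are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=14)  # assumption: per-user learning window

# Constructed sign-ins; UserId, ClientIP and CreationTime follow the Microsoft 365
# audit log, Country is an assumed geolocation field resolved upstream.
EVENTS = [
    {"CreationTime": "2024-03-01T08:02:11", "UserId": "ana@mycompany.com", "ClientIP": "198.51.100.10", "Country": "US"},
    {"CreationTime": "2024-03-05T08:10:00", "UserId": "ana@mycompany.com", "ClientIP": "198.51.100.11", "Country": "US"},
    {"CreationTime": "2024-03-20T08:05:00", "UserId": "ana@mycompany.com", "ClientIP": "198.51.100.10", "Country": "US"},
    {"CreationTime": "2024-03-21T09:15:00", "UserId": "ana@mycompany.com", "ClientIP": "203.0.113.77", "Country": "US"},
    {"CreationTime": "2024-03-22T03:40:00", "UserId": "ana@mycompany.com", "ClientIP": "192.0.2.45", "Country": "BR"},
    {"CreationTime": "2024-03-23T03:41:00", "UserId": "ana@mycompany.com", "ClientIP": "192.0.2.45", "Country": "BR"},
    {"CreationTime": "2024-03-22T10:00:00", "UserId": "raj@mycompany.com", "ClientIP": "198.51.100.10", "Country": "US"},
]

def find_new_values(events, field, learning_period=LEARNING_PERIOD):
    """Alert when a user shows a `field` value never seen for that user.

    Each user's first `learning_period` only builds the baseline, so a newly
    onboarded user does not alert on day one. After that, an unseen value
    raises one alert and is then added to the baseline.
    """
    baseline = defaultdict(set)   # user -> values seen so far
    first_seen = {}               # user -> time of first event
    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        when = datetime.fromisoformat(ev["CreationTime"])
        user, value = ev["UserId"].lower(), ev[field]
        learning_ends = first_seen.setdefault(user, when) + learning_period
        if value not in baseline[user] and when >= learning_ends:
            alerts.append((ev["CreationTime"], user, field, value))
        baseline[user].add(value)
    return alerts
```

Run with `field="ClientIP"` for the IP policy and `field="Country"` for the location policy; the same sign-in can trigger one, both, or neither.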

How to Tune

This policy generates alerts when users in your organization connect to resources from new locations (for example, a coffee shop or customer site). This policy alert is helpful when your users only log in from a limited and consistent set of geographic locations on a regular basis. You can either deactivate this policy or add exceptions to exclude specific users.

Possible Brute Force Account Access Attempt

This policy generates alerts when a user tries and fails to log in to resources on your network multiple times.

How it Works

ThreatSync+ SaaS monitors failed logins to Microsoft 365 and continuously builds a baseline of acceptable, benign failure activity. When login failures counted over a 30-minute period exceed the baseline, ThreatSync+ SaaS generates an alert.

Malicious users trigger this policy when they have stolen user names and repeatedly try to log in with different passwords.

How to Tune

If you want to generate fewer alerts, you can tune this policy and adjust the alert sensitivity of the Alert Severity Scale in the policy configuration.

If you increase the scale to a higher value, the detection is less sensitive and will generate fewer alerts. For more information, go to Edit the Policy Alert Severity Scale.
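A sliding 30-minute failed-login count compared against a learned baseline, as an added example of the check this section describes (not WatchGuard code). The events and history are constructed, and the baseline formula and the `scale` multiplier are assumptions standing in for the product's baseline and Alert Severity Scale.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=30)  # the 30-minute period named in the policy text

def fail_event(user, hhmmss):
    return {"Operation": "UserLoginFailed", "UserId": user, "CreationTime": f"2024-03-22T{hhmmss}"}

# Constructed audit records: a typo, a rapid burst, and slow hourly failures.
EVENTS = (
    [fail_event("ana@mycompany.com", t) for t in ("08:01:00", "08:01:20")]
    + [fail_event("raj@mycompany.com", f"02:{m:02d}:00") for m in range(10, 18)]
    + [fail_event("lee@mycompany.com", f"{h:02d}:00:00") for h in range(9, 15)]
    + [{"Operation": "UserLoggedIn", "UserId": "ana@mycompany.com", "CreationTime": "2024-03-22T08:01:40"}]
)
HISTORY = [0, 1, 0, 2, 1, 0, 0, 1]  # constructed past per-window failure counts

def threshold(history, scale=3.0):
    """Assumed baseline: mean + scale * stddev, with the stddev floored at 1."""
    return mean(history) + scale * max(pstdev(history), 1.0)

def brute_force_alerts(events, history, scale=3.0):
    """Return (user, time, count) for the first window where failures exceed the baseline."""
    failures = defaultdict(list)
    for ev in events:
        if ev["Operation"] == "UserLoginFailed":
            failures[ev["UserId"].lower()].append(datetime.fromisoformat(ev["CreationTime"]))
    limit = threshold(history, scale)
    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # drop failures older than 30 minutes
                start += 1
            count = end - start + 1
            if count > limit:
                alerts.append((user, t.isoformat(), count))
                break                          # one alert per user per batch
    return alerts
```

With `scale=3.0` only the eight-failures-in-eight-minutes burst alerts; the six hourly failures never share a window, and raising `scale` to 10.0 suppresses the burst as well.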

Suspicious Access Location

This policy generates an alert when a user connects to resources on your network from a suspicious location. This could be a sign of internal malicious activity or account takeover.

How it Works

ThreatSync+ SaaS monitors the source location of all user logins and creates a baseline. When a user logs in from a location which is significantly different from the baseline location, ThreatSync+ SaaS generates an alert. If a user does not have enough activity to generate a reliable baseline, ThreatSync+ SaaS uses a baseline for the organization instead. If that user logs in from a location which is significantly different from other user locations, ThreatSync+ SaaS generates an alert.

How to Tune

If you want to generate fewer alerts, you can tune this policy and adjust the alert sensitivity of the Alert Severity Scale in the policy configuration.

If you increase the scale to a higher value, the detection is less sensitive and will generate fewer alerts. For more information, go to Edit the Policy Alert Severity Scale.

Suspicious Access Time

This policy generates an alert when a user connects to resources on your network at a suspicious time. This could be a sign of internal malicious activity or account takeover.

How it Works

ThreatSync+ SaaS monitors the time of the day and days of the week that a user logs in and creates a baseline. When user logins significantly deviate from the baseline, ThreatSync+ SaaS generates an alert.

How to Tune

If you want to generate fewer alerts, you can tune this policy and adjust the alert sensitivity of the Alert Severity Scale in the policy configuration.

If you increase the scale to a higher value, the detection is less sensitive and will generate fewer alerts. For more information, go to Edit the Policy Alert Severity Scale.

Suspicious Rate of File Activity

A suspicious rate of file creation, deletion, or modification is detected. This might occur when an attacker encrypts your files with ransomware or exfiltrates your files.

How it Works

ThreatSync+ SaaS monitors file activity by user and creates a baseline for each user to track a wide range of file activities. When user file activity (modification, deletion, or creation) deviates from current baselines, ThreatSync+ SaaS generates the alert. This policy can help prevent ongoing ransomware attacks.

How to Tune

If you want to generate fewer alerts, you can tune this policy and adjust the alert sensitivity of the Alert Severity Scale in the policy configuration.

If you increase the scale to a higher value, the detection is less sensitive and will generate fewer alerts. For more information, go to Edit the Policy Alert Severity Scale.

There are multiple ways to tune this policy to focus on specific types of anomalies or restrict alerts to include or exclude specific locations, files, and users.

Because this policy can generate alerts for over 100 specific types of file-related alerts, it is often beneficial to separate this policy into multiple policy definitions that generate alerts for different types of file activity. You can adjust the Alert Severity Scale or other filters such as location or file names for each policy.

Related Topics

Configure ThreatSync+ Policies

Policy Tuning

ThreatSync+ NDR Level 1 Policies

Manage ThreatSync+ Zones