You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/anomaly-detection-policy.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -88,7 +88,7 @@ Defender for Cloud Apps supports "File Sandboxing" malware detection for the fol
88
88
### Activity from anonymous IP addresses
89
89
90
90
> [!NOTE]
91
-
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabledand renamed to **Activity from a TOR IP address**.
91
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Activity from a TOR IP address** and **Anonymous proxy activity**.
92
92
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
93
93
94
94
This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device's IP address, and may be used for malicious intent. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
@@ -107,7 +107,7 @@ The detection looks for users whose accounts were deleted in Microsoft Entra ID,
107
107
### Activity from suspicious IP addresses
108
108
109
109
> [!NOTE]
110
-
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Successful logon from a suspicious IP address**.
110
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Successful logon from a suspicious IP address**.
111
111
>
112
112
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
113
113
@@ -116,7 +116,7 @@ This detection identifies that users were active from an IP address identified a
116
116
### Suspicious inbox forwarding
117
117
118
118
> [!NOTE]
119
-
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious email forwarding rule created by third-party app**.
119
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email forwarding rule created by third-party app**.
120
120
>
121
121
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
122
122
@@ -128,15 +128,15 @@ This detection looks for suspicious email forwarding rules, for example, if a us
128
128
### Suspicious inbox manipulation rules
129
129
130
130
> [!NOTE]
131
-
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled.
131
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model.
132
132
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
133
133
134
134
This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This may indicate that the user's account is compromised, that messages are being intentionally hidden, and that the mailbox is being used to distribute spam or malware in your organization.
135
135
136
136
### Suspicious email deletion activity (Preview)
137
137
138
138
> [!NOTE]
139
-
> As part of ongoing improvements to Defender for Cloud Apps alert accuracy, this policy has been disabled and renamed to **Suspicious email deletion activity**.
139
+
> As part of ongoing improvements to Defender for Cloud Apps alert threat protection capabilities, this policy has been disabled, migrated to the new dynamic model and renamed to **Suspicious email deletion activity**.
140
140
>
141
141
> If you previously configured governance actions or email notifications for this policy, you can re-enable it at any time in the Microsoft Defender portal > Cloud Apps > Policy management page.
0 commit comments