eDiscovery

Office 365 Security & Compliance Center eDiscovery – Part 1: Overview of Content Search and Core eDiscovery

This entry is part 1 of 4 in the series Getting the most out of Office 365 Search

Part of my role over the last few years has been educating customers about how Office 365 eDiscovery works.  While we have lots of documentation on how things work, we don’t have a whole lot actually showing what it looks like in action (to know if you’re doing it right).… [ Continue reading ]

Configuration

DLP for Bitcoin Addresses

One of the up-and-coming combination phish-ransom attacks is to trick the mark into thinking that you’ve got access to their data, and then get them to send money to a Bitcoin address to protect them from data leakage.  You can create a DLP rule in the Office 365 Security & Compliance Center (or an Exchange Online transport rule) to try to combat this.… [ Continue reading ]

Configuration

Migrating from Exchange Online eDiscovery and In-Place Hold to the Security & Compliance Center

One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center.  Our direction has been to either let them age out or manually recreate them the Security & Compliance Center.… [ Continue reading ]

Configuration

Alerting on OneDrive Deleted Item Activity

I had a customer recently raise some questions about how to provide further enhancements and protections around their OneDrive for Business deployments.  Suppose this scenario exists:

  • Users are site collection administrators over their OneDrive for Business sites (default configuration)
  • Retention policies are configured, but may only be configured to provide a very minimal amount of data protection (such as 90 days from creation or last modification of data) due to organizational legal compliance
  • No retention policies are in effect for the target data (as all the data we’re concerned with is technically older than 90 day creation or last modified date)
  • Malicious or disgruntled user deletes OneDrive data
    • Deletes data in OneDrive
    • Empties recycle bin
    • Empties second stage recycle bin

At this point, for any data older than 90 days, it is lost.… [ Continue reading ]

Configuration

Looky, looky! Custom sensitive information types with even more customitivity!

So, of course, as soon as I finish up posting a few entries (here and here), we go and release a new UI to help you get it done on your own!

You can do most of the effort of creating a data classification here, although if you want to use any of our built in functions (such as credit card Luhn check), you’ll need to export/modify/import, use the sensitive information type package that I created (referenced earlier) or use one of our native DLP classifications.… [ Continue reading ]

Configuration

Sensitive Information Types–now with more sensitivity!

UPDATE: The file link for this post has been updated.

So, this is an entry that has been long in the making.  I have had several customers over the last few years give feedback about our Data Loss Prevention’s (DLP) matching requirements, mostly around how they require too much corroborating evidence (in the form of patterns or keywords) to meet their organization’s very restrictive policies.… [ Continue reading ]

Information

Update to the Get-UserHoldPolicies tool

While working with a customer last week, it came to my attention that the Get-UserHoldPolicies script I had put together to enumerate retention policies and eDiscovery cases that put a hold on content wasn’t displaying policies that were global.  The types of policies I checked for were enumerated in a user’s InPlaceHolds mailbox property, but apparently, that field is populated only if a Security & Compliance retention policy explicitly specifies the mailbox.… [ Continue reading ]

Identity

Let’s Go Phishing – Spear Phishing, That Is

Over the last few weeks, we’ve released some great new features for Office 365 Advanced Threat Protection users.  The Attack Simulator has three core components, each of which I’ll cover in a series:

  • Spear Phishing (Credential Harvest)
  • Brute Force Password (Dictionary Attack)
  • Password Spray Attack

For this post, I want to focus on the Spear Phishing campaign.… [ Continue reading ]