Alerting on OneDrive Deleted Item Activity

I had a customer recently raise some questions about how to provide further enhancements and protections around their OneDrive for Business deployments.  Suppose this scenario exists:

  • Users are site collection administrators over their OneDrive for Business sites (default configuration)
  • Retention policies are configured, but may only be configured to provide a very minimal amount of data protection (such as 90 days from creation or last modification of data) due to organizational legal compliance
  • No retention policies are in effect for the target data (as all the data we're concerned with is technically older than 90 day creation or last modified date)
  • Malicious or disgruntled user deletes OneDrive data
    • Deletes data in OneDrive
    • Empties recycle bin
    • Empties second stage recycle bin

At this point, for any data older than 90 days, it is lost.

As part of the data resiliency brief, we do perform twice-daily backups that are retained for 14 days.

14 days is not a whole lot of time from a recovery / resilience perspective.  If you find yourself in the need to recover a OneDrive site collection from malicious activity (be it intentional, accidental, or malware), you need to know about it as soon as possible.  So, here we are.

I've put together some steps that you can read, modify, adopt, or scoff at that will alert you to potentially malicious activity in your tenant.  You can learn more about alerts here: https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies.

Create an Activity Alert (Alert Policy)

The activity alert is based on detecting particular entries in the audit log.  You can configure an alert trap several types activites, and they are configurable via both the UI and PowerShell.

User Interface

  1. Navigate to the Security & Compliance Center Audit Log Search at https://protection.office.com | Search & Investigation | Audit Log Search.
  2. Select the following activities to search for:
    1. Deleted file from recycle bin
    2. Deleted file from second-stage recycle bin
    3. Deleted folder from recycle bin
    4. Deleted folder from second stage recycle bin
  3. Click Search.
  4. Click +New alert policy to create a new alert policy based on your selected activities.
  5. Fill out a name, description, and select a email recipient to receive the alert, and click Save.

PowerShell

If you’re connected to the Security & Compliance PowerShell, you can also create the new activity alert this way:

 New-ActivityAlert -Name "First and Second Stage Recycle Bin" -Operation @('filedeletedfirststagerecyclebin','filedeletedsecondstagerecyclebin','folderdeletedfirststagerecyclebin','folderdeletedsecondstagerecyclebin') -NotifyUser "admin@undocumentedfeatures.onmicrosoft.com" -Severity High -Disabled $false -Description "Notify when items are deleted from first or second stage recycle bin" -Type Custom

Create a Protection Alert

You can also create an alert that triggers at a certain threshold (say, when a user deletes 50 files in 60 minutes—60 minutes is the minimum alert time, up to 10,000 minutes).

User Interface

  1. Navigate to https://protection.office.com/#/alertpolicies (https://protection.office.com | Alerts | Alert policies).
  2. Select +New alert policy
  3. Name your policy, set an alert severity level and type.  I chose “Medium” and “Data governance.”  Click Next.
  4. Under Activity is, start typing “Delete” in the activity window, and select Deleted file.
  5. Select +Add condition and select Site Collection URL from the drop-down list.
  6. Enter your OneDrive site collection library root, and append a * to the path.  For example, if your tenant name is sometenant.onmicrosoft.om, your OneDrive site collection URL will be https:// sometenant-my.sharepoint.com/personal/ by default.  You’ll put https://sometenant-my.sharepoint.com/personal/* in the box.
  7. Select thresholds and click Next.
  8. Configure recipients and notification limits and click Next.
  9. Confirm and click Finish.

PowerShell

If you want to configure this alert via PowerShell, you can connect to the Security & Compliance Center Powershell endpoint and run the following:

 New-ProtectionAlert -Operation FileDeleted -Filter "Activity.SiteUrl -like 'https://<tenantname>-my.sharepoint.com/personal/*'" -NotifyUser <recipient@domain.com> -Severity Medium -Threshold 50 -TimeWindow 60 -ThreatType Activity -Description "Deleted Item Threshold exceeds 50 in an hour" -AggregationType SimpleAggregation -Category DataGovernance -Disabled $false -Name "Deleted Item Threshold Reached"

After the policies take effect, you'll begin receiving alerts when these potentially malicious activities hit your tenant.