CISA.MS.EXO.16.1 - Alerts SHALL be enabled.
Overview
At a minimum, the following alerts SHALL be enabled:
- Suspicious email sending patterns detected.
- Suspicious Connector Activity.
- Suspicious Email Forwarding Activity.
- Messages have been delayed.
- Tenant restricted from sending unprovisioned email.
- Tenant restricted from sending email.
- A potentially malicious URL click was detected.
Rationale: Potentially malicious or service-impacting events may go undetected without a means of detecting them. Setting up a mechanism that alerts administrators to the events listed above draws attention to them and helps minimize the impact on users and the agency.
Remediation action:
- Sign in to Microsoft 365 Defender.
- Under Email & collaboration, select Policies & rules.
- Select Alert Policy.
- Select the checkbox next to each alert the agency chooses to enable. At a minimum, enable the alerts referenced in the CISA M365 Security Configuration Baseline for Exchange Online:
  - Suspicious email sending patterns detected.
  - Suspicious connector activity.
  - Suspicious Email Forwarding Activity.
  - Messages have been delayed.
  - Tenant restricted from sending unprovisioned email.
  - Tenant restricted from sending email.
  - A potentially malicious URL click was detected.
- Click the pencil icon from the top menu.
- Select the Enable selected policies action from the Bulk actions menu.
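The same check can be scripted. The following is an added example, not Maester's own Test-MtCisaExoAlert, and it assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module), which is where Get-ProtectionAlert is available:

```powershell
# Added example (not Maester's Test-MtCisaExoAlert): report which of the
# CISA.MS.EXO.16.1 alert policies are missing or disabled in the tenant.
# Assumes Connect-IPPSSession has already been run in this session.

$requiredAlerts = @(
    'Suspicious email sending patterns detected',
    'Suspicious connector activity',
    'Suspicious Email Forwarding Activity',
    'Messages have been delayed',
    'Tenant restricted from sending unprovisioned email',
    'Tenant restricted from sending email',
    'A potentially malicious URL click was detected'
)

# Fetch every alert policy once rather than querying per name.
$policies = Get-ProtectionAlert

$results = foreach ($name in $requiredAlerts) {
    # -eq is case-insensitive, so casing differences in the names do not matter.
    $policy = $policies | Where-Object { $_.Name -eq $name }
    [pscustomobject]@{
        Alert   = $name
        Present = [bool]$policy
        Enabled = if ($policy) { -not $policy.Disabled } else { $false }
    }
}

$results | Format-Table -AutoSize

$failing = @($results | Where-Object { -not $_.Enabled })
if ($failing.Count -gt 0) {
    Write-Warning ("CISA.MS.EXO.16.1 FAIL: {0} of {1} required alerts are not enabled." -f $failing.Count, $requiredAlerts.Count)
    # A policy that is present but disabled can be re-enabled with:
    #   Set-ProtectionAlert -Identity '<policy name>' -Disabled $false
} else {
    Write-Output "CISA.MS.EXO.16.1 PASS: all required alerts are enabled."
}
```

A policy reported as not present cannot be enabled from the Bulk actions menu; it indicates the tenant lacks the licensing or feature that provides that built-in alert.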
Related links
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.16.1 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaExoAlert |
| Tags | CISA, CISA.MS.EXO.16.1, MS.EXO, MS.EXO.16.1 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaExoAlert.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaExoAlert.ps1