Testing policy - Potential ransomware activity, nothing happens

Pavel yannara Mirochnitchenko 12,411 Reputation points MVP

I am testing Cloud Apps Security and I want to set a potential threat in action. So the policy "Potential ransomware activity" is enabled for all users, the computer is onboarded to Defender for Endpoint, and when I create a .zyx file locally and copy it to OneDrive / Teams / SharePoint, nothing happens. I would expect it to notify and suspend the user, but nothing. The Activity and Governance logs do not react to anything.

I started to study Cloud Apps just now, so what could be wrong? Services are running and the integration with Defender for Endpoint is done. Maybe there is a simpler rule I could try out?


2 answers

  1. David Broggy 5,701 Reputation points MVP

    Hi Pavel,

    First I'd suggest you have your policy email you when triggered.

    You should be able to trigger this alert simply by renaming a file with the .xyz extension.

    Secondly, you won't get a user block unless you configure 'send alerts to power automate', and you have a power automate rule to block the user - that's more advanced to troubleshoot so I'd work on step #1 first.

    Finally, you should go into settings > cloud apps > app connectors and at least connect to M365 and Azure for your tests.

    And watch this video:


  2. Pavel yannara Mirochnitchenko 12,411 Reputation points MVP

    I see that renaming works, but not upload. While opening this thread, I only copied .zyx files from the C: drive to OneDrive and got no reaction. Later I tried renaming, and the account got locked and alerts were generated. Why is there no reaction with upload?
