Testing policy - Potential ransomware activity, nothing happens

Pavel yannara Mirochnitchenko 12,381 Reputation points MVP
2023-05-19T16:45:30.2466667+00:00

I am testing Cloud Apps Security and I want to launch a potential threat in action. So the policy "Potential ransomware activity" is enabled for all users, the computer is onboarded to Defender for Endpoint, and when I create a .zyx file locally and copy it to OneDrive / Teams / SharePoint, nothing happens. I would expect it to notify and suspend the user, but nothing. The Activity and Governance logs do not react to anything.

I started to study Cloud Apps just now, so what could be wrong? The services are running and the integration with Defender for Endpoint is done. Maybe there is a simpler rule I could try out?


Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.

2 answers

  1. David Broggy 5,701 Reputation points MVP
    2023-05-19T17:50:20.02+00:00

    Hi Pavel,

    First I'd suggest you have your policy email you when triggered.

    You should be able to trigger this alert simply by renaming a file with the .xyz extension.

    Secondly, you won't get a user block unless you configure 'send alerts to Power Automate', and you have a Power Automate rule to block the user - that's more advanced to troubleshoot so I'd work on step #1 first.

    Finally, you should go into settings > cloud apps > app connectors and at least connect to M365 and Azure for your tests.

    And watch this video:
    https://www.youtube.com/watch?v=ABo0xipheJo&ab_channel=JacksonFelden-CloudandSecurity


  2. Pavel yannara Mirochnitchenko 12,381 Reputation points MVP
    2023-05-20T10:19:22.0266667+00:00

    I see that renaming works, but not upload. While opening this thread, I only copied .zyx files from the C: drive to OneDrive and got no reactions. Later I tried renaming and the account got locked and alerts were generated. Why is there no reaction with upload?
