Testing policy - Potential ransomware activity, nothing happens

Pavel yannara Mirochnitchenko 12,411 Reputation points MVP
2023-05-19T16:45:30.2466667+00:00

I am testing Cloud Apps Security and I want to launch potential threat in action. So the policy "Potential ransomware activity" is enabled for all users, computer is onboarded to Defender for Endpoint, and when I create locally .zyx file and copy it to OneDrive / Teams / Sharepoint, nothing happends. I would expect it would notify and suspend user but nothing. Activity and Governance log does not react on anything.

I started to study Cloud Apps just for now and what could be wrong? Services is running and integration with Defender for Endpoint is done. Maybe there is simplier rule I could try out?

User's image

Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
119 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. David Broggy 5,701 Reputation points MVP
    2023-05-19T17:50:20.02+00:00

    Hi Pavel,

    First I'd suggest you have your policy email you when triggered.

    You should be able to trigger this alert simply by renaming a file with the .xyz extension.

    Secondly, you won't get a user block unless you configure 'send alerts to power automate', and you have a power automate rule to block the user - that's more advanced to troubleshoot so I'd work on step #1 first.

    Finally, you should go into settings > cloud apps > app connectors and at least connect to M365 and Azure for your tests.

    And watch this video:
    https://www.youtube.com/watch?v=ABo0xipheJo&ab_channel=JacksonFelden-CloudandSecurity

    0 comments No comments

  2. Pavel yannara Mirochnitchenko 12,411 Reputation points MVP
    2023-05-20T10:19:22.0266667+00:00

    I see that renaming works, but not upload. While opening this thread, I only copied .zyx files from C: drive to Onedrive and got no reactions. Later tried renaming and account got locked and alerts generated. Why with upload no reaction?

    0 comments No comments