Simplest way to be notified that a client has been compromised. (O365)

thecomputerguy

Well-Known Member
Reaction score
1,487
When a client gets compromised it's almost always the same story.

Link Clicked, Token Stolen, Logs with bad logins showing "previously satisfied", Rules configured, client is then notified by one of their clients they have been hacked.

Client notifies me.

I tried setting up an alert policy in security.microsoft.com to notify me when an Inbox-Rule is created but that option does not exist. The only option is to notify when a user creates a forward/redirect of mail.

This seems like such a trivial function I can't believe it isn't easier to configure.

My clients all use Business Standard/Business Premium

How can I be better notified when a client is compromised when FIDO keys & CA policies requiring Intune-registered compliant devices aren't an option?

@YeOldeStonecat @Sky-Knight
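Since the canned alert policy covers only forwarding/redirect rules, one way to close the gap the post describes is to poll the unified audit log yourself for inbox-rule creation and changes, and flag the hide-and-delete / forward patterns. The script below is an added example for this thread, not code from the original post or from Microsoft; it uses the real ExchangeOnlineManagement cmdlets (Connect-ExchangeOnline, Search-UnifiedAuditLog) and assumes that New-InboxRule/Set-InboxRule audit records carry a "Parameters" array of Name/Value pairs. UpdateInboxRules records (rule edits from Outlook desktop) have a different payload shape and are only surfaced for manual review. The folder names and the "blank rule name" heuristic are assumptions based on commonly seen BEC rules, not something the thread states.

```powershell
# Added example (not from the original post): poll the M365 unified audit log for
# inbox-rule activity and flag the patterns typical of a mailbox compromise.
# Needs the ExchangeOnlineManagement module and a role that can read the audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$lookbackHours = 24                       # schedule the script to match this window
$end   = Get-Date
$start = $end.AddHours(-$lookbackHours)

# Rule changes via OWA/PowerShell (New-/Set-InboxRule) and via Outlook desktop (UpdateInboxRules)
$operations = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules'

# Rule actions that keep the victim from seeing replies, or that exfiltrate mail
$hideActions    = 'DeleteMessage', 'MarkAsRead', 'MoveToFolder'
$forwardActions = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $operations -ResultSize 5000 |
    Sort-Object Identity -Unique          # the cmdlet can return duplicate rows

$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json

    if ($r.Operations -eq 'UpdateInboxRules') {
        # Outlook desktop rule edits: payload is not a Parameters array, so just surface it
        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            ClientIP  = $d.ClientIP
            Operation = $d.Operation
            RuleName  = '(Outlook client rule change)'
            Flags     = 'ReviewManually'
            Detail    = $r.AuditData
        }
        continue
    }

    # Collapse the Name/Value array into a hashtable for easy lookup
    $p = @{}
    foreach ($param in $d.Parameters) { $p[$param.Name] = $param.Value }
    $ruleName = if ($p.ContainsKey('Name')) { $p['Name'] } else { $p['Identity'] }

    $flags = @()
    if ($hideActions    | Where-Object { $p.ContainsKey($_) }) { $flags += 'HidesMail' }
    if ($forwardActions | Where-Object { $p.ContainsKey($_) }) { $flags += 'ForwardsMail' }
    # Assumed heuristics: attackers often park mail in rarely-viewed folders and use blank/punctuation rule names
    if ($p.ContainsKey('MoveToFolder') -and $p['MoveToFolder'] -match 'RSS|Archive|Conversation History|Junk') { $flags += 'OddFolder' }
    if ($p.ContainsKey('Name') -and $p['Name'] -match '^[\s.,]*$') { $flags += 'BlankName' }

    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $d.Operation
        RuleName  = $ruleName
        Flags     = ($flags -join ',')
        Detail    = ($p.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
}

# All rule activity in the window, then only the rows worth waking someone up for
$findings | Sort-Object Time | Format-Table Time, User, ClientIP, Operation, RuleName, Flags -AutoSize
$alerts = $findings | Where-Object { $_.Flags }
if ($alerts) {
    # Hand the flagged rows to whatever notifies you: helpdesk mailbox, ticketing, Teams webhook, SIEM
    $alerts | Export-Csv -NoTypeInformation -Path "inbox-rule-alerts-$(Get-Date -Format yyyyMMdd-HHmm).csv"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a scheduled task under an account with audit-log read rights (or an app registration with certificate auth on Connect-ExchangeOnline) and feed the CSV or the $alerts objects into the notification channel you already use for the built-in alert policies. Note that audit events can lag by some time after the rule is created, so the lookback should overlap the schedule interval, and that the New-InboxRule record also gives you the ClientIP, which is often the quickest way to tell a user tidying their inbox from an attacker on a foreign VPS.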
Yeah the built-in alerts ...from Defender...Email & Collab...Policies & Rules...Alert Policies.....those aren't bad.. Used those in the old days, sort of like a "poor man's SIEM" ...we'd have it fire off emails to our helpdesk email address.

And I can't believe the canned alert for "Creation of forwarding/redirect rule" is not at least 2 bars red..it's all gray like it's minimal...heh.
Although its counterpart..nearly similar rule..."Suspicious Email Forwarding Activity"..is all 3 bars red.

There is a rule called "Email messages removed after delivery" which is close....covers a little bit of that gap.

But yeah we lean on the stack of tools now .....Huntress ITDR..and even Augmentt does lots of this.