▶️ MDS Modal improvement

The mobile devices and applications modal in the security dashboard has been revamped. We’ve added intuitive icons and revised the text for each device, providing clearer insights into active synchronizations on applications.

▶️ E-mail and Teams Bot notifications change

The new device notifications have been improved in order to be easily understood by the recipient :

▶️ User Lifecycle “test a user” option

A new “Test a User” button has been added in the Operation > User lifecycle menu, enabling  customer admins to test and identify which rules match a user’s email address.

▶️ New start date option of available countries

To facilitate alert management, we’ve introduced a start date feature on country settings. Now, if an end-user is expected to travel to a country outside their usual location, admins can proactively add the country with a delayed start date. This prevents unnecessary alerts when the user connects from the new location.

Note that admins will only have to set the days of connection, and not the hours

▶️ Improved User Permissions Visibility

Users can now easily identify permissions by displaying email addresses under each username when the email is not yet available, preventing confusion between homonyms or external email addresses :

▶️ Call-to-Action Remediation Modals Enhancement

We’ve made the call-to-action remediation modals more accessible, by making them lighter with only essential elements for an improved user experience.

▶️ Viva Engage available in MyDataSecurity

In line with recent changes, we’ve updated the name of the feature on our application from “Yammer” to “Engage.”

▶️ Bug fixes

We’ve addressed various bugs related to search files and persistent operations after successful remediations on locations.

▶️ Expert platform enhancement

On the monitoring tab, we’ve added a “Last Sync Date” column for all shares on a file server.

▶️ Permission Explorer update

Users can now customize columns with the “Date of Last Synchronization” option in the “Customized Columns” menu.

▶️ General Overview

For users with more than 100 collaborative resources, we’ve added a light-mode display, presenting the Sharepoint sites list as a table format. This improvement will significantly improve the loading time of the MDS pages.

▶️ Expert Platform Enhancements:

Delete a File Server:

Manage file servers efficiently with a new feature in the Expert platform, allowing the removal of file servers.

Delete a LEM in Monitoring/Machines:

Similar to file servers, efficiently manage machines and Distant LEM with a feature to remove machines.

Improvement of the Premium alert management process:

• To simplify the alerts follow up, the state filter “pending” evolves in Expert to target “awaiting change” and “awaiting feedback” status. The pending state will be available only if the resource service is Premium. A notification will be sent to alert AMT/ Security Team that the user has report an anomaly.
• The state filter “pending” evolves in Expert to have “awaiting change” state and “awaiting feedback”. The pending state will be available only if the service is set to Premium.
  A notification will be sent to alert AMT/ Security Team that the user has report an anomaly.

▶️ Outlook tab

• 2 new attention points have been introduced on the Outlook tab :
  • The “send as” permissions set on the user’s mailbox

• • Inbox rules with emails deletion set on the user’s mailbox.

In addition, the points of attention for inbox rules are now grouped in the “Sensitive inbox rules” section : you will find here the rules folded by category (Unconditional email deletion, Conditional email deletion, External forwarding)

• For a better clarity, the “Folders” tab has been deleted

▶️ Home page : operations history

• Simplification of the operations history display :

Operation History is now consolidated into a single, easily accessible page rather than a specific modal, providing a more user-friendly interface and an easier access to information.

• Users can now track the history of their profile validations. This update allows users to conveniently identify the last time they validated their profile, promoting better profile management and accountability. NB : If the “hide my attention points” is enabled for your tenant, this will also appear in the general history.

▶️ Filers tab

• Users can now browse the members within the groups with granted permissions

To facilitate management of sharing permissions associated with groups, users has now the visibility on the group members before removing granted permissions. Users can now review the group members they are about to remove, enabling more informed decision-making and preventing accidental removal of permissions.

▶️ General overview

• A new configuration setting is now available : customize default calendar settings permitted by your organization. This feature allows administrators to specify calendar default sharing settings within the organization (e.g. can “view titles and locations”), preventing the triggering of unnecessary attention points. In addition, a user will not be able to decrease the sharing setting below the configured level.

▶️ General overview

In order to keep up to date with our customers user bases, we are bringing improvements to the way IDECSI manages the continuous protection process of resources :

• Any user who doesn’t match the scope of an active automatic protection rule will have his resources unprotected and will be moved to a dedicated IDECSI Org Unit
• As soon as a user’s Entra ID (former Azure AD) account is disabled or deleted in the customer tenant, his resources will be unprotected and he will be moved to a dedicated IDECSI Org Unit

No actions are needed from the customers to set up this process. This will be handled by your customer success manager.

▶️ General overview

• On MyDataSecurity :  the “operation in progress” tag displayed after a remediation requested on Outlook will now disappear as soon as the operation is done, following the current workflow of remediation tags for OneDrive, Sharepoint, Teams, Yammer and Filers.
• On MyDataSecurity : Previously masked attention points concerning shared sensitive items will not reappear when a new sensitive item is shared

▶️ Global overview

▶️ Global overview

• For a smoother experience, we have enabled the multi selection of Organisation Units in Idecsi Expert interface for available operations (campaigns, protections, audits, etc..)

▶️ Global overview

• In MyDataSecurity : Just like on his mailbox, Teams or Sharepoint sites, a user is able to perform remediation on his fileshare resources to remove some unwanted permissions

• In the Permission Explorer interface : admins are now able to remove permissions given to a group or a user on an item (file / folder / fileshare)

▶️ Global overview

New datasets and PowerBI dashboards are available for IDECSI admins, allowing for a better follow up of the deployment on your tenant.

Here are some examples of new data available in the reports :

Please contact your customer success manager for further information.

▶️ Several UX and functional improvements have been made to the IDECSI Teams Bot

More Teams notifications were added to support other alert types :

All the alerts notifications are now also available in the auto-close mode

▶️ Function overview

The Search function enables users to quickly find sensitive shared files or a specific file and delete the permissions granted on it.

This search bar replaces the filter bar on user name.

📒Note: The search bar is ONLY available on a desktop. On a mobile, the search function is a filter on a username (old search).

Search bar

The Search bar is always available on the header of the MyDataSecurity application, on all screens (except the support screen).

By default, clicking on the search bar will display a quick search links with predefined list of filters :

• Files shared with anyone with link
• Files shared with the whole company

If clicked it will redirected the user on the results page  with filters applied (like files with anonymous links)

Results page

Results page table

The result page shows only items with unique permissions, and not those with direct permissions or share links inherited from a folder or document library, as explained in the banner.

Filters

A search function is added at the top of the table, enabling the user to add filters and better find files.

Filters are cumulative, so several filters can be added together.

Detailed file page

When clicking on one of the file from the results page, it opens a File page (or Folder page).

To remove permission, the user can click on the permission to remove it.

By default, only owners will be assigned as manager in IDECSI applications.

• From August, deactivated users or users who lose the ownership of a collaborative resources will be removed of the management
• An option will enable admin in Expert or end-users in MyDataSecurity to assign manually a non owner user). In this case, the manager will not be removed automatically except if he is deactivated

▶️ Reminder : Automatically reassign a resource if the user loses his / her owner rights

Here are the list of cases of losing automatically the management of the resource:

• As a user, I will lose the management of a resource if I lose the Ownership of the resource (from MS or from MDS removal). A new manager will be assigned with the Auto-import process (take the first owner in the list given from Microsoft)
• As a user, I will lose the management of a resource if my account is deactivated. A new manager will be assigned with the Auto-import process.
• If no Owner exists, no manager will be assigned. Normally this case should not happen as the last owner cannot be removed;

▶️ New : Manually assign or remove a new manager of the ressource (owner or user) on Expert platform

As an admin in Expert, I want to manually assign or remove resources to other owners or other users.

Function overview

With the release 4.57, we implemented the ability for any customer admininistrator with access to the Expert application to reassign or remove the manager of the ressource.

Where to find it ?

In order to do so, open the resource page whose manager you want to detach, and click on the arrow button next to the owner name:

A new modal appears with the ability to either :

• select a new manager from the list of owners,
• select a new manager from the list of users.
• Remove the current owner

• A color: green, orange, red
• An icon from the list of icons available in MyDataSecurity
• A title and a message (in markdown: with formatting, adding link and image possible)

Note 1:  banner mechanism will also be used in the future to display personalized messages for users (either manually by the administrators or automatically).

Note 2: As for other customizations, the banner can be scoped on Users, Instances, or Organization Units.

• Labels considered as “sensitive” will always be displayed in red
• Other labels will be displayed in grey

• (coming soon) Owner of the shared or private channel if applicable
• Microsoft 365 Group Owner if applicable
• SharePoint site owner
• Member of a group with Full Control rights on the SharePoint site
• User with Full Control rights on the SharePoint site
• Site Collection Administrator

• Users belonging to an automatic operation policy with a high priority level will be evaluated first
• Among these users, potential Business Owners will be prioritized according to their rights level:
  • (coming soon) Owner of the shared or private channel if applicable
  • Microsoft 365 Group Owner if applicable
  • SharePoint site owner
  • Member of a group with Full Control rights on the SharePoint site
  • User with Full Control rights on the SharePoint site
  • Site Collection Administrator
• Among these users, the first user given by the protected collaboration platform will be selected to be Business Owner

• Display of a red dot at the level of the files concerned by a point of attention

• When a user reports an access made from a new country, the country is hidden and the Operation done label no longer appears. The country report is still present in the Operations History.
• Add the date of last access for a country
• The “Operation done” labels no longer appear for countries reported to the security teams

• Merge of the View and Remove tabs in the different modal windows
• Modal windows are now centered at the page level
• When a security group is not yet collected, we precise it instead of writing that it is empty.

• Image or color for the background
• Between 1 or 5 links
• Each link must meet the different criteria: title with less than 50 characters, url
• An icon can be set for each link among a predefined list. It is possible to add new icon from the Fontawesome base, but not a customized image. Note that the supported version of Fontawesome is the v5.

• Title: Hide my points of attention
• Configuration modal: You are about to hide your points of attention. This means that all of the risky items listed below are legitimate (including permissions on your mailbox, sharing links, sharing of sensitive data, and different countries of connection).
• Confirmation button: Confirm
• Confirmation modal: All the points of attention are considered legitimate

• Avoid the multiplication of OUs with a very fine mesh to meet the needs of administration, customization of uses, and security policies.
• Grouping of people independently of their belonging to an entity or an IT local (e.g.: France country, all members of the Finance departments).

• Actual Organization Unit Id
• Actual Organization Unit Full Name
• Expected Organization Unit Id
• Expected Organization Unit Full name
• User I2A Id
• User I2A Full name
• UPN
• Display Name
• Provider Instance Id
• Provider Instance Name
• Provider Type
• Resource Name
• Result
• Current Status
• Expected Status

• The number of attention points displayed for each resource is hidden, in preference to a red dot positioned on the resource icon
• The translations have been improved
• The button “Browse all” on the home page was removed, and the browsing per category was improved.

• The operations history was improved.
• A global operations history is now available on the home page.

• The label “Operation done” is progressively removed for the users for which a permission was removed on a specific document
• All resources are now collapsed by default (except if there is only one resource)

• Expert
• MyDataSecurity
• Permission Explorer

• Environment: Provider Instance (ex: Office 365 – Intranet, Office 365 – Mailbox)
• Operation type: Automatic or Manual
• Identity: Identity used in the operation (ex: user principal name for automatic operations)
• Creation date min
• Creation date max
• Status: Pending, In progress, Partial, Complete, Cancelled, Failed

It is now possible to collect Directory Attributes, in addition to Extension attributes (1-15) from Azure AD for each user (except Open Extension, Schema Extension, Custom Security Attributes).

Please note: Custom attributes are configurable via a support request only today. Evolution will be planned during the first half of 2023 to propose an interface to define the custom attributes to collect.

For example, the Manager id is now collected from Azure AD users. Also, the “EmployeeType” and “OfficeLocation” fields are collected for all Azure AD tenants and will now be displayed in Permission Explorer.

Protection and Audit jobs ran from the “Operations” menu are now automatically retried 3 times every 20 minutes to workaround Microsoft API behavior in case of failure and before giving the “failed” status available to I2A Administrators.

Any risky configurations or overexposed data are now highlighted within a new section “Warnings” at the beginning of My Profile and in the menu with badges.

Expanding the Warnings section will show related details

This feature is configurable so please contact your Client Success Manager if you wan’t to add it.

We added a new button into the MyProfile page. It can be used to provide a link to your knowledge base, online help or user guide.

It allows customisation of
– its icon
– its URL target

Please feel free to contact your Client Success team in order to customise this change.

IDECSI’s platform now collects metadata from Microsoft Information Protection in order to display sensitivity “labels” per file. It offers several use cases :

• Sensitivity information is given to the end user in the context of its usage, which helps to pinpoint faster potentially sensitive and overexposed data.

• Identify shared sensitive files and their permissions across the whole monitored environment

• Alert on actions involving sensitive data (new share, new permission, new access, …)
• Audit and alert on any change made by an admin regarding sensitivity labels thru Microsoft Office 365 Compliance dashboard

Technical view of the configuration object storing labels configuration. The object is permanently audited, any change or tentative of compromise could rise an alert.

• Audit any user labelling activities onto files

Please feel free to contact your Client Success Team or your Sales Engineer.

We are now able to block an Azure Active Directory user account as incident response to an alert (i.e : impossible travel, simultaneous access).

SharePoint sites displayed to MyProfile users now integrate “Lists” as part of the SharePoint site hierarchy.

Company, Anonymous, Guest links created with OneDrive, Teams or SharePoint as well Exchange’s default permission object, are now highlighted in red.

This feature is customisable to your internal policy (for instance if you consider such case is part of your organisation’s best practices).

Below is a sample of OneDrive and Mailbox view :

Please feel free to reach your Client Success team.

In order to provide security teams additional visibility on the protected resources and their activity, we developed a new section on the Expert platform on which you can monitor the dates of the last activities on the resources.

This feature is particularly interesting if you want to know if there are unused resources among those which are collected by IDECSI.

In order to access the new section, click on the “Monitoring” link on the left as showed in the image; then apply the filters for a more precise research.

Once the research is done, you can also export it to .csv format by clicking on the export button.

There are several scenarios for which O365 administrators have to interact with user’s resources, and for security teams it’s sometimes difficult to obtain information about admin’s actions when needed;  so we have improved our capability to detect O365 Administrators operations in order to help you.

You can now decide to be alerted, or flag as safe, some operations made by admins, thanks to a new option added on the “Username” condition when create a policy.

Please feel free to reach out your Client Success Manager if you need help to deploy rules or to update the existing ones.

All the IDECSI products are finally available in german.

By changing the communication language in german, all the IDECSI products (Expert Platform, MyProfile, Alert Answer, …) will be translated, and all the communication support as well.

We improved our protection system allowing IDECSI administrators to start the protection of the main resources of the Office365 suite.

If you want to start protecting a user’s mailbox, you can select two additional options allowing you to add the OneDrive and AzureAD resources as well.

Thanks to valuable feedback from our customers, a few bugs have been fixed and some visual or performance improvements have been made.

If you want to make suggestions about our product, you can use our Fetaure Requests page here: https://extranet.idecsi.com/feature-requests/

In order to improve our customer experience for end users deployments, we now provide to our customers the possibility to close opened alerts after a certain time automatically. So the user is no longer required to answer systematically, as the alerts with no answer will be automatically closed, and users can focus on alerts which require their attention.

This feature is fully configurable, you can either decide to close an alert after one or more reminders are sent for the same alert, or after a defined time-frame.

This option is available on users access and users configuration alerts, not on global configuration alerts and alerts raised from user’s feedback (Invalid state report).

The alerts automatically closed will be considered as valid on the IDECSI platform and the event which have triggered the alert as legitimate.

As the feature is inactive by default, we invite you to contact your Client Success Manager for implementation.

Learning phase is one of the key features of the IDECSI platform, as it provides a unique profile for each protected user, based on its accesses and configuration.

So we decided to make this procedure more flexible, allowing you to restart a learning phase for users in an easier and configurable way.

On the user’s Summary page, simply click on the icon as in the image below:

Then select the start date and for how many days you want the data to be considered for the profile creation.

Our engine will analyze the datasets provided for the time-frame, and create the profile accordingly, removing all the obsolete rules, devices and permission for the user, and creating new ones.

If a notification rule has been set up for users to receive a MyProfile email at the end of the learning phase, a notification will be sent at the end of each learning phase. Please contact your Customer Success Manager if you need assistance.

We really believe that the Data Collected page provides real value to our customers in terms of visibility and forensics on the O365 events, so we are improving this module to make your life as simple as possible.

Two additional filters have been added, allowing you to filter Collected Data by IP address or IP Origin.

This new feature provide an interface where customers can manage their MyProfile campaigns and set up several parameters for automatic send of MyProfile emails. You can access this from the “Operation” section in your Expert platform.

We invite you to contact your Client Success Manager for the implementation of your first campaign.

In order to provide to our customers visibility on alert’s activity on IDECSI, we now provide a data flow, which can be consulted on PowerBI.

For now, we are able to provide information on Users, Alerts and Applications.

For more information, please contact a member of the Client Success team.

In a context where SharePoint libraries are automatically protected by IDECSI, you can now define a user by default to which these libraries will be attached to.

The SharePoint libraries can be consulted on the user’s Summary page and MyProfile.

Once attached to the user’s profile, it will be possible to reassign those libraries to other users directly from the Expert platform or MyProfile.

End users can now update their general information (email, phone number, timezone, …) directly from their MyProfile.

In I2A some types of alerts are related to Configuration Objects. (Inbox Rules, Applications Permissions, Sharing Set, …)

When you close an alert related to one of these objects, they will be automatically collected and updated, providing you the latest version of it instantly, instead of waiting the scheduled daily collection.

Since end-users can access their data through MyProfile, and report an anomaly such as an old delegation, it’s important that their profile is constantly updated, especially if the change is originated by their feedback.

Due to the fact that mobile devices are nomads by design and can switch network and localization very quickly and unpredictably, we decided to exclude the logs related to these from the calculations for the Geo-localization.

By doing this, we improved our Geo-localization by focusing on reliable sources of information, increasing the precision of all the rules related to this such as the “Move too Fast” and “Simultaneous“.

This update provides general graphic and wording improvements and more details about the protected resources such as the Owners list of a SharePoint library or more details on each Exchange permission.

Customers can now customize colors of MyProfile web page. Check this with your Client Success Manager for more information.

If you have suggestions and ideas about MyProfile and IDECSI in general, please submit it to our “Feature Request” page: https://extranet.idecsi.com/feature-requests/

It’s very important to have visibility on SharePoint libraries, but it’s very hard to track all the membership and ownership for each library.

End-users can now inform the team in charge to whom belongs the SharePoint Library for which they’ve been assigned as owners, simply by clicking the button “not belong to me” and selecting another person from the list.

If the owner of the SharePoint Library do not appear in the list, they can still search it in the “Search for another user” section and it will be reported to the people involved.

In case the SharePoint Library is not used anymore, they can report it by clicking the “Delete” button. (It won’t delete the SharePoint Library of course, but just inform the people in charge)

When a user accidentally activates the “Folder Visible” option on his mailbox on its Default Permission, it might generate several false positives alerts based on accesses, due to Microsoft activity on the resource. 
 
These are not real accesses, as it’s not possible to access the mailbox only by activating the “Folder Visible” option without assigning a higher permission (author, owner, reader, …); that’s why now IDECSI mask these accesses and will not generate the delegate on the MyProfile page of the user.

When a user opens an alert from its SMS/Email link, and this one have been previously closed, it will display with a new green header informing the user that no action is required.

Since IDECSI can now collect more configuration objects from different types of resources (Mailbox, OneDrive, Teams, Sharepoint, …) we created a search bar in the Expert Platform for the names of the configuration objects so customers can easily find a specific one without having to filter on the type/name of the resource.

In the past, the IDECSI platform used to create Permissions for delegates accessing the protected resources by analyzing the accesses in the last three weeks. So if a legitimate delegate didn’t access during this period, no Permission would have been created. 
 
The system has evolved and now their Permissions are created based on the accesses AND the configuration objects, specifically all the delegates found in the “Mailbox Folder Permission”. 
This will avoid false positives based on the fact that if a legitimate delegate access a protected resource AFTER the creation of the Permissions, this will trigger an alert.

It’s now possible to set up a notification rule pour end-users, allowing them to receive a notification when a new comment on their alert is made, or when an alert has been closed by someone else. (Security Team, assistant, …)
 
Deploying this allows you to create a direct link between end-users and security teams, as they can both receive notification when a new comment is made on an alert.

Please note that this is an optional feature and it won’t be activated by default.

You can now customize the headers of all our products (MyProfile, Alert Answer, Expert platform, OnePage Report) with a logo and a name:

The header can be also customized on all the emails sent by IDECSI.

To deploy these customizations thank you to contact your Client Success Manager.

Idecsi has deployed the automatic import of delegates (users which do not benefit from continuous protection such as personal assistants and service accounts) in order to strenghten the protection around the protected users by preventing accesses made by compromised delegates accounts.

Now you can set up rules in order to be alerted in the event of a delegate’s connection to a protected resource from unusual countries or unusual protocol. (IMAP/POP/…)

At the end of the learning phase, all the delegates which had accessed to a protected resource during the learning phase will be automatically imported by IDECSI and a profile created for each.

All the delegates will be imported by default in the company OU (root).
In case you prefer that your delegates are imported into a different OU,  you can ask your Client Succes Manager to change it.

IDECSI is now able to detect when a login to Office 365 fails. If it occurs from an unusual country, it will appear on  MyProfile for the I2A administrators.

However, this information will not appear for the End-Users consulting their MyProfile.

Please note that a country from which we detected a failed login will never be registered as “Usual Country” on the IDECSI platform.

For Office 365 environments, a new alert rule has been deployed on the Global resources which monitor the brute force attacks.

If someone fails accessing its Office 365 account more than one time in a determined period (6 hours by default), IDECSI will alert you instantly.

At the end of the learning phase, the end-user will receive the link to the MyProfile page.

Once he has confirmed that all the information are correct, the IDECSI platform will automatically update the profile based on all information validated by the user. In case of an anomaly reported by the user, no update will be made for the related information.

The system will automatically create permissions for legitimate delegates, it will register legitimate mobile devices and usual countries.

When a Mailbox Folder Permission right which have been previously assigned is downgraded, IDECSI do no longer send an alert for this type of configuration change.

Ex. VIP 1 previously assigned Owner rights on his calendar for Delegate 1. VIP 1 decides to switch the right level from Owner to Author.

This would usually trigger an alert because of the configuration change, but as the Author right is inferior to the Owner right, it won’t happen.

In terms of security, downgrading a right is rarely dangerous for a protected user.

To prevent end-users to receive alerts which are non-relevant and for which it would be impossible for them to answer, some of the logs collected by IDECSI are now flagged as “technical“.  (Ex. access made by local admin accounts or by Microsoft service accounts)

In the “Usual Countries” menu, you have now the possibility to select all the countries and easily remove all of them:

It’s now possible to select a group of countries per continent:

A button now allows you to reset the filters on the screen of the collected data.
A new filter has been added allowing to filter logs from a specific country. The drop-down list appears by clicking “Open Advanced Search”.

When a resource is displayed, it is now specified the instance of the latter, allowing them to be distinguished. Icons have been added to provide one-click access to the collected data and administration objects of the displayed resource.

It is now possible to add a custom logo to OnePage reports.

In order to do this, please provide a logo in png 300px * 100px format to your Idecsi contact.

Until now, when a new sharing was done on a resource (One Drive, SharePoint, Teams, etc…) or a new delegation configured on an email, the I2A platform issued two separate alerts:  

• An alert for a change of rights or new sharing 
• An access alert, the first time the beneficiary of the sharing or delegation accessed the resource. 

I2A is now able to merge the two operations in order to avoid issuing the access alert.

The security team can now configure the creation of an alert as soon as a new application accesses a protected resource (for example LinkedIn that accesses your contacts)

Among the choices of the “Connected user” predicate present, the “an application” option is added. If this option is configured, an alert will be generated in case of access by any third party application to the resources.

If a mailbox is disabled in Exchange, protection within I2A for the same resource will be disabled automatically, so it’s no longer necessary to wait for the information and manually disable the protection in I2A.

In email notifications for an “Unusual Access” alert you will now find the country predicate among the available information, allowing you to have an additional element regarding the context of the event that generated the alert.

Improved automatic telephone number retrieval in I2A.

Fixed bug concerning the “Role groups” field when exporting to the “Users” section of I2A.

In Azure AD, alerts following the addition of applications or the addition of permissions for applications

For Azure AD groups, alerts in the event of addition or modification of permissions for a linked protected resource (eg. adding an owner in Teams)

Alerts following changes in SharePoint and OneDrive sharing policies (eg. allowing anonymous sharing on the tenant)

Alerts following E-Discovery actions via Content-Search

Separation of SharePoint / OneDrive sharing alerts into internal / external subtypes

Taking into account the expiration date of anonymous sharing in SharePoint / OneDrive (if the user closes an alert regards time-limited anonymous sharing, new anonymous sharing after the time limit will be alerted)

Updated text in alerts for protected users

Richer modification and stopping options for learning, protection, Permanent Audit or Audit.

Addition of Azure AD groups and their members to OnePage and Excel audit reports for SharePoint

For SharePoint lists associated with an Azure AD group (via Teams), we will attempt to link the resource to one of the owners of the group

Improvement of the “repeated actions” predicate (eg LoginFailed on Azure AD resource)

Added expiration date for usual countries (as an option).

• A color: green, orange, red
• An icon from the list of icons available in MyDataSecurity
• A title and a message (in markdown: with formatting, adding link and image possible)

Note 1:  banner mechanism will also be used in the future to display personalized messages for users (either manually by the administrators or automatically).

Note 2: As for other customizations, the banner can be scoped on Users, Instances, or Organization Units.

• Labels considered as “sensitive” will always be displayed in red
• Other labels will be displayed in grey

• (coming soon) Owner of the shared or private channel if applicable
• Microsoft 365 Group Owner if applicable
• SharePoint site owner
• Member of a group with Full Control rights on the SharePoint site
• User with Full Control rights on the SharePoint site
• Site Collection Administrator

• Users belonging to an automatic operation policy with a high priority level will be evaluated first
• Among these users, potential Business Owners will be prioritized according to their rights level:
  • (coming soon) Owner of the shared or private channel if applicable
  • Microsoft 365 Group Owner if applicable
  • SharePoint site owner
  • Member of a group with Full Control rights on the SharePoint site
  • User with Full Control rights on the SharePoint site
  • Site Collection Administrator
• Among these users, the first user given by the protected collaboration platform will be selected to be Business Owner

• Display of a red dot at the level of the files concerned by a point of attention

• When a user reports an access made from a new country, the country is hidden and the Operation done label no longer appears. The country report is still present in the Operations History.
• Add the date of last access for a country
• The “Operation done” labels no longer appear for countries reported to the security teams

• Merge of the View and Remove tabs in the different modal windows
• Modal windows are now centered at the page level
• When a security group is not yet collected, we precise it instead of writing that it is empty.

• Image or color for the background
• Between 1 or 5 links
• Each link must meet the different criteria: title with less than 50 characters, url
• An icon can be set for each link among a predefined list. It is possible to add new icon from the Fontawesome base, but not a customized image. Note that the supported version of Fontawesome is the v5.

• Title: Hide my points of attention
• Configuration modal: You are about to hide your points of attention. This means that all of the risky items listed below are legitimate (including permissions on your mailbox, sharing links, sharing of sensitive data, and different countries of connection).
• Confirmation button: Confirm
• Confirmation modal: All the points of attention are considered legitimate

• Avoid the multiplication of OUs with a very fine mesh to meet the needs of administration, customization of uses, and security policies.
• Grouping of people independently of their belonging to an entity or an IT local (e.g.: France country, all members of the Finance departments).

• Actual Organization Unit Id
• Actual Organization Unit Full Name
• Expected Organization Unit Id
• Expected Organization Unit Full name
• User I2A Id
• User I2A Full name
• UPN
• Display Name
• Provider Instance Id
• Provider Instance Name
• Provider Type
• Resource Name
• Result
• Current Status
• Expected Status

• The number of attention points displayed for each resource is hidden, in preference to a red dot positioned on the resource icon
• The translations have been improved
• The button “Browse all” on the home page was removed, and the browsing per category was improved.

• The operations history was improved.
• A global operations history is now available on the home page.

• The label “Operation done” is progressively removed for the users for which a permission was removed on a specific document
• All resources are now collapsed by default (except if there is only one resource)

• Expert
• MyDataSecurity
• Permission Explorer

• Environment: Provider Instance (ex: Office 365 – Intranet, Office 365 – Mailbox)
• Operation type: Automatic or Manual
• Identity: Identity used in the operation (ex: user principal name for automatic operations)
• Creation date min
• Creation date max
• Status: Pending, In progress, Partial, Complete, Cancelled, Failed

It is now possible to collect Directory Attributes, in addition to Extension attributes (1-15) from Azure AD for each user (except Open Extension, Schema Extension, Custom Security Attributes).

Please note: Custom attributes are configurable via a support request only today. Evolution will be planned during the first half of 2023 to propose an interface to define the custom attributes to collect.

For example, the Manager id is now collected from Azure AD users. Also, the “EmployeeType” and “OfficeLocation” fields are collected for all Azure AD tenants and will now be displayed in Permission Explorer.

Protection and Audit jobs ran from the “Operations” menu are now automatically retried 3 times every 20 minutes to workaround Microsoft API behavior in case of failure and before giving the “failed” status available to I2A Administrators.

Any risky configurations or overexposed data are now highlighted within a new section “Warnings” at the beginning of My Profile and in the menu with badges.

Expanding the Warnings section will show related details

This feature is configurable so please contact your Client Success Manager if you wan’t to add it.

We added a new button into the MyProfile page. It can be used to provide a link to your knowledge base, online help or user guide.

It allows customisation of
– its icon
– its URL target

Please feel free to contact your Client Success team in order to customise this change.

IDECSI’s platform now collects metadata from Microsoft Information Protection in order to display sensitivity “labels” per file. It offers several use cases :

• Sensitivity information is given to the end user in the context of its usage, which helps to pinpoint faster potentially sensitive and overexposed data.

• Identify shared sensitive files and their permissions across the whole monitored environment

• Alert on actions involving sensitive data (new share, new permission, new access, …)
• Audit and alert on any change made by an admin regarding sensitivity labels thru Microsoft Office 365 Compliance dashboard

Technical view of the configuration object storing labels configuration. The object is permanently audited, any change or tentative of compromise could rise an alert.

• Audit any user labelling activities onto files

Please feel free to contact your Client Success Team or your Sales Engineer.

We are now able to block an Azure Active Directory user account as incident response to an alert (i.e : impossible travel, simultaneous access).

SharePoint sites displayed to MyProfile users now integrate “Lists” as part of the SharePoint site hierarchy.

Company, Anonymous, Guest links created with OneDrive, Teams or SharePoint as well Exchange’s default permission object, are now highlighted in red.

This feature is customisable to your internal policy (for instance if you consider such case is part of your organisation’s best practices).

Below is a sample of OneDrive and Mailbox view :

Please feel free to reach your Client Success team.

In order to provide security teams additional visibility on the protected resources and their activity, we developed a new section on the Expert platform on which you can monitor the dates of the last activities on the resources.

This feature is particularly interesting if you want to know if there are unused resources among those which are collected by IDECSI.

In order to access the new section, click on the “Monitoring” link on the left as showed in the image; then apply the filters for a more precise research.

Once the research is done, you can also export it to .csv format by clicking on the export button.

There are several scenarios for which O365 administrators have to interact with user’s resources, and for security teams it’s sometimes difficult to obtain information about admin’s actions when needed;  so we have improved our capability to detect O365 Administrators operations in order to help you.

You can now decide to be alerted, or flag as safe, some operations made by admins, thanks to a new option added on the “Username” condition when create a policy.

Please feel free to reach out your Client Success Manager if you need help to deploy rules or to update the existing ones.

All the IDECSI products are finally available in german.

By changing the communication language in german, all the IDECSI products (Expert Platform, MyProfile, Alert Answer, …) will be translated, and all the communication support as well.

We improved our protection system allowing IDECSI administrators to start the protection of the main resources of the Office365 suite.

If you want to start protecting a user’s mailbox, you can select two additional options allowing you to add the OneDrive and AzureAD resources as well.

Thanks to valuable feedback from our customers, a few bugs have been fixed and some visual or performance improvements have been made.

If you want to make suggestions about our product, you can use our Fetaure Requests page here: https://extranet.idecsi.com/feature-requests/

In order to improve our customer experience for end users deployments, we now provide to our customers the possibility to close opened alerts after a certain time automatically. So the user is no longer required to answer systematically, as the alerts with no answer will be automatically closed, and users can focus on alerts which require their attention.

This feature is fully configurable, you can either decide to close an alert after one or more reminders are sent for the same alert, or after a defined time-frame.

This option is available on users access and users configuration alerts, not on global configuration alerts and alerts raised from user’s feedback (Invalid state report).

The alerts automatically closed will be considered as valid on the IDECSI platform and the event which have triggered the alert as legitimate.

As the feature is inactive by default, we invite you to contact your Client Success Manager for implementation.

Learning phase is one of the key features of the IDECSI platform, as it provides a unique profile for each protected user, based on its accesses and configuration.

So we decided to make this procedure more flexible, allowing you to restart a learning phase for users in an easier and configurable way.

On the user’s Summary page, simply click on the icon as in the image below:

Then select the start date and for how many days you want the data to be considered for the profile creation.

Our engine will analyze the datasets provided for the time-frame, and create the profile accordingly, removing all the obsolete rules, devices and permission for the user, and creating new ones.

If a notification rule has been set up for users to receive a MyProfile email at the end of the learning phase, a notification will be sent at the end of each learning phase. Please contact your Customer Success Manager if you need assistance.

We really believe that the Data Collected page provides real value to our customers in terms of visibility and forensics on the O365 events, so we are improving this module to make your life as simple as possible.

Two additional filters have been added, allowing you to filter Collected Data by IP address or IP Origin.

This new feature provide an interface where customers can manage their MyProfile campaigns and set up several parameters for automatic send of MyProfile emails. You can access this from the “Operation” section in your Expert platform.

We invite you to contact your Client Success Manager for the implementation of your first campaign.

In order to provide to our customers visibility on alert’s activity on IDECSI, we now provide a data flow, which can be consulted on PowerBI.

For now, we are able to provide information on Users, Alerts and Applications.

For more information, please contact a member of the Client Success team.

In a context where SharePoint libraries are automatically protected by IDECSI, you can now define a user by default to which these libraries will be attached to.

The SharePoint libraries can be consulted on the user’s Summary page and MyProfile.

Once attached to the user’s profile, it will be possible to reassign those libraries to other users directly from the Expert platform or MyProfile.

End users can now update their general information (email, phone number, timezone, …) directly from their MyProfile.

In I2A some types of alerts are related to Configuration Objects. (Inbox Rules, Applications Permissions, Sharing Set, …)

When you close an alert related to one of these objects, they will be automatically collected and updated, providing you the latest version of it instantly, instead of waiting the scheduled daily collection.

Since end-users can access their data through MyProfile, and report an anomaly such as an old delegation, it’s important that their profile is constantly updated, especially if the change is originated by their feedback.

Due to the fact that mobile devices are nomads by design and can switch network and localization very quickly and unpredictably, we decided to exclude the logs related to these from the calculations for the Geo-localization.

By doing this, we improved our Geo-localization by focusing on reliable sources of information, increasing the precision of all the rules related to this such as the “Move too Fast” and “Simultaneous“.

This update provides general graphic and wording improvements and more details about the protected resources such as the Owners list of a SharePoint library or more details on each Exchange permission.

Customers can now customize colors of MyProfile web page. Check this with your Client Success Manager for more information.

If you have suggestions and ideas about MyProfile and IDECSI in general, please submit it to our “Feature Request” page: https://extranet.idecsi.com/feature-requests/

It’s very important to have visibility on SharePoint libraries, but it’s very hard to track all the membership and ownership for each library.

End-users can now inform the team in charge to whom belongs the SharePoint Library for which they’ve been assigned as owners, simply by clicking the button “not belong to me” and selecting another person from the list.

If the owner of the SharePoint Library do not appear in the list, they can still search it in the “Search for another user” section and it will be reported to the people involved.

In case the SharePoint Library is not used anymore, they can report it by clicking the “Delete” button. (It won’t delete the SharePoint Library of course, but just inform the people in charge)

When a user accidentally activates the “Folder Visible” option on his mailbox on its Default Permission, it might generate several false positives alerts based on accesses, due to Microsoft activity on the resource. 
 
These are not real accesses, as it’s not possible to access the mailbox only by activating the “Folder Visible” option without assigning a higher permission (author, owner, reader, …); that’s why now IDECSI mask these accesses and will not generate the delegate on the MyProfile page of the user.

When a user opens an alert from its SMS/Email link, and this one have been previously closed, it will display with a new green header informing the user that no action is required.

Since IDECSI can now collect more configuration objects from different types of resources (Mailbox, OneDrive, Teams, Sharepoint, …) we created a search bar in the Expert Platform for the names of the configuration objects so customers can easily find a specific one without having to filter on the type/name of the resource.

In the past, the IDECSI platform used to create Permissions for delegates accessing the protected resources by analyzing the accesses in the last three weeks. So if a legitimate delegate didn’t access during this period, no Permission would have been created. 
 
The system has evolved and now their Permissions are created based on the accesses AND the configuration objects, specifically all the delegates found in the “Mailbox Folder Permission”. 
This will avoid false positives based on the fact that if a legitimate delegate access a protected resource AFTER the creation of the Permissions, this will trigger an alert.

It’s now possible to set up a notification rule pour end-users, allowing them to receive a notification when a new comment on their alert is made, or when an alert has been closed by someone else. (Security Team, assistant, …)
 
Deploying this allows you to create a direct link between end-users and security teams, as they can both receive notification when a new comment is made on an alert.

Please note that this is an optional feature and it won’t be activated by default.

You can now customize the headers of all our products (MyProfile, Alert Answer, Expert platform, OnePage Report) with a logo and a name:

The header can be also customized on all the emails sent by IDECSI.

To deploy these customizations thank you to contact your Client Success Manager.

Idecsi has deployed the automatic import of delegates (users which do not benefit from continuous protection such as personal assistants and service accounts) in order to strenghten the protection around the protected users by preventing accesses made by compromised delegates accounts.

Now you can set up rules in order to be alerted in the event of a delegate’s connection to a protected resource from unusual countries or unusual protocol. (IMAP/POP/…)

At the end of the learning phase, all the delegates which had accessed to a protected resource during the learning phase will be automatically imported by IDECSI and a profile created for each.

All the delegates will be imported by default in the company OU (root).
In case you prefer that your delegates are imported into a different OU,  you can ask your Client Succes Manager to change it.

IDECSI is now able to detect when a login to Office 365 fails. If it occurs from an unusual country, it will appear on  MyProfile for the I2A administrators.

However, this information will not appear for the End-Users consulting their MyProfile.

Please note that a country from which we detected a failed login will never be registered as “Usual Country” on the IDECSI platform.

For Office 365 environments, a new alert rule has been deployed on the Global resources which monitor the brute force attacks.

If someone fails accessing its Office 365 account more than one time in a determined period (6 hours by default), IDECSI will alert you instantly.

At the end of the learning phase, the end-user will receive the link to the MyProfile page.

Once he has confirmed that all the information are correct, the IDECSI platform will automatically update the profile based on all information validated by the user. In case of an anomaly reported by the user, no update will be made for the related information.

The system will automatically create permissions for legitimate delegates, it will register legitimate mobile devices and usual countries.

When a Mailbox Folder Permission right which have been previously assigned is downgraded, IDECSI do no longer send an alert for this type of configuration change.

Ex. VIP 1 previously assigned Owner rights on his calendar for Delegate 1. VIP 1 decides to switch the right level from Owner to Author.

This would usually trigger an alert because of the configuration change, but as the Author right is inferior to the Owner right, it won’t happen.

In terms of security, downgrading a right is rarely dangerous for a protected user.

To prevent end-users to receive alerts which are non-relevant and for which it would be impossible for them to answer, some of the logs collected by IDECSI are now flagged as “technical“.  (Ex. access made by local admin accounts or by Microsoft service accounts)

In the “Usual Countries” menu, you have now the possibility to select all the countries and easily remove all of them:

It’s now possible to select a group of countries per continent:

A button now allows you to reset the filters on the screen of the collected data.
A new filter has been added allowing to filter logs from a specific country. The drop-down list appears by clicking “Open Advanced Search”.

When a resource is displayed, it is now specified the instance of the latter, allowing them to be distinguished. Icons have been added to provide one-click access to the collected data and administration objects of the displayed resource.

It is now possible to add a custom logo to OnePage reports.

In order to do this, please provide a logo in png 300px * 100px format to your Idecsi contact.

Until now, when a new sharing was done on a resource (One Drive, SharePoint, Teams, etc…) or a new delegation configured on an email, the I2A platform issued two separate alerts:  

• An alert for a change of rights or new sharing 
• An access alert, the first time the beneficiary of the sharing or delegation accessed the resource. 

I2A is now able to merge the two operations in order to avoid issuing the access alert.

The security team can now configure the creation of an alert as soon as a new application accesses a protected resource (for example LinkedIn that accesses your contacts)

Among the choices of the “Connected user” predicate present, the “an application” option is added. If this option is configured, an alert will be generated in case of access by any third party application to the resources.

If a mailbox is disabled in Exchange, protection within I2A for the same resource will be disabled automatically, so it’s no longer necessary to wait for the information and manually disable the protection in I2A.

In email notifications for an “Unusual Access” alert you will now find the country predicate among the available information, allowing you to have an additional element regarding the context of the event that generated the alert.

Improved automatic telephone number retrieval in I2A.

Fixed bug concerning the “Role groups” field when exporting to the “Users” section of I2A.

In Azure AD, alerts following the addition of applications or the addition of permissions for applications

For Azure AD groups, alerts in the event of addition or modification of permissions for a linked protected resource (eg. adding an owner in Teams)

Alerts following changes in SharePoint and OneDrive sharing policies (eg. allowing anonymous sharing on the tenant)

Alerts following E-Discovery actions via Content-Search

Separation of SharePoint / OneDrive sharing alerts into internal / external subtypes

Taking into account the expiration date of anonymous sharing in SharePoint / OneDrive (if the user closes an alert regards time-limited anonymous sharing, new anonymous sharing after the time limit will be alerted)

Updated text in alerts for protected users

Richer modification and stopping options for learning, protection, Permanent Audit or Audit.

Addition of Azure AD groups and their members to OnePage and Excel audit reports for SharePoint

For SharePoint lists associated with an Azure AD group (via Teams), we will attempt to link the resource to one of the owners of the group

Improvement of the “repeated actions” predicate (eg LoginFailed on Azure AD resource)

Added expiration date for usual countries (as an option).

• A color: green, orange, red
• An icon from the list of icons available in MyDataSecurity
• A title and a message (in markdown: with formatting, adding link and image possible)

Note 1:  banner mechanism will also be used in the future to display personalized messages for users (either manually by the administrators or automatically).

Note 2: As for other customizations, the banner can be scoped on Users, Instances, or Organization Units.

• Labels considered as “sensitive” will always be displayed in red
• Other labels will be displayed in grey

• (coming soon) Owner of the shared or private channel if applicable
• Microsoft 365 Group Owner if applicable
• SharePoint site owner
• Member of a group with Full Control rights on the SharePoint site
• User with Full Control rights on the SharePoint site
• Site Collection Administrator

• Users belonging to an automatic operation policy with a high priority level will be evaluated first
• Among these users, potential Business Owners will be prioritized according to their rights level:
  • (coming soon) Owner of the shared or private channel if applicable
  • Microsoft 365 Group Owner if applicable
  • SharePoint site owner
  • Member of a group with Full Control rights on the SharePoint site
  • User with Full Control rights on the SharePoint site
  • Site Collection Administrator
• Among these users, the first user given by the protected collaboration platform will be selected to be Business Owner

• Display of a red dot at the level of the files concerned by a point of attention

• When a user reports an access made from a new country, the country is hidden and the Operation done label no longer appears. The country report is still present in the Operations History.
• Add the date of last access for a country
• The “Operation done” labels no longer appear for countries reported to the security teams

• Merge of the View and Remove tabs in the different modal windows
• Modal windows are now centered at the page level
• When a security group is not yet collected, we precise it instead of writing that it is empty.

• Image or color for the background
• Between 1 or 5 links
• Each link must meet the different criteria: title with less than 50 characters, url
• An icon can be set for each link among a predefined list. It is possible to add new icon from the Fontawesome base, but not a customized image. Note that the supported version of Fontawesome is the v5.

• Title: Hide my points of attention
• Configuration modal: You are about to hide your points of attention. This means that all of the risky items listed below are legitimate (including permissions on your mailbox, sharing links, sharing of sensitive data, and different countries of connection).
• Confirmation button: Confirm
• Confirmation modal: All the points of attention are considered legitimate

• Avoid the multiplication of OUs with a very fine mesh to meet the needs of administration, customization of uses, and security policies.
• Grouping of people independently of their belonging to an entity or an IT local (e.g.: France country, all members of the Finance departments).

• Actual Organization Unit Id
• Actual Organization Unit Full Name
• Expected Organization Unit Id
• Expected Organization Unit Full name
• User I2A Id
• User I2A Full name
• UPN
• Display Name
• Provider Instance Id
• Provider Instance Name
• Provider Type
• Resource Name
• Result
• Current Status
• Expected Status

• The number of attention points displayed for each resource is hidden, in preference to a red dot positioned on the resource icon
• The translations have been improved
• The button “Browse all” on the home page was removed, and the browsing per category was improved.

• The operations history was improved.
• A global operations history is now available on the home page.

• The label “Operation done” is progressively removed for the users for which a permission was removed on a specific document
• All resources are now collapsed by default (except if there is only one resource)

• Expert
• MyDataSecurity
• Permission Explorer

• Environment: Provider Instance (ex: Office 365 – Intranet, Office 365 – Mailbox)
• Operation type: Automatic or Manual
• Identity: Identity used in the operation (ex: user principal name for automatic operations)
• Creation date min
• Creation date max
• Status: Pending, In progress, Partial, Complete, Cancelled, Failed

It is now possible to collect Directory Attributes, in addition to Extension attributes (1-15) from Azure AD for each user (except Open Extension, Schema Extension, Custom Security Attributes).

Please note: Custom attributes are configurable via a support request only today. Evolution will be planned during the first half of 2023 to propose an interface to define the custom attributes to collect.

For example, the Manager id is now collected from Azure AD users. Also, the “EmployeeType” and “OfficeLocation” fields are collected for all Azure AD tenants and will now be displayed in Permission Explorer.

Protection and Audit jobs ran from the “Operations” menu are now automatically retried 3 times every 20 minutes to workaround Microsoft API behavior in case of failure and before giving the “failed” status available to I2A Administrators.

Any risky configurations or overexposed data are now highlighted within a new section “Warnings” at the beginning of My Profile and in the menu with badges.

Expanding the Warnings section will show related details

This feature is configurable so please contact your Client Success Manager if you wan’t to add it.

We added a new button into the MyProfile page. It can be used to provide a link to your knowledge base, online help or user guide.

It allows customisation of
– its icon
– its URL target

Please feel free to contact your Client Success team in order to customise this change.

IDECSI’s platform now collects metadata from Microsoft Information Protection in order to display sensitivity “labels” per file. It offers several use cases :

• Sensitivity information is given to the end user in the context of its usage, which helps to pinpoint faster potentially sensitive and overexposed data.

• Identify shared sensitive files and their permissions across the whole monitored environment

• Alert on actions involving sensitive data (new share, new permission, new access, …)
• Audit and alert on any change made by an admin regarding sensitivity labels thru Microsoft Office 365 Compliance dashboard

Technical view of the configuration object storing labels configuration. The object is permanently audited, any change or tentative of compromise could rise an alert.

• Audit any user labelling activities onto files

Please feel free to contact your Client Success Team or your Sales Engineer.

We are now able to block an Azure Active Directory user account as incident response to an alert (i.e : impossible travel, simultaneous access).

SharePoint sites displayed to MyProfile users now integrate “Lists” as part of the SharePoint site hierarchy.

Company, Anonymous, Guest links created with OneDrive, Teams or SharePoint as well Exchange’s default permission object, are now highlighted in red.

This feature is customisable to your internal policy (for instance if you consider such case is part of your organisation’s best practices).

Below is a sample of OneDrive and Mailbox view :

Please feel free to reach your Client Success team.

In order to provide security teams additional visibility on the protected resources and their activity, we developed a new section on the Expert platform on which you can monitor the dates of the last activities on the resources.

This feature is particularly interesting if you want to know if there are unused resources among those which are collected by IDECSI.

In order to access the new section, click on the “Monitoring” link on the left as showed in the image; then apply the filters for a more precise research.

Once the research is done, you can also export it to .csv format by clicking on the export button.

There are several scenarios for which O365 administrators have to interact with user’s resources, and for security teams it’s sometimes difficult to obtain information about admin’s actions when needed;  so we have improved our capability to detect O365 Administrators operations in order to help you.

You can now decide to be alerted, or flag as safe, some operations made by admins, thanks to a new option added on the “Username” condition when create a policy.

Please feel free to reach out your Client Success Manager if you need help to deploy rules or to update the existing ones.

All the IDECSI products are finally available in german.

By changing the communication language in german, all the IDECSI products (Expert Platform, MyProfile, Alert Answer, …) will be translated, and all the communication support as well.

We improved our protection system allowing IDECSI administrators to start the protection of the main resources of the Office365 suite.

If you want to start protecting a user’s mailbox, you can select two additional options allowing you to add the OneDrive and AzureAD resources as well.

Thanks to valuable feedback from our customers, a few bugs have been fixed and some visual or performance improvements have been made.

If you want to make suggestions about our product, you can use our Fetaure Requests page here: https://extranet.idecsi.com/feature-requests/

In order to improve our customer experience for end users deployments, we now provide to our customers the possibility to close opened alerts after a certain time automatically. So the user is no longer required to answer systematically, as the alerts with no answer will be automatically closed, and users can focus on alerts which require their attention.

This feature is fully configurable, you can either decide to close an alert after one or more reminders are sent for the same alert, or after a defined time-frame.

This option is available on users access and users configuration alerts, not on global configuration alerts and alerts raised from user’s feedback (Invalid state report).

The alerts automatically closed will be considered as valid on the IDECSI platform and the event which have triggered the alert as legitimate.

As the feature is inactive by default, we invite you to contact your Client Success Manager for implementation.

Learning phase is one of the key features of the IDECSI platform, as it provides a unique profile for each protected user, based on its accesses and configuration.

So we decided to make this procedure more flexible, allowing you to restart a learning phase for users in an easier and configurable way.

On the user’s Summary page, simply click on the icon as in the image below:

Then select the start date and for how many days you want the data to be considered for the profile creation.

Our engine will analyze the datasets provided for the time-frame, and create the profile accordingly, removing all the obsolete rules, devices and permission for the user, and creating new ones.

If a notification rule has been set up for users to receive a MyProfile email at the end of the learning phase, a notification will be sent at the end of each learning phase. Please contact your Customer Success Manager if you need assistance.

We really believe that the Data Collected page provides real value to our customers in terms of visibility and forensics on the O365 events, so we are improving this module to make your life as simple as possible.

Two additional filters have been added, allowing you to filter Collected Data by IP address or IP Origin.

This new feature provide an interface where customers can manage their MyProfile campaigns and set up several parameters for automatic send of MyProfile emails. You can access this from the “Operation” section in your Expert platform.

We invite you to contact your Client Success Manager for the implementation of your first campaign.

In order to provide to our customers visibility on alert’s activity on IDECSI, we now provide a data flow, which can be consulted on PowerBI.

For now, we are able to provide information on Users, Alerts and Applications.

For more information, please contact a member of the Client Success team.

In a context where SharePoint libraries are automatically protected by IDECSI, you can now define a user by default to which these libraries will be attached to.

The SharePoint libraries can be consulted on the user’s Summary page and MyProfile.

Once attached to the user’s profile, it will be possible to reassign those libraries to other users directly from the Expert platform or MyProfile.

End users can now update their general information (email, phone number, timezone, …) directly from their MyProfile.

In I2A some types of alerts are related to Configuration Objects. (Inbox Rules, Applications Permissions, Sharing Set, …)

When you close an alert related to one of these objects, they will be automatically collected and updated, providing you the latest version of it instantly, instead of waiting the scheduled daily collection.

Since end-users can access their data through MyProfile, and report an anomaly such as an old delegation, it’s important that their profile is constantly updated, especially if the change is originated by their feedback.

Due to the fact that mobile devices are nomads by design and can switch network and localization very quickly and unpredictably, we decided to exclude the logs related to these from the calculations for the Geo-localization.

By doing this, we improved our Geo-localization by focusing on reliable sources of information, increasing the precision of all the rules related to this such as the “Move too Fast” and “Simultaneous“.

This update provides general graphic and wording improvements and more details about the protected resources such as the Owners list of a SharePoint library or more details on each Exchange permission.

Customers can now customize colors of MyProfile web page. Check this with your Client Success Manager for more information.

If you have suggestions and ideas about MyProfile and IDECSI in general, please submit it to our “Feature Request” page: https://extranet.idecsi.com/feature-requests/

It’s very important to have visibility on SharePoint libraries, but it’s very hard to track all the membership and ownership for each library.

End-users can now inform the team in charge to whom belongs the SharePoint Library for which they’ve been assigned as owners, simply by clicking the button “not belong to me” and selecting another person from the list.

If the owner of the SharePoint Library do not appear in the list, they can still search it in the “Search for another user” section and it will be reported to the people involved.

In case the SharePoint Library is not used anymore, they can report it by clicking the “Delete” button. (It won’t delete the SharePoint Library of course, but just inform the people in charge)

When a user accidentally activates the “Folder Visible” option on his mailbox on its Default Permission, it might generate several false positives alerts based on accesses, due to Microsoft activity on the resource. 
 
These are not real accesses, as it’s not possible to access the mailbox only by activating the “Folder Visible” option without assigning a higher permission (author, owner, reader, …); that’s why now IDECSI mask these accesses and will not generate the delegate on the MyProfile page of the user.

When a user opens an alert from its SMS/Email link, and this one have been previously closed, it will display with a new green header informing the user that no action is required.

Since IDECSI can now collect more configuration objects from different types of resources (Mailbox, OneDrive, Teams, Sharepoint, …) we created a search bar in the Expert Platform for the names of the configuration objects so customers can easily find a specific one without having to filter on the type/name of the resource.

In the past, the IDECSI platform used to create Permissions for delegates accessing the protected resources by analyzing the accesses in the last three weeks. So if a legitimate delegate didn’t access during this period, no Permission would have been created. 
 
The system has evolved and now their Permissions are created based on the accesses AND the configuration objects, specifically all the delegates found in the “Mailbox Folder Permission”. 
This will avoid false positives based on the fact that if a legitimate delegate access a protected resource AFTER the creation of the Permissions, this will trigger an alert.

It’s now possible to set up a notification rule pour end-users, allowing them to receive a notification when a new comment on their alert is made, or when an alert has been closed by someone else. (Security Team, assistant, …)
 
Deploying this allows you to create a direct link between end-users and security teams, as they can both receive notification when a new comment is made on an alert.

Please note that this is an optional feature and it won’t be activated by default.

You can now customize the headers of all our products (MyProfile, Alert Answer, Expert platform, OnePage Report) with a logo and a name:

The header can be also customized on all the emails sent by IDECSI.

To deploy these customizations thank you to contact your Client Success Manager.

Idecsi has deployed the automatic import of delegates (users which do not benefit from continuous protection such as personal assistants and service accounts) in order to strenghten the protection around the protected users by preventing accesses made by compromised delegates accounts.

Now you can set up rules in order to be alerted in the event of a delegate’s connection to a protected resource from unusual countries or unusual protocol. (IMAP/POP/…)

At the end of the learning phase, all the delegates which had accessed to a protected resource during the learning phase will be automatically imported by IDECSI and a profile created for each.

All the delegates will be imported by default in the company OU (root).
In case you prefer that your delegates are imported into a different OU,  you can ask your Client Succes Manager to change it.

IDECSI is now able to detect when a login to Office 365 fails. If it occurs from an unusual country, it will appear on  MyProfile for the I2A administrators.

However, this information will not appear for the End-Users consulting their MyProfile.

Please note that a country from which we detected a failed login will never be registered as “Usual Country” on the IDECSI platform.

For Office 365 environments, a new alert rule has been deployed on the Global resources which monitor the brute force attacks.

If someone fails accessing its Office 365 account more than one time in a determined period (6 hours by default), IDECSI will alert you instantly.

At the end of the learning phase, the end-user will receive the link to the MyProfile page.

Once he has confirmed that all the information are correct, the IDECSI platform will automatically update the profile based on all information validated by the user. In case of an anomaly reported by the user, no update will be made for the related information.

The system will automatically create permissions for legitimate delegates, it will register legitimate mobile devices and usual countries.

When a Mailbox Folder Permission right which have been previously assigned is downgraded, IDECSI do no longer send an alert for this type of configuration change.

Ex. VIP 1 previously assigned Owner rights on his calendar for Delegate 1. VIP 1 decides to switch the right level from Owner to Author.

This would usually trigger an alert because of the configuration change, but as the Author right is inferior to the Owner right, it won’t happen.

In terms of security, downgrading a right is rarely dangerous for a protected user.

To prevent end-users to receive alerts which are non-relevant and for which it would be impossible for them to answer, some of the logs collected by IDECSI are now flagged as “technical“.  (Ex. access made by local admin accounts or by Microsoft service accounts)

In the “Usual Countries” menu, you have now the possibility to select all the countries and easily remove all of them:

It’s now possible to select a group of countries per continent:

A button now allows you to reset the filters on the screen of the collected data.
A new filter has been added allowing to filter logs from a specific country. The drop-down list appears by clicking “Open Advanced Search”.

When a resource is displayed, it is now specified the instance of the latter, allowing them to be distinguished. Icons have been added to provide one-click access to the collected data and administration objects of the displayed resource.

It is now possible to add a custom logo to OnePage reports.

In order to do this, please provide a logo in png 300px * 100px format to your Idecsi contact.

Until now, when a new sharing was done on a resource (One Drive, SharePoint, Teams, etc…) or a new delegation configured on an email, the I2A platform issued two separate alerts:  

• An alert for a change of rights or new sharing 
• An access alert, the first time the beneficiary of the sharing or delegation accessed the resource. 

I2A is now able to merge the two operations in order to avoid issuing the access alert.

The security team can now configure the creation of an alert as soon as a new application accesses a protected resource (for example LinkedIn that accesses your contacts)

Among the choices of the “Connected user” predicate present, the “an application” option is added. If this option is configured, an alert will be generated in case of access by any third party application to the resources.

If a mailbox is disabled in Exchange, protection within I2A for the same resource will be disabled automatically, so it’s no longer necessary to wait for the information and manually disable the protection in I2A.

In email notifications for an “Unusual Access” alert you will now find the country predicate among the available information, allowing you to have an additional element regarding the context of the event that generated the alert.

Improved automatic telephone number retrieval in I2A.

Fixed bug concerning the “Role groups” field when exporting to the “Users” section of I2A.

In Azure AD, alerts following the addition of applications or the addition of permissions for applications

For Azure AD groups, alerts in the event of addition or modification of permissions for a linked protected resource (eg. adding an owner in Teams)

Alerts following changes in SharePoint and OneDrive sharing policies (eg. allowing anonymous sharing on the tenant)

Alerts following E-Discovery actions via Content-Search

Separation of SharePoint / OneDrive sharing alerts into internal / external subtypes

Taking into account the expiration date of anonymous sharing in SharePoint / OneDrive (if the user closes an alert regards time-limited anonymous sharing, new anonymous sharing after the time limit will be alerted)

Updated text in alerts for protected users

Richer modification and stopping options for learning, protection, Permanent Audit or Audit.

Addition of Azure AD groups and their members to OnePage and Excel audit reports for SharePoint

For SharePoint lists associated with an Azure AD group (via Teams), we will attempt to link the resource to one of the owners of the group

Improvement of the “repeated actions” predicate (eg LoginFailed on Azure AD resource)

Added expiration date for usual countries (as an option).

• A color: green, orange, red
• An icon from the list of icons available in MyDataSecurity
• A title and a message (in markdown: with formatting, adding link and image possible)

Note 1:  banner mechanism will also be used in the future to display personalized messages for users (either manually by the administrators or automatically).

Note 2: As for other customizations, the banner can be scoped on Users, Instances, or Organization Units.

• Labels considered as “sensitive” will always be displayed in red
• Other labels will be displayed in grey

• (coming soon) Owner of the shared or private channel if applicable
• Microsoft 365 Group Owner if applicable
• SharePoint site owner
• Member of a group with Full Control rights on the SharePoint site
• User with Full Control rights on the SharePoint site
• Site Collection Administrator

• Users belonging to an automatic operation policy with a high priority level will be evaluated first
• Among these users, potential Business Owners will be prioritized according to their rights level:
  • (coming soon) Owner of the shared or private channel if applicable
  • Microsoft 365 Group Owner if applicable
  • SharePoint site owner
  • Member of a group with Full Control rights on the SharePoint site
  • User with Full Control rights on the SharePoint site
  • Site Collection Administrator
• Among these users, the first user given by the protected collaboration platform will be selected to be Business Owner

• Display of a red dot at the level of the files concerned by a point of attention

• When a user reports an access made from a new country, the country is hidden and the Operation done label no longer appears. The country report is still present in the Operations History.
• Add the date of last access for a country
• The “Operation done” labels no longer appear for countries reported to the security teams

• Merge of the View and Remove tabs in the different modal windows
• Modal windows are now centered at the page level
• When a security group is not yet collected, we precise it instead of writing that it is empty.

• Image or color for the background
• Between 1 or 5 links
• Each link must meet the different criteria: title with less than 50 characters, url
• An icon can be set for each link among a predefined list. It is possible to add new icon from the Fontawesome base, but not a customized image. Note that the supported version of Fontawesome is the v5.

• Title: Hide my points of attention
• Configuration modal: You are about to hide your points of attention. This means that all of the risky items listed below are legitimate (including permissions on your mailbox, sharing links, sharing of sensitive data, and different countries of connection).
• Confirmation button: Confirm
• Confirmation modal: All the points of attention are considered legitimate

• Avoid the multiplication of OUs with a very fine mesh to meet the needs of administration, customization of uses, and security policies.
• Grouping of people independently of their belonging to an entity or an IT local (e.g.: France country, all members of the Finance departments).

• Actual Organization Unit Id
• Actual Organization Unit Full Name
• Expected Organization Unit Id
• Expected Organization Unit Full name
• User I2A Id
• User I2A Full name
• UPN
• Display Name
• Provider Instance Id
• Provider Instance Name
• Provider Type
• Resource Name
• Result
• Current Status
• Expected Status

• The number of attention points displayed for each resource is hidden, in preference to a red dot positioned on the resource icon
• The translations have been improved
• The button “Browse all” on the home page was removed, and the browsing per category was improved.

• The operations history was improved.
• A global operations history is now available on the home page.

• The label “Operation done” is progressively removed for the users for which a permission was removed on a specific document
• All resources are now collapsed by default (except if there is only one resource)

• Expert
• MyDataSecurity
• Permission Explorer

• Environment: Provider Instance (ex: Office 365 – Intranet, Office 365 – Mailbox)
• Operation type: Automatic or Manual
• Identity: Identity used in the operation (ex: user principal name for automatic operations)
• Creation date min
• Creation date max
• Status: Pending, In progress, Partial, Complete, Cancelled, Failed

It is now possible to collect Directory Attributes, in addition to Extension attributes (1-15) from Azure AD for each user (except Open Extension, Schema Extension, Custom Security Attributes).

Please note: Custom attributes are configurable via a support request only today. Evolution will be planned during the first half of 2023 to propose an interface to define the custom attributes to collect.

For example, the Manager id is now collected from Azure AD users. Also, the “EmployeeType” and “OfficeLocation” fields are collected for all Azure AD tenants and will now be displayed in Permission Explorer.

Protection and Audit jobs ran from the “Operations” menu are now automatically retried 3 times every 20 minutes to workaround Microsoft API behavior in case of failure and before giving the “failed” status available to I2A Administrators.

Any risky configurations or overexposed data are now highlighted within a new section “Warnings” at the beginning of My Profile and in the menu with badges.

Expanding the Warnings section will show related details

This feature is configurable so please contact your Client Success Manager if you wan’t to add it.

We added a new button into the MyProfile page. It can be used to provide a link to your knowledge base, online help or user guide.

It allows customisation of
– its icon
– its URL target

Please feel free to contact your Client Success team in order to customise this change.

IDECSI’s platform now collects metadata from Microsoft Information Protection in order to display sensitivity “labels” per file. It offers several use cases :

• Sensitivity information is given to the end user in the context of its usage, which helps to pinpoint faster potentially sensitive and overexposed data.

• Identify shared sensitive files and their permissions across the whole monitored environment

• Alert on actions involving sensitive data (new share, new permission, new access, …)
• Audit and alert on any change made by an admin regarding sensitivity labels thru Microsoft Office 365 Compliance dashboard

Technical view of the configuration object storing labels configuration. The object is permanently audited, any change or tentative of compromise could rise an alert.

• Audit any user labelling activities onto files

Please feel free to contact your Client Success Team or your Sales Engineer.

We are now able to block an Azure Active Directory user account as incident response to an alert (i.e : impossible travel, simultaneous access).

SharePoint sites displayed to MyProfile users now integrate “Lists” as part of the SharePoint site hierarchy.

Company, Anonymous, Guest links created with OneDrive, Teams or SharePoint as well Exchange’s default permission object, are now highlighted in red.

This feature is customisable to your internal policy (for instance if you consider such case is part of your organisation’s best practices).

Below is a sample of OneDrive and Mailbox view :

Please feel free to reach your Client Success team.

In order to provide security teams additional visibility on the protected resources and their activity, we developed a new section on the Expert platform on which you can monitor the dates of the last activities on the resources.

This feature is particularly interesting if you want to know if there are unused resources among those which are collected by IDECSI.

In order to access the new section, click on the “Monitoring” link on the left as showed in the image; then apply the filters for a more precise research.

Once the research is done, you can also export it to .csv format by clicking on the export button.

There are several scenarios for which O365 administrators have to interact with user’s resources, and for security teams it’s sometimes difficult to obtain information about admin’s actions when needed;  so we have improved our capability to detect O365 Administrators operations in order to help you.

You can now decide to be alerted, or flag as safe, some operations made by admins, thanks to a new option added on the “Username” condition when create a policy.

Please feel free to reach out your Client Success Manager if you need help to deploy rules or to update the existing ones.

All the IDECSI products are finally available in german.

By changing the communication language in german, all the IDECSI products (Expert Platform, MyProfile, Alert Answer, …) will be translated, and all the communication support as well.

We improved our protection system allowing IDECSI administrators to start the protection of the main resources of the Office365 suite.

If you want to start protecting a user’s mailbox, you can select two additional options allowing you to add the OneDrive and AzureAD resources as well.

Thanks to valuable feedback from our customers, a few bugs have been fixed and some visual or performance improvements have been made.

If you want to make suggestions about our product, you can use our Fetaure Requests page here: https://extranet.idecsi.com/feature-requests/

In order to improve our customer experience for end users deployments, we now provide to our customers the possibility to close opened alerts after a certain time automatically. So the user is no longer required to answer systematically, as the alerts with no answer will be automatically closed, and users can focus on alerts which require their attention.

This feature is fully configurable, you can either decide to close an alert after one or more reminders are sent for the same alert, or after a defined time-frame.

This option is available on users access and users configuration alerts, not on global configuration alerts and alerts raised from user’s feedback (Invalid state report).

The alerts automatically closed will be considered as valid on the IDECSI platform and the event which have triggered the alert as legitimate.

As the feature is inactive by default, we invite you to contact your Client Success Manager for implementation.

Learning phase is one of the key features of the IDECSI platform, as it provides a unique profile for each protected user, based on its accesses and configuration.

So we decided to make this procedure more flexible, allowing you to restart a learning phase for users in an easier and configurable way.

On the user’s Summary page, simply click on the icon as in the image below:

Then select the start date and for how many days you want the data to be considered for the profile creation.

Our engine will analyze the datasets provided for the time-frame, and create the profile accordingly, removing all the obsolete rules, devices and permission for the user, and creating new ones.

If a notification rule has been set up for users to receive a MyProfile email at the end of the learning phase, a notification will be sent at the end of each learning phase. Please contact your Customer Success Manager if you need assistance.

We really believe that the Data Collected page provides real value to our customers in terms of visibility and forensics on the O365 events, so we are improving this module to make your life as simple as possible.

Two additional filters have been added, allowing you to filter Collected Data by IP address or IP Origin.

This new feature provide an interface where customers can manage their MyProfile campaigns and set up several parameters for automatic send of MyProfile emails. You can access this from the “Operation” section in your Expert platform.

We invite you to contact your Client Success Manager for the implementation of your first campaign.

In order to provide to our customers visibility on alert’s activity on IDECSI, we now provide a data flow, which can be consulted on PowerBI.

For now, we are able to provide information on Users, Alerts and Applications.

For more information, please contact a member of the Client Success team.

In a context where SharePoint libraries are automatically protected by IDECSI, you can now define a user by default to which these libraries will be attached to.

The SharePoint libraries can be consulted on the user’s Summary page and MyProfile.

Once attached to the user’s profile, it will be possible to reassign those libraries to other users directly from the Expert platform or MyProfile.

End users can now update their general information (email, phone number, timezone, …) directly from their MyProfile.

In I2A some types of alerts are related to Configuration Objects. (Inbox Rules, Applications Permissions, Sharing Set, …)

When you close an alert related to one of these objects, they will be automatically collected and updated, providing you the latest version of it instantly, instead of waiting the scheduled daily collection.

Since end-users can access their data through MyProfile, and report an anomaly such as an old delegation, it’s important that their profile is constantly updated, especially if the change is originated by their feedback.

Due to the fact that mobile devices are nomads by design and can switch network and localization very quickly and unpredictably, we decided to exclude the logs related to these from the calculations for the Geo-localization.

By doing this, we improved our Geo-localization by focusing on reliable sources of information, increasing the precision of all the rules related to this such as the “Move too Fast” and “Simultaneous“.

This update provides general graphic and wording improvements and more details about the protected resources such as the Owners list of a SharePoint library or more details on each Exchange permission.

Customers can now customize colors of MyProfile web page. Check this with your Client Success Manager for more information.

If you have suggestions and ideas about MyProfile and IDECSI in general, please submit it to our “Feature Request” page: https://extranet.idecsi.com/feature-requests/

It’s very important to have visibility on SharePoint libraries, but it’s very hard to track all the membership and ownership for each library.

End-users can now inform the team in charge to whom belongs the SharePoint Library for which they’ve been assigned as owners, simply by clicking the button “not belong to me” and selecting another person from the list.

If the owner of the SharePoint Library do not appear in the list, they can still search it in the “Search for another user” section and it will be reported to the people involved.

In case the SharePoint Library is not used anymore, they can report it by clicking the “Delete” button. (It won’t delete the SharePoint Library of course, but just inform the people in charge)

When a user accidentally activates the “Folder Visible” option on his mailbox on its Default Permission, it might generate several false positives alerts based on accesses, due to Microsoft activity on the resource. 
 
These are not real accesses, as it’s not possible to access the mailbox only by activating the “Folder Visible” option without assigning a higher permission (author, owner, reader, …); that’s why now IDECSI mask these accesses and will not generate the delegate on the MyProfile page of the user.

When a user opens an alert from its SMS/Email link, and this one have been previously closed, it will display with a new green header informing the user that no action is required.

Since IDECSI can now collect more configuration objects from different types of resources (Mailbox, OneDrive, Teams, Sharepoint, …) we created a search bar in the Expert Platform for the names of the configuration objects so customers can easily find a specific one without having to filter on the type/name of the resource.

In the past, the IDECSI platform used to create Permissions for delegates accessing the protected resources by analyzing the accesses in the last three weeks. So if a legitimate delegate didn’t access during this period, no Permission would have been created. 
 
The system has evolved and now their Permissions are created based on the accesses AND the configuration objects, specifically all the delegates found in the “Mailbox Folder Permission”. 
This will avoid false positives based on the fact that if a legitimate delegate access a protected resource AFTER the creation of the Permissions, this will trigger an alert.

It’s now possible to set up a notification rule pour end-users, allowing them to receive a notification when a new comment on their alert is made, or when an alert has been closed by someone else. (Security Team, assistant, …)
 
Deploying this allows you to create a direct link between end-users and security teams, as they can both receive notification when a new comment is made on an alert.

Please note that this is an optional feature and it won’t be activated by default.

You can now customize the headers of all our products (MyProfile, Alert Answer, Expert platform, OnePage Report) with a logo and a name:

The header can be also customized on all the emails sent by IDECSI.

To deploy these customizations thank you to contact your Client Success Manager.

Idecsi has deployed the automatic import of delegates (users which do not benefit from continuous protection such as personal assistants and service accounts) in order to strenghten the protection around the protected users by preventing accesses made by compromised delegates accounts.

Now you can set up rules in order to be alerted in the event of a delegate’s connection to a protected resource from unusual countries or unusual protocol. (IMAP/POP/…)

At the end of the learning phase, all the delegates which had accessed to a protected resource during the learning phase will be automatically imported by IDECSI and a profile created for each.

All the delegates will be imported by default in the company OU (root).
In case you prefer that your delegates are imported into a different OU,  you can ask your Client Succes Manager to change it.

IDECSI is now able to detect when a login to Office 365 fails. If it occurs from an unusual country, it will appear on  MyProfile for the I2A administrators.

However, this information will not appear for the End-Users consulting their MyProfile.

Please note that a country from which we detected a failed login will never be registered as “Usual Country” on the IDECSI platform.

For Office 365 environments, a new alert rule has been deployed on the Global resources which monitor the brute force attacks.

If someone fails accessing its Office 365 account more than one time in a determined period (6 hours by default), IDECSI will alert you instantly.

At the end of the learning phase, the end-user will receive the link to the MyProfile page.

Once he has confirmed that all the information are correct, the IDECSI platform will automatically update the profile based on all information validated by the user. In case of an anomaly reported by the user, no update will be made for the related information.

The system will automatically create permissions for legitimate delegates, it will register legitimate mobile devices and usual countries.

When a Mailbox Folder Permission right which have been previously assigned is downgraded, IDECSI do no longer send an alert for this type of configuration change.

Ex. VIP 1 previously assigned Owner rights on his calendar for Delegate 1. VIP 1 decides to switch the right level from Owner to Author.

This would usually trigger an alert because of the configuration change, but as the Author right is inferior to the Owner right, it won’t happen.

In terms of security, downgrading a right is rarely dangerous for a protected user.

To prevent end-users to receive alerts which are non-relevant and for which it would be impossible for them to answer, some of the logs collected by IDECSI are now flagged as “technical“.  (Ex. access made by local admin accounts or by Microsoft service accounts)

In the “Usual Countries” menu, you have now the possibility to select all the countries and easily remove all of them:

It’s now possible to select a group of countries per continent:

A button now allows you to reset the filters on the screen of the collected data.
A new filter has been added allowing to filter logs from a specific country. The drop-down list appears by clicking “Open Advanced Search”.

When a resource is displayed, it is now specified the instance of the latter, allowing them to be distinguished. Icons have been added to provide one-click access to the collected data and administration objects of the displayed resource.

It is now possible to add a custom logo to OnePage reports.

In order to do this, please provide a logo in png 300px * 100px format to your Idecsi contact.

Until now, when a new sharing was done on a resource (One Drive, SharePoint, Teams, etc…) or a new delegation configured on an email, the I2A platform issued two separate alerts:  

• An alert for a change of rights or new sharing 
• An access alert, the first time the beneficiary of the sharing or delegation accessed the resource. 

I2A is now able to merge the two operations in order to avoid issuing the access alert.

The security team can now configure the creation of an alert as soon as a new application accesses a protected resource (for example LinkedIn that accesses your contacts)

Among the choices of the “Connected user” predicate present, the “an application” option is added. If this option is configured, an alert will be generated in case of access by any third party application to the resources.

If a mailbox is disabled in Exchange, protection within I2A for the same resource will be disabled automatically, so it’s no longer necessary to wait for the information and manually disable the protection in I2A.

In email notifications for an “Unusual Access” alert you will now find the country predicate among the available information, allowing you to have an additional element regarding the context of the event that generated the alert.

Improved automatic telephone number retrieval in I2A.

Fixed bug concerning the “Role groups” field when exporting to the “Users” section of I2A.

In Azure AD, alerts following the addition of applications or the addition of permissions for applications

For Azure AD groups, alerts in the event of addition or modification of permissions for a linked protected resource (eg. adding an owner in Teams)

Alerts following changes in SharePoint and OneDrive sharing policies (eg. allowing anonymous sharing on the tenant)

Alerts following E-Discovery actions via Content-Search

Separation of SharePoint / OneDrive sharing alerts into internal / external subtypes

Taking into account the expiration date of anonymous sharing in SharePoint / OneDrive (if the user closes an alert regards time-limited anonymous sharing, new anonymous sharing after the time limit will be alerted)

Updated text in alerts for protected users

Richer modification and stopping options for learning, protection, Permanent Audit or Audit.

Addition of Azure AD groups and their members to OnePage and Excel audit reports for SharePoint

For SharePoint lists associated with an Azure AD group (via Teams), we will attempt to link the resource to one of the owners of the group

Improvement of the “repeated actions” predicate (eg LoginFailed on Azure AD resource)

Added expiration date for usual countries (as an option).