For anyone familiar with the Office 365 Security & Compliance center will know, the amount and level of detailed information and options available here is astonishing.
You can search the auditlog, create a policy to prevent data loss and control access from mobile devices. To name but a view. Many of these options also provide some form of dashboards to access the most recent information. But this will require you to go to the security and compliance center itself.
There are alternatives for this. And one of these is using the Alerts function. This function also comes with a dashboard 🙂 but does allow you to receive notifications when needed.
Before we begin, some basics.
- You will need the Organization Configuration role within the security & compliance center in order to set-up alerts;
- Audit logging must be enabled within the tenant;
- Activity by external users will not be audited, so you cannot create alerts for these;
- Advanced alerts require an E5 Office 365 licence. In this blog, I won’t be covering that area;
- Alert policies are currently only available within the E5 Office 365 license.
Let’s start with the dashboard. This dashboard gives you an overview of all recent alerts but also allows you to add new alert policies. More on that later. This dashboard should be the starting point of any compliance or security officer within the organization. I haven’t found any information on the amount of alerts which can or are displayed in the dashboard though.
Alerts in detail
If you want a closer look at the alerts which have been created, you select the option View alerts. This overview shows you the alerts, including details like severity and category. If needed, you can even filter these alerts.
When opening this alert you will see the details (doh….). But based on these details, you can decide to “Resolve” the alert by selecting the corresponding status. For example: an alert may be under investigation to be resolved later.
You can also Suppress an alert for a specific amount of time (1, 7, 30, 365 days), which will suppress any notifications being send. This might be handy when you are investigating an alert.
You can also Notify the users involved. In which case a default email message is created. This message can be modified and send.
Your account was recently involved in triggering an Office 365 security and compliance alert: Severity: High Time: Aug 15, 2017 7:46:42 AM Activity: DLP policy match Please reply if you do not recognize these activities.
But not all of these alerts create themselves. So let’s take a look at alert policies. An alert policy is created to notify people of an anomaly within Office 365. This might be (for example) triggered by a Data Loss Prevention policy or detected malware.
The Alerts section has two types of alert policies. The build-in (system) and custom type. The build-in policies can only be modified to a specific extent. For example, you can edit the recipients of the notifications. But the conditions cannot be modified.
But you can add your own policies, which gives you a lot of possibilities.
Creating an alert policy
The creation of an alert policy is straightforward enough. You give the policy a name and select the severity. Next is the category. Don’t be fooled by this. This category is only used to categorize the alert policies in the overview and does not filter the conditions. I’ve selected the “Data loss prevention”, figuring the conditions would only display the relevent ones. But alas….
But these conditions do make it more interesting. A lot of build-in conditions are available and these come in several types:
- Common user activities
- File and folder activities
- File sharing activities
- synchronisation events
- Site administration activities
These can be very detailed. For example: want an alert when a file is deleted using a specific IP-adress? No problem. Want to know if a specific user is moving files? Ditto…
Just remember: all information which is stored in the audit log can be used as basis for an alert.
The alert is not only triggered by an event. You can also select when is triggered. I.e. how many times does the event have to take place, before an alert is sounded? You can select you own interval (for example, when more than three events occur) or you can let Office 365 machine intelligence figure it out. In the latter case, it might take up to one week for the system to establish a reliable baseline.
When you’ve added the conditions and the triggers, it’s time to select a recipient of the notifications. These people will receive an email notifying them of the alert. Luckily you can also configure a daily limit for this. Although when you’re working with high severity alerts you probably want the responsible people to be spammed until these are resolved 🙂
You can now save the alert and choose to turn it on immediately. Here’s a small bug I found in this. When I chose to “Turn it on later” I got a little error message. Not sure what it meant…..
But anyway. These alerts, the dashboard and policies are great for administrators, security- and compliance officers. If you haven’t seen them, now you have 🙂 But take a look at them in your tenant as-well!
I have created a policy for testing purpose.
The policy will send email to myself when an alert
Later I have deleted the policy but it still triggers alert.
Can anyone please help me in this situation
You might have to wait for some time. If needed, you can use PowerShell to check the status of your alerts (https://docs.microsoft.com/en-us/powershell/module/exchange/get-protectionalert?view=exchange-ps).