Thursday, March 15, 2018

Advanced Office 365 Alerts

A while ago I wrote an article about the standard alerts in Office 365 that are common across all plans. You can read that article here:

Create Office 365 Alerts

I also alluded to the fact that the Enterprise plans in Office 365 include additional alerting features and options. Here’s an example of one such alert that I have in place to warn me about potentially suspicious activity in my Enterprise E5 tenant.

[screenshot: email alert]

A mass download of files from the tenant is a very common activity that should be investigated, because it is how data leaves the organisation whether through a compromised account, a departing employee or a misconfigured sync client. The concern is heightened when that activity comes from an external user, as you can see in the email alert I received above.

Now, it’s time to investigate.

image

If I now go to the Office 365 Security & Compliance Center, select Alerts from the menu on the left and then View alerts from the options that appear, I see a list of recent alerts on the right, as shown above.

To examine an alert in more detail, I simply select it from the list. In this case I will select the first one.

image

Information about the alert now appears on the right. You will see that there is also a hyperlink, View activity list, that gives you even more detail.

image

Selecting this option gives me the low-level audit log entries for the events that triggered this alert: the user, the client IP address, the site and the individual files that were downloaded. This is what you should check before deciding an alert is benign: does the account, the source address and the set of files match what you expect that user to be doing? In this case I know that the external user is actually a member of my CIAOPS Patron community who is re-syncing the OneNote Codex that is part of their entitlements. So I can now confirm that this was a known situation and I don’t need to investigate further.
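The same kind of triage can be done outside the portal. The following PowerShell is an added example, not code from the original post or from Microsoft: it takes unified audit log records of the sort shown in the alert's activity list (the output of Search-UnifiedAuditLog, whose AuditData property is a JSON string in the Office 365 Management Activity schema), keeps only FileDownloaded events by external users, and reports any user who downloaded more files than a threshold inside a sliding time window, together with the client IPs and sites involved. The threshold and window values are illustrative assumptions, not the values the built-in alert policy uses; the "#ext#" marker used to recognise guest accounts is the form external users take in the audit log; the tenant name, user names and file names in the sample records are constructed for the example.

```powershell
# Added example (not part of the original post). Flags external users with a
# burst of FileDownloaded events, using records shaped like Search-UnifiedAuditLog output.
#
# Live use (Exchange Online PowerShell session required):
#   Connect-ExchangeOnline
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#                                     -Operations FileDownloaded -ResultSize 5000
#   Find-ExternalMassDownload -Records $records -Threshold 50 -WindowMinutes 60

function Find-ExternalMassDownload {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with an AuditData JSON string
        [int] $Threshold     = 50,                     # illustrative: downloads per user per window
        [int] $WindowMinutes = 60                      # illustrative: sliding window length
    )

    # Parse the AuditData JSON of each record into a flat event object.
    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'FileDownloaded') { continue }
        [pscustomobject]@{
            Time     = [datetime]$d.CreationTime       # audit log times are UTC, written without a zone suffix
            UserId   = $d.UserId
            ClientIP = $d.ClientIP
            File     = $d.SourceFileName
            Site     = $d.SiteUrl
        }
    }

    # Guest accounts appear as user_domain.com#ext#@tenant.onmicrosoft.com in the audit log.
    $external = $events | Where-Object { $_.UserId -match '#ext#' }

    foreach ($group in ($external | Group-Object UserId)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: starting at each event, count the events in the next $WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start     = $sorted[$i].Time
            $windowEnd = $start.AddMinutes($WindowMinutes)
            $inWindow  = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    UserId      = $group.Name
                    WindowStart = $start
                    Downloads   = $inWindow.Count
                    ClientIPs   = ($inWindow.ClientIP | Sort-Object -Unique) -join ', '
                    Sites       = ($inWindow.Site     | Sort-Object -Unique) -join ', '
                    Files       = ($inWindow.File | Select-Object -First 5) -join ', '
                }
                break   # one finding per user is enough to start an investigation
            }
        }
    }
}

# Constructed sample records standing in for Search-UnifiedAuditLog output.
$base   = [datetime]'2018-03-14T09:00:00'
$sample = @()
# One guest account pulling 60 files in 20 minutes (e.g. a client re-syncing a notebook).
foreach ($n in 1..60) {
    $sample += [pscustomobject]@{ AuditData = (@{
        CreationTime   = $base.AddSeconds($n * 20).ToString('s')
        Operation      = 'FileDownloaded'
        UserId         = 'patron_example.com#ext#@contoso.onmicrosoft.com'
        ClientIP       = '203.0.113.10'
        SourceFileName = "Codex-Page-$n.one"
        SiteUrl        = 'https://contoso.sharepoint.com/sites/patrons/'
    } | ConvertTo-Json -Compress) }
}
# A few downloads by an internal user, which must not be reported.
foreach ($n in 1..3) {
    $sample += [pscustomobject]@{ AuditData = (@{
        CreationTime   = $base.AddMinutes($n).ToString('s')
        Operation      = 'FileDownloaded'
        UserId         = 'admin@contoso.onmicrosoft.com'
        ClientIP       = '198.51.100.7'
        SourceFileName = "Report-$n.docx"
        SiteUrl        = 'https://contoso.sharepoint.com/sites/finance/'
    } | ConvertTo-Json -Compress) }
}

# Reports the guest account only: 60 downloads from 203.0.113.10 against the patrons site.
Find-ExternalMassDownload -Records $sample -Threshold 50 -WindowMinutes 60 | Format-List
```

The output is the same information you would read off the activity list, but it can be kept or scripted: if the user, source IP and site match a known, expected activity (as with the Patron member above) the alert can be resolved; if the IP or the set of files is unexpected, that is the point to start a proper investigation rather than close it.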

image

I can, however, select any, or all, of the listed activities and then choose Notify users using the button in the top left.

image

This creates an email like the one shown above that you can send to the users in question.

When I’m finished looking at the alert activity I simply close that dialog.

image

I can now mark this alert as resolved using the button in the top right.

image

I have a number of other options available when marking this alert, as shown above. However, in this case I’ll mark it as Resolved and Save it.

image

If I now re-examine an alert that has been resolved I’ll see the banner indicating that across the top of the page as shown.

You should also note that the activity items are not retained forever. It is a bit hard to read, but the item highlighted on the right says “The activities for this alert have expired”. The underlying records do remain in the unified audit log for its retention period (90 days for Office 365 at the time of writing), so if you need to revisit an older alert you can still search the audit log for the same operations and time window, but anything beyond that period is gone unless you have exported it elsewhere.

Enterprise Office 365 plans have many more security and compliance options available, as hopefully you can see from the above. If you are serious about IT security, then I’d encourage you to look at what the Enterprise Office 365 plans offer.