Wednesday, March 14, 2018

Create Office 365 Alerts

Another option that all Office 365 plans support is the ability to create your own custom alerts. Before you do this though, you’ll need to ensure that you have enabled activity auditing in Office 365. Here’s an article I wrote that shows you how to do this:

http://blog.ciaops.com/2018/02/enable-activity-auditing-in-office-365.html

It will take 24 hours or so for the activity logging to be fully enabled but you can still go in and create alerts. You’ll need to navigate to the Security and Compliance center. From the menu on the left expand the Alerts option and then select Manage alerts.

You will probably see that there are currently no alerts configured as shown above. To configure an alert simply select the New alert policy button at the top of the page.

This will open the options window shown above. Give the alert a name and a description.

All Office 365 plans will have the choice of making the alert Custom or Elevation of privilege as shown above. Other plans may have additional options, but you should select Elevation of privilege and configure that as your first alert.

If you repeat the alert creation process but this time select to create a Custom alert you can then choose from a wide variety of activities to trigger the alert as shown above.

You can filter the list to the choices you wish using the search field at the top. Here I am filtering for any password activities.

I simply select the activities I want included in the alert as shown above. When I select an option, a check appears to the right of the item.

You then optionally set the users you wish to monitor for this activity (leaving the field blank applies it to all users) and finally whom you send any alerts to in your tenant (typically an administrator).

You then save the new alert and you should now see it in the Manage Alerts area as shown above.
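
The same two alerts can also be created from Security & Compliance PowerShell. This is an added example, not part of the original walkthrough; the addresses, alert names and the two password operation strings are assumptions, so confirm the operation names against the activities listed in your own tenant before relying on them.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Requires the ExchangeOnlineManagement module. Addresses are placeholders.
Import-Module ExchangeOnlineManagement

$admin  = 'admin@contoso.com'    # placeholder: account used to sign in
$notify = 'secops@contoso.com'   # placeholder: who receives the alert email

# 1. Activity auditing must be on first. Check it from Exchange Online,
#    because the same cmdlet reports False when run in the compliance session.
Connect-ExchangeOnline -UserPrincipalName $admin
$auditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Disconnect-ExchangeOnline -Confirm:$false
if (-not $auditOn) {
    Write-Warning 'Activity auditing is not enabled; alerts will have nothing to trigger on.'
}

# 2. Connect to Security & Compliance PowerShell to manage the alerts.
Connect-IPPSSession -UserPrincipalName $admin
$existing = (Get-ActivityAlert).Name   # names already present, so reruns are safe

# 3. First alert: Elevation of privilege.
if ($existing -notcontains 'Elevation of privilege') {
    New-ActivityAlert -Name 'Elevation of privilege' `
        -Type ElevationOfPrivilege `
        -NotifyUser $notify `
        -Description 'Notify when a user is granted elevated permissions.'
}

# 4. Second alert: Custom, limited to password activities.
#    Operation strings are assumed values; verify them in your audit log.
$passwordOps = 'Change user password.', 'Reset user password.'
if ($existing -notcontains 'Password activity') {
    # -UserId is omitted so the alert applies to all users.
    New-ActivityAlert -Name 'Password activity' `
        -Type Custom `
        -Operation $passwordOps `
        -NotifyUser $notify `
        -Description 'Notify on password change and reset activity.'
}

# 5. List what is now configured (the Manage alerts view).
Get-ActivityAlert | Select-Object Name, Type, Operation, NotifyUser
```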

Now when an alert triggers you get an email alert as shown telling you about the activity.

The alert email has lots of links that allow you to go and view the details in various places, typically in the audit log, which is why you need to turn that ability on first.

When we look in the audit log we see the activity and can investigate further.

As I said, all the Office 365 plans allow you to do the basic alerting as I have shown, however with the Enterprise plans you get a whole range of additional abilities and alerts as shown above.

You also get additional categories as you see above. If you are serious about the security of your Office 365 tenant then I would highly recommend you consider Enterprise rather than business plans.

In summary, every Office 365 plan includes the ability to configure custom activity alerts, which is something you should do. There are lots of activities you can alert on, so be judicious about which activities you alert on, as it is very easy to get overwhelmed by spurious alerts.

My general recommendation would be to set up the above list of alerts as a minimum, but I suggest you start with a handful and increase and refine over time.

As I said, I would also recommend looking at Enterprise plans to provide additional alerting abilities and functionality. However, no matter which plan you have, go in and add some form of alerting that makes sense for your tenant, as there is typically nothing there by default.