Create anomaly detection policies in Advanced Security Management

Anomaly detection policies in Advanced Security Management in Office 365 use built-in algorithms to help uncover potential problems. You should have at least one anomaly detection policy in place; you can customize it when you create it by using various filters.

The built-in algorithms do most of the work of detecting anomalies automatically, scanning user activity and evaluating whether it's risky. With an anomaly detection policy in place to trigger alerts, you'll be notified when this risky behavior occurs.

Create a new anomaly policy

  1. In the Security & Compliance Center, choose Alerts > Manage advanced alerts.

  2. From the Control menu, select Policies.

    Anomaly policy menu

  3. Click Create policy, and then select Anomaly detection policy. (The very first time you create or edit a policy, you'll see Create policy in the center of the page, as well as in the usual place, to the right.)

    Anomaly detection policy
  4. On the Create anomaly detection policy page, type the Policy name and Description. You can base a new policy on one of the default templates, if you like, by choosing one in the Policy template drop-down menu.

    Anomaly detection policy settings
  5. Choose a Policy name so you can review or edit the policy later. Adding a Description as well can help you or another admin understand the purpose of the policy.

  6. Choose a Category for this policy. This is another way to help you filter and sort alerts that have been triggered, or to group policies when you're reviewing them to make changes.

  7. Choose Activity filters to set up other actions or metrics that will trigger an alert based on this policy.

    Anomaly detection policy settings
  8. Under Risk factors, you can decide whether different risk factors are applied to all activity in your Office 365 tenant, or only for selected activities, which you can choose.

  9. You can change your Alerts settings by unchecking the Alerting threshold (not recommended). You can also set up additional notifications for alerts from this policy (email or text message).

    Tip: When you set up an email notification, alerts are sent from the following email address: Be sure that your email provider doesn't block emails sent from this address.

    Anomaly detection policy settings

Why create anomaly policies to trigger alerts

For most people, receiving alerts from the default anomaly policy works well. All monitored activity is considered when the algorithms determine whether there is anomalous behavior to alert you about, so you'll be notified if anything suspicious turns up in any of those risk areas.

However, if you want to fine-tune how anomaly alerts work for your organization, you can modify the default anomaly policy or create your own.
