With Office 365 Advanced Security Management, global or security administrators can manage your organization's cloud activity more securely. After Advanced Security Management is turned on, the next steps are to:
You can also use your SIEM server with Advanced Security Management.
You must be a global administrator or security administrator to perform the procedures in this article.
Tip: Advanced Security Management is available in Office 365 Enterprise E5 or as an add-on for another Office 365 Enterprise subscription. To view or add to your subscription, as a global admin, sign in to Office 365, and then choose Admin > Billing. For more information about plan options, see Compare All Office 365 for Business Plans.
The Advanced Security Management portal resembles the following image:
Go to https://protection.office.com and sign in using your work or school account for Office 365. (This takes you to the Security & Compliance Center.)
Go to Alerts > Manage advanced alerts.
Choose Go to Advanced Security Management to go to the Advanced Security Management portal.
In the Advanced Security Management portal, you can:
Define policies and set up alerts & actions
Learn about cloud usage across your organization through reports and a dashboard
Manage third-party apps that people in your organization are using with Office 365
An alert is a notification based on a set of criteria that appears in a view or is sent to you. There are two types of alerts in Advanced Security Management: anomaly detection alerts, which are based on automatic algorithms that detect suspicious activity, and activity alerts, which you create for different activities you know might be atypical for your organization. For example, you might want the system to alert you when a user takes an administrative action, like creating a new user from a non-admin location.
With alerts, you can be notified whenever there's an activity in your tenant that's outside the ordinary for your organization. How does Office 365 know what is "outside the ordinary" for you? You define one or more policies that include different criteria that "trigger" the alert to tell you there's something up that you should check out.
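The activity alert described above (an administrative action such as creating a new user, performed from a non-admin location) can be expressed as a small policy check. This is an added example, not code from Advanced Security Management or its documentation; the policy fields, event field names, activity names, users, and address ranges are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy model: field names are illustrative, not the product's schema.
@dataclass(frozen=True)
class ActivityPolicy:
    name: str
    activities: frozenset      # administrative actions to watch
    admin_networks: tuple      # CIDR ranges treated as admin locations

    def matches(self, event):
        if event.get("activity") not in self.activities:
            return False
        try:
            ip = ipaddress.ip_address(event["client_ip"])
        except (KeyError, ValueError):
            # No usable source address: it cannot be shown to be an admin
            # location, so fail closed and raise the alert.
            return True
        return not any(ip in ipaddress.ip_network(n) for n in self.admin_networks)

def evaluate(policy, events):
    """Return one alert record for each event that triggers the policy."""
    return [{"policy": policy.name, "time": e["time"], "user": e["user"],
             "activity": e["activity"], "client_ip": e.get("client_ip")}
            for e in events if policy.matches(e)]

POLICY = ActivityPolicy(
    name="Admin action from non-admin location",
    activities=frozenset({"Add user", "Reset user password"}),
    admin_networks=("192.0.2.0/24",),   # constructed range (RFC 5737)
)

# Constructed sample events; addresses come from documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2017-01-10T09:12:00Z", "user": "admin1@example.com",
     "activity": "Add user", "client_ip": "192.0.2.15"},
    {"time": "2017-01-10T09:40:00Z", "user": "admin1@example.com",
     "activity": "Add user", "client_ip": "203.0.113.77"},
    {"time": "2017-01-10T10:02:00Z", "user": "user7@example.com",
     "activity": "File downloaded", "client_ip": "203.0.113.77"},
    {"time": "2017-01-10T11:30:00Z", "user": "admin2@example.com",
     "activity": "Reset user password"},  # source address missing
]

if __name__ == "__main__":
    for alert in evaluate(POLICY, SAMPLE_EVENTS):
        print(alert)
```

An event with no usable source address triggers the alert, because a record that cannot be tied to an admin location should be reviewed rather than silently passed.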
See the following resources to set up your policies and alerts, and take action:
You can learn about your organization's cloud usage through reports and a Cloud Discovery dashboard (also called Productivity App Discovery). This dashboard shows information about users, apps, web traffic, and risk levels.
To go to the dashboard, in the Advanced Security Management portal, choose Discover > Cloud Discovery dashboard.
To populate reports with the information you need, you'll upload log files from your organization's firewalls and proxies. Then, you can view data in the dashboard and reports, and even create your own custom reports. To learn more, see the following resources:
As a global or security administrator, you can manage apps, such as custom apps or third-party apps, that people in your organization are using with Office 365. For example, suppose that someone has downloaded a custom app they want to use with Office 365. You can ban untrusted apps, or mark apps as approved for tracking purposes. To learn more, see Manage app permissions using Advanced Security Management.
Is your organization using a SIEM server? Advanced Security Management can now integrate with your SIEM server to enable centralized monitoring of alerts. Integrating with a SIEM service allows you to better protect your cloud applications while maintaining your usual security workflow, automating security procedures, and correlating cloud-based and on-premises events. The SIEM agent runs on your server, pulls alerts from Advanced Security Management, and streams them into the SIEM server. For more information, see SIEM integration with Office 365 Advanced Security Management.