After you get Office 365 Advanced Security Management set up, including enabling the feature in Office 365 and setting up policies to help you monitor activities in your Office 365 environment, you can use the management features to see potential issues and, if needed, take action.
Check for alerts activity
When you open the Advanced Security Management portal, you'll see an overview of open alerts and activity violations.
It's a good idea to check daily to see new alerts that were triggered, and decide how to handle them.
In the Security and Compliance Center, choose Alerts, then Manage advanced alerts.
On the menu bar, choose Alerts.
Alerts are the entry point to understanding activities in your Office 365 cloud environment that you may want to investigate further. You may also decide to create new policies based on the alerts you see. For example, if you see an administrator logging on from Greenland, you may decide that in the future, you'd like to have a policy that automatically suspends an admin account when it is used to log on from Greenland.
Reviewing all of your alerts regularly is useful to help you make decisions about changing policies. For example, if harmless events are appearing as violations to policies you've put in place, you might want to update the policies so that fewer unnecessary alerts pop up.
Tip: You can filter the alerts by Category or by Severity so you can manage the most important ones first.
For each alert, look into what caused it so you can decide what action to take. To see more details about an alert and to take action, such as resolving the alert or suspending a user, choose the alert to open a details page.
On the details page, you can review the activity log, accounts, and users that are related to the alert, and take actions such as the following:
Dismiss If the alert was a false positive, you can simply dismiss it. You're given the chance to add a comment to provide another explanation for dismissing or explain why it was a false positive, if you like.
Resolve alert If the alert was triggered by an activity that you know isn't a threat, you can choose Resolve to mark it as resolved. When you resolve an alert, you're given the chance to add a comment to explain the situation, if you like.
Suspend If you suspect that someone who isn't authorized is signing in on an account, for example, someone signing in from another country when you know that person is physically at a local office, you might want to suspend the account while you investigate what's going on.