Activity policies and alerts in Office 365 Cloud App Security

Office 365 Advanced Security Management is now Office 365 Cloud App Security.

Evaluation    >

Planning    >

Deployment    >

Utilization   

Start evaluating

Start planning

You are here!

Next step

Start utilizing

With Office 365 Cloud App Security, advanced cloud management policies trigger alerts for specific activities that happen or happen too frequently. For example, suppose a user tries to sign in to Office 365 and fails 70 times in one minute. Suppose that another user downloads 7,000 files, or appears to be signed in from Canada, when that user is supposed to be in another location. Or worse, suppose that someone's account has been compromised, and an attacker is using that account to access your organization's cloud apps and sensitive data.

If you are a global administrator or security administrator, activity alerts notify you when events like these occur. You can then take specific actions, such as suspending a user account until you can investigate what happened.

Note: Office 365 Cloud App Security policies are different from alert policies in the Office 365 Security & Compliance Center. The activity policies described in this article are defined in the Office 365 Cloud App Security portal, and can help you better manage your organization's cloud environment.

Before you begin

Make sure that:

Create a new activity policy

  1. As a global administrator or security administrator, go to https://protection.office.com and sign in using your work or school account.

  2. In the Security & Compliance Center, choose Alerts > Manage advanced alerts.

  3. Choose Go to Office 365 Cloud App Security.

    This takes you to the Office 365 Cloud App Security Policies page.

    When you go to the Office 365 Cloud App Security portal, you start with the Policies page

  4. Click Create policy, and then select Activity policy.

    When you create a policy in O365 CAS, you can choose between Activity policies and Anomaly Detection policies.

  5. On the Create activity policy page, specify the Policy name and Description. To base your policy on a default template, choose one in the Policy template list, or create your own policy without using a template.

    You can create activity policies with Office 365 Cloud App Security.

  6. Choose a Policy severity (Low, Medium, or High) that measures how serious it is to you if this policy triggers an alert. This will help you filter alerts when you're reviewing them later.

  7. Choose a Category for this policy. This will help you filter and sort alerts that have been triggered, or to group policies when you're reviewing them to make changes.

  8. Choose Activity filters to set up other actions or metrics that will trigger an alert based on this policy.

  9. Under Activity match parameters, specify whether a policy violation will be triggered when a single activity matches the filters, or if a specified number of repeated activities is required before the alert triggers.

    If you select Repeated activity, specify the number of activities, the time frame, and whether a violation will count for a user within a specific app or for the same user with any app.

  10. Optionally, you can select Create alert to create additional alerts to receive notifications from this policy (via email, text message, or both).

    Important: Make sure that your email provider doesn't block emails sent from no-reply@cloudappsecurity.com.

  11. Choose the Actions that should be taken when an alert is triggered to suspend the user or require the user to sign in again to Office 365 apps.

  12. Choose Create to finish creating your policy.

Next steps

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×