Activity policies in Office 365 Advanced Security Management allow you to set up alerts to trigger when specific activities happen or happen too frequently. By setting up policies to trigger alerts, you can be notified about and monitor specific activities. For example, when there are unexpectedly high rates of a particular type of activity—like large numbers of file downloads.
Create a new activity policy
In the Security & Compliance Center, choose Alerts, then Manage advanced alerts.
From the Control menu, select Policies.
Click Create policy, and then select Activity policy. (The very first time you create or edit a policy, you'll see Create policy in the center of the page, as well as in the usual place, to the right.)
On the Create activity policy page, type the Policy name and Description. You can base a new policy on one of the default templates, if you like, by choosing one in the Policy template drop-down menu.
Choose a Policy severity (Low, Medium, or High) that measures how serious it is to you if this policy triggers an alert. You can use this value to filter alerts when you're reviewing them.
Choose a Category for this policy. This is another way to help you filter and sort alerts that have been triggered, or to group policies when you're reviewing them to make changes.
Choose Activity filters to set up other actions or metrics that will trigger an alert based on this policy.
Under Activity match parameters, select whether a policy violation will be triggered when a single activity matches the filters, or if a specified number of repeated activities is required before the alert triggers. If you select Repeated activity, set the following for the alert: The number of activities, the time frame, and whether a violation will count for a user within a specific app or for the same user with any app.
Optionally, you can check Create alert to create additional Alerts to receive notifications from this policy (email or text message).
Tip: When you set up an email notification, alerts are sent from email@example.com. Make sure that your email provider doesn't block emails sent from this address.
Choose the Actions that should be taken when an alert is triggered to suspend the user or require the user to sign in again to Office 365 apps.
Why create activity policies to trigger alerts
You can set up activity policies to set custom alerts to be sent or actions to be taken when specific user activity is detected. This helps you manage your cloud environment more securely, by letting you know when certain potentially suspicious activities have happened.
For example, if you want to know every time a user tries to log on and fails 70 times in one minute, or if a user downloads 7,000 files, or is logged in from Canada, you can set activity alerts to be shown in Office 365, or sent to you, when these events occur. You can even suspend a user until you have time to investigate what happened that triggered the alert.
Examples of activity policies
Multiple failed logins
You can set a policy so that you receive an alert when there have been a large number of failed login attempts within a certain relatively short time period.
On the Create activity policy page, in the Activity filters section, select Activity type equals Log on. Then set the values you'd like in the Activity match parameters and Actions sections.
High download rate
Another policy you can set up is to get an alert when there has been an unexpected or atypical level of downloading activity.
On the Create activity policy page, in the Activity filters section, select Activity type equals Download file or folder. Then set the values you'd like in the Activity match parameters and Actions sections.