Create activity policies and alerts in Office 365 Cloud App Security

Office 365 Advanced Security Management is now Office 365 Cloud App Security.

With Office 365 Cloud App Security, you can set up advanced cloud management policies that trigger alerts for specific activities that happen or happen too frequently. For example, suppose a user tries to sign in to Office 365 and fails 70 times in one minute. Suppose that another user downloads 7,000 files, or appears to be signed in from Canada, when that user is supposed to be in another location. Or worse, suppose that someone's account has been compromised, and an attacker is using that account to access your organization's cloud apps and sensitive data.

As a global or security administrator, you can configure activity alerts to notify you when events like these occur, and then take specific actions, such as suspending a user account until you can investigate what happened.

Note: Office 365 Cloud App Security policies are different from alert policies in the Office 365 Security & Compliance Center. The activity policies described in this article are defined in the Office 365 Cloud App Security portal, and can help you better manage your organization's cloud environment.

Before you begin

Make sure that:

  • Your organization has Office 365 Cloud App Security, which is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Office 365 Cloud App Security can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

  • You are a global administrator or security administrator for Office 365.

Create a new activity policy

  1. As a global administrator or security administrator, go to https://protection.office.com and sign in using your work or school account.

  2. In the Security & Compliance Center, choose Alerts > Manage advanced alerts.

  3. Choose Go to Office 365 Cloud App Security.

    This takes you to the Office 365 Cloud App Security Policies page.

    When you go to the Office 365 Cloud App Security portal, you start with the Policies page

  4. Click Create policy, and then select Activity policy.

    When you create a policy in O365 CAS, you can choose between Activity policies and Anomaly Detection policies.

  5. On the Create activity policy page, specify the Policy name and Description. To base your policy on a default template, choose one in the Policy template list, or create your own policy without using a template.

    You can create activity policies with Office 365 Cloud App Security.

  6. Choose a Policy severity (Low, Medium, or High) that measures how serious it is to you if this policy triggers an alert. This will help you filter alerts when you're reviewing them later.

  7. Choose a Category for this policy. This will help you filter and sort alerts that have been triggered, or to group policies when you're reviewing them to make changes.

  8. Choose Activity filters to set up other actions or metrics that will trigger an alert based on this policy.

  9. Under Activity match parameters, specify whether a policy violation will be triggered when a single activity matches the filters, or if a specified number of repeated activities is required before the alert triggers.

    If you select Repeated activity, specify the number of activities, the time frame, and whether a violation will count for a user within a specific app or for the same user with any app.

  10. Optionally, you can select Create alert to create additional alerts to receive notifications from this policy (via email, text message, or both).

    Important: Make sure that your email provider doesn't block emails sent from no-reply@cloudappsecurity.com.

  11. Choose the Actions that should be taken when an alert is triggered to suspend the user or require the user to sign in again to Office 365 apps.

  12. Choose Create to finish creating your policy.

Related topics

Office 365 Cloud App Security (help and how-to)
What is Cloud App Security?

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×