Have you enabled Advanced Security Management for Office 365 and you're ready to get started? Great! Here are some tips and other information to help you begin.
How Advanced Security Management helps you manage cloud activity more securely
You get started with Advanced Security Management by signing in to Office 365 as a Global Administrator or Security Administrator for Advanced Security Management, and turning on the feature by completing a few steps, as described in Enable Advanced Security Management.
After you enable the feature, there are three ways in which you can use the service to help keep your organization safe: alerts, which are triggered by anomalies or specific activities; app discovery, which provides information to help you understand and manage cloud app usage in your organization; and app permissions, which give you control over third-party apps that connect to Office 365.
For the alerts, you can be notified whenever there's an activity in your tenant that's outside the ordinary for your organization. How does Office 365 know what is "outside the ordinary" for you? You define one or more policies that include different criteria that "trigger" the alert to tell you there's something up that you should check out.
It might end up being an activity that's perfectly fine (in which case, you might want to modify your policy criteria a bit). Or it might be something that you didn't expect that needs investigating—perhaps someone trying to download a large amount of data in a short period of time.
For app discovery, you'll first import information by uploading log files from your organization's firewalls and proxies. Then you can review and analyze the information pulled in from the log files by viewing it in the Discovery dashboard, categorized in a variety of ways. Learn more about app discovery by seeing the information on importing log files and reviewing app discovery findings.
App permissions give you control over third-party apps that your users might connect to. See Manage app permissions in the Security & Compliance Center to learn how to use the app permissions page, how to ban an app, or how to mark an app as approved.
Not sure what alerts are? The rest of this article explains how they work.
What exactly is an alert?
An alert is a notification based on a set of criteria that appears in a view or is sent to you. There are two types of alerts in Advanced Security Management: anomaly detection alerts, which are based on automatic algorithms that detect suspicious activity, and activity alerts, which you create for different activities you know might be atypical for your organization. For example, you might want the system to alert you when a user takes an administrative action, like creating a new user from a non-admin location.
Alerts make you aware when something outside what is typical for your organization happens so you can take action on it, if needed.
You get to decide what is tracked and what might be suspicious. An activity that might be expected for your organization, like signing in from a specific country, could be out of the ordinary and potentially worrisome for another organization.
Important: Be aware that, after you enable Advanced Security Management, it will be seven days before you'll start receiving any anomaly detection alerts. This allows time for the algorithm that establishes the baseline for anomaly detection to stabilize.
How do you define the criteria for an activity alert? By filling out a form, called a policy, in Advanced Security Management, that Office 365 uses to decide whether and when to send you an alert notification.
Create and modify policies to trigger alerts
The steps to create or modify a policy are similar for both types of alerts. But the degree to which you control the policy is different. Anomaly policies will alert you based on a set of built-in risk factors, which you can modify if you want to tune the automatic detections. Activity alerts, in contrast, are completely customizable and you can target them to alert you based on a number of parameters. For example, you can set the activity type (like logon activity) and how often the activity is repeated in a specific timeframe. These two types of alerts work together to help keep you aware of potential issues.
Based on the different options you choose for the policy, you're telling Office 365 how to determine that something suspicious might be happening in your organization, and to let you know. You can also create an activity policy by basing it on search criteria in the Activity log.
To create activity policies that will trigger just the alerts that you'll find useful when managing your organization's use of Office 365, you can start with one of the provided templates or create a policy from scratch. We provide guidance that steps you through creating activity alerts and modifying anomaly detection alerts to help you get set up.
Default activity policy templates that are included
Advanced Security Management includes several policy templates for alerts, to get you started. Take a look at the default policies, and then decide whether to create alerts by modifying one of these example policies to adjust them for your org, or create new alerts that suit your organization's needs.
The policy templates that are included are the following:
Administrative activity from a non-administrative IP address: Alert when an admin user performs an administrative activity from an IP address that is not included in a specific IP range category. You can define which IP addresses belong to the administrative category by going to the Settings page and selecting IP address ranges.
User logon from a non-categorized IP address: Alert when a user logs on from an IP address that is not included in a specific IP range category. You can categorize IP addresses by going to the Settings page and selecting IP address ranges.
Mass download by a single user: Alert when a single user performs more than 30 downloads within 5 minutes.
Multiple failed user logon attempts to an app: Alert when a single user attempts to log on to a single app and fails more than 10 times within 5 minutes.
Logon from a risky IP address: Alert when a user logs on from a risky IP address to your sanctioned services. The Risky IP category contains, by default, anonymous proxies and Tor exit points. You can add IP addresses to this category by adding them on the IP address ranges settings page.
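To make the template thresholds concrete, here is an added example (not part of this article and not the product's own logic) that evaluates three of the templates over constructed activity records: admin activity from outside an assumed admin IP range, more than 30 downloads in 5 minutes, and more than 10 failed logons to one app in 5 minutes. The record fields, the 198.51.100.0/24 admin range, and the operation names are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed "administrative" IP range category (example value, not from the article).
ADMIN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def in_category(ip, ranges):
    """True if ip falls inside any network of the given IP range category."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def burst_exceeds(timestamps, threshold, window=timedelta(minutes=5)):
    """True if more than `threshold` events fall inside any sliding window."""
    ts = sorted(timestamps)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:   # slide the window start forward
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

def evaluate(events, admin_ranges=ADMIN_RANGES):
    """Apply the three template policies; return (policy, user, detail) tuples."""
    alerts, downloads, failures = [], defaultdict(list), defaultdict(list)
    for e in events:
        if e["admin"] and not in_category(e["ip"], admin_ranges):
            alerts.append(("admin-from-non-admin-ip", e["user"], e["ip"]))
        if e["op"] == "FileDownloaded":
            downloads[e["user"]].append(e["ts"])
        if e["op"] == "UserLoggedIn" and not e["ok"]:
            failures[(e["user"], e["app"])].append(e["ts"])
    for user, ts in downloads.items():
        if burst_exceeds(ts, 30):            # "Mass download by a single user"
            alerts.append(("mass-download", user, len(ts)))
    for (user, app), ts in failures.items():
        if burst_exceeds(ts, 10):            # "Multiple failed logon attempts to an app"
            alerts.append(("failed-logons", user, app))
    return alerts

def _ev(ts, user, op, ip, app="Office 365", ok=True, admin=False):
    return {"ts": ts, "user": user, "op": op, "ip": ip, "app": app, "ok": ok, "admin": admin}

# Constructed sample records (assumed field names, fictional users and IPs).
BASE = datetime(2017, 3, 1, 9, 0, 0)
EVENTS = (
    [_ev(BASE, "admin@contoso.com", "Add user", "203.0.113.7", admin=True)]
    + [_ev(BASE + timedelta(seconds=8 * i), "bob@contoso.com", "FileDownloaded", "198.51.100.5") for i in range(31)]
    + [_ev(BASE + timedelta(seconds=20 * i), "eve@contoso.com", "UserLoggedIn", "203.0.113.9", app="SharePoint", ok=False) for i in range(11)]
    + [_ev(BASE + timedelta(minutes=i), "alice@contoso.com", "FileDownloaded", "198.51.100.6") for i in range(40)]
)
```

Alice's 40 downloads spread over 40 minutes never exceed 30 in any 5-minute window, so only Bob's burst, Eve's failed logons, and the admin action from outside the admin range produce alerts.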
Receive emails or text messages for alert notifications
By default, Advanced Security Management displays in the portal the alerts that are triggered by policies you've set up. On that page in Advanced Security Management, you can view the alerts, filter them, and take action. For example, you can suspend a user or modify a policy that is triggering too many unhelpful alerts.
But if you want to be notified proactively when an alert is triggered, by email or by text, you can choose those options when you create or edit a policy. As you follow the steps to create a policy to trigger an activity alert or modify an anomaly detection alert, in the Alerts section, choose the check box for Email alert or Send alert as text message or both.
You can save the email addresses and phone numbers that you usually set to be alerted by selecting Save alert setting to default. Then, when you're creating or modifying another policy, choose Use organization defaults to automatically fill in the email addresses and phone numbers for the alert.