Advanced Security Management in Office 365 gives you insights into suspicious activity in Office 365 so you can investigate situations that are potentially problematic and, if needed, take action to address security issues.
After you've enabled Advanced Security Management, check out the steps to take to get started with the feature. With Advanced Security Management, you get alerts that you can set up by using policies to notify you about anomalous and suspicious activity. You also get productivity app discovery, which lets you use the information from your organization's log files to understand and act on your users' app usage in Office 365 and other cloud apps.
Advanced Security Management is available in Office 365 Enterprise E5 or as an add-on subscription to Office 365. To begin using Advanced Security Management in Office 365, sign in to your Office 365 account and choose to turn on Advanced Security Management.
Set up alerts
To set up alerts in Advanced Security Management, you can create two types of policies: anomaly detection policies, which are based on automatic algorithms that detect suspicious activity, and activity policies, which you create for different activities you know might be atypical for your organization. For example, you could create a policy so the system alerts you when a user takes an administrative action, like creating a new user, from a non-administrative location.
Anomaly alerts are based on a set of built-in risk factors, which you can modify if you need to tune the automatic detections. Activity alerts, in contrast, are completely customizable, and you can target them to trigger based on a number of parameters. For example, you can set the activity type (like logon activity) and how often the activity is repeated in a specific time frame. These two types of alert policies can be used together to help keep you aware of potential issues.
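The two activity-policy conditions described above (an administrative action from a non-administrative location, and an activity type repeated within a time frame) can be pictured as the following check over activity events. This is an added example, not code from Advanced Security Management; the event fields, activity names, networks and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical policy parameters (illustrative, not the product's schema).
ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed "administrative location"
ADMIN_ACTIVITIES = {"AddUser"}                   # assumed name for "creating a new user"
REPEAT_ACTIVITY = "FailedLogon"                  # assumed activity type to count
REPEAT_THRESHOLD = 3                             # repetitions that trigger an alert
REPEAT_WINDOW = timedelta(minutes=5)             # time frame for the repetitions

# Constructed sample events: (ISO timestamp, user, activity, source IP).
EVENTS = [
    ("2024-01-15T09:00:00", "alice", "FailedLogon", "198.51.100.7"),
    ("2024-01-15T09:00:00", "bob", "FailedLogon", "198.51.100.8"),
    ("2024-01-15T09:01:00", "alice", "FailedLogon", "198.51.100.7"),
    ("2024-01-15T09:02:30", "alice", "FailedLogon", "198.51.100.7"),
    ("2024-01-15T09:10:00", "bob", "FailedLogon", "198.51.100.8"),
    ("2024-01-15T09:20:00", "bob", "FailedLogon", "198.51.100.8"),
    ("2024-01-15T10:00:00", "admin1", "AddUser", "203.0.113.10"),
    ("2024-01-15T10:05:00", "admin1", "AddUser", "198.51.100.99"),
]

def from_admin_location(ip):
    return any(ip_address(ip) in net for net in ADMIN_NETWORKS)

def evaluate(events):
    """Return (timestamp, user, reason) alerts for both policy conditions."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent counted activity
    for ts, user, activity, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        # Condition 1: administrative action from a non-administrative location.
        if activity in ADMIN_ACTIVITIES and not from_admin_location(ip):
            alerts.append((ts, user, "admin-action-from-non-admin-location"))
        # Condition 2: the activity repeated N times inside the time frame.
        if activity == REPEAT_ACTIVITY:
            window = recent[user]
            window.append(when)
            while when - window[0] > REPEAT_WINDOW:
                window.popleft()  # drop events older than the time frame
            if len(window) >= REPEAT_THRESHOLD:
                alerts.append((ts, user, "repeated-activity"))
                window.clear()    # require fresh repetitions before re-alerting
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Clearing the window after an alert keeps a sustained burst from raising one alert per event, which is the kind of tuning the repetition and time-frame parameters are meant to control.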
When you review alerts that have been triggered, you can investigate to learn more details about what was going on. Then, if the activity is still suspicious, you can take action. For example, you can notify a user about an issue or suspend a user from signing in to Office 365.
Upload log files for app discovery
In addition to alerts, Advanced Security Management includes productivity app discovery to let you view and analyze information about Office 365 and other cloud apps that are being used in your organization.
After you upload log files from your firewalls and proxies, app discovery analyzes the information and presents it in the Office 365 Discovery dashboard. You can look at how apps are being used in different categories, such as collaboration apps or cloud storage apps. And you can see other details, like which apps have the most traffic, or how many apps have headquarters in different parts of the world.