Alert policies in the Office 365 Security & Compliance Center

You can use the new alert policy and alert dashboard tools in the Office 365 Security & Compliance Center to create alert policies and then view the alerts that are generated when users perform activities that match the conditions of an alert policy. Alert policies build on and expand the functionality of activity alerts by letting you categorize the alert policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether or not to receive email notifications. There's also a View alerts page in the Security & Compliance Center where you can view and filter alerts, set an alert status to help you manage alerts, and then dismiss alerts after you've addressed or resolved the underlying incident. We've also expanded the type of events that you can create alerts for. For example, you can create alert policies to track malware activity and data loss incidents. Finally, we've also included a number of default alert policies that help you monitor assigning admin privileges in Exchange Online, malware attacks, and unusual levels of file deletions and external sharing.

Note: Alert policies require an Office 365 E5 subscription for your organization. Alternatively, you would need an Office 365 E3 subscription with an Office 365 Threat Intelligence or Office 365 Advanced Compliance add-on subscription to use alert policies. Note that an Advanced Compliance subscription doesn't support alert policies related to malware attacks and phishing messages.

Contents

How alert policies work

Alert policy settings

Default alert policies

Viewing alerts

Managing alerts

How alert policies work

Here's a quick overview of how alert policies work and the alerts that are triggered when user or admin activity matches the conditions of an alert policy.

Overview of how alert policies work
  1. An admin in your organization creates, configures, and turns on an alert policy by using the Alert policies page in the Security & Compliance Center. You can also create alert policies by using the New-ProtectionAlert cmdlet in PowerShell.

  2. A user performs an activity that matches the conditions of an alert policy. In the case of malware attacks, infected email messages sent to users in your organization will trigger an alert.

  3. Office 365 generates an alert that's displayed on the View alerts page in the Security & Compliance Center. Also, if email notifications are enabled for the alert policy, Office 365 sends a notification to a list of recipients.

  4. An admin manages alerts in the Security & Compliance Center. Managing alerts consists of assigning an alert status to help track and manage any investigation.


Alert policy settings

An alert policy consists of a set of rules and conditions that define the user or admin activity that will generate an alert, a list of users who will trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on these settings when managing policies and viewing alerts in the Security & Compliance Center. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.

To view and create alert policies, go to Alerts > Alert policies in the Security & Compliance Center.

In the Security & Compliance Center, click Alerts, then click Alert policies to view and create alert policies

An alert policy consists of the following settings and conditions.

  • Activity the alert is tracking   You create a policy to track an activity or, in some cases, a few related activities, such as sharing a file with an external user by sharing it, assigning access permissions, or creating an anonymous link. When a user performs the activity defined by the policy, an alert is triggered based on the alert threshold settings.

  • Activity conditions   For most activities, you can define additional conditions that must be met for an alert to be triggered. Common conditions include IP addresses (so that an alert is triggered when the user performs the activity on a computer with a specific IP address or within an IP address range), whether an alert is triggered if a specific user or users perform that activity, and whether the activity is performed on a specific file name or URL. You can also configure a condition that triggers an alert when the activity is performed by any user in your organization. Note that the available conditions are dependent on the selected activity.

  • Alert threshold   You can configure a threshold setting that defines how often an activity can occur before an alert is triggered. This allows you to set up a policy to generate an alert every time an activity matches the policy conditions or only when a certain threshold is exceeded. The threshold defines how many times an activity can occur within a time range before an alert is generated.

    You can also assign an alert threshold based on unusual activity. If you select this type of threshold setting, Office 365 establishes a baseline value that defines the normal frequency for the selected activity; it takes up to 7 days to establish this baseline, during which alerts won't be generated. After the baseline is established, an alert will be triggered when the frequency of the activity tracked by the alert policy greatly exceeds the baseline value. For auditing-related activities (such as file and folder activities), you can establish a baseline based on a single user or based on all users in your organization; for malware-related activities, you can establish a baseline based on a single malware family, a single recipient, or all messages in your organization.

  • Alert category   To help with tracking and managing the alerts generated by a policy, you can assign one of the following categories to a policy.

    • Data governance

    • Data loss protection

    • Permissions

    • Threat management

    • Others

    When an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the category defined in this setting. This allows you to track and manage alerts that have the same category setting on the View alerts page in the Security & Compliance Center because you can sort and filter alerts based on category.

  • Alert severity   Similar to the alert category, you assign a severity attribute (Low, Medium, or High) to alert policies. Like the alert category, when an activity occurs that matches the conditions of the alert policy, the alert that's generated is tagged with the same severity level that's set for the alert policy. Again, this allows you to track and manage alerts that have the same severity setting on the View alerts page. For example, you can filter the list of alerts so that only alerts with a High severity are displayed.

    Tip: When setting up an alert policy, consider assigning a higher severity to activities that can result in severely negative consequences, such as detection of malware after delivery to users, viewing of sensitive or classified data, sharing data with external users, or other activities that can result in data loss or security threats. This can help you prioritize alerts and the actions you take to investigate and resolve the underlying causes.

  • Email notifications     You can set up the policy so that email notifications are sent (or not sent) to a list of users when an alert is triggered. You can also set a daily notification limit so that once the maximum number of notifications has been reached, no more notifications are sent for the alert during that day. In addition to email notifications, you or other administrators can view the alerts that are triggered by a policy on the View alerts page. Consider enabling email notifications for alert policies of a specific category or that have a higher severity setting.
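The settings above map onto parameters of the New-ProtectionAlert cmdlet mentioned earlier. The following is an added example, not code from the original article: it creates a custom policy that tracks the FileDeleted audit operation with a simple count threshold, then lists the policies that exist in the tenant. The policy name, recipient address, threshold values and the use of Connect-IPPSSession (from the ExchangeOnlineManagement module) are assumptions for this example.

```powershell
# Connect to Security & Compliance PowerShell (assumes the ExchangeOnlineManagement module is installed).
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder account

# Create a custom alert policy. Each parameter corresponds to a setting described above:
#   -Operation       : the activity the alert is tracking (FileDeleted audit operation)
#   -ThreatType      : Activity = audit-log based activity (as opposed to Malware)
#   -AggregationType : SimpleAggregation = alert when the count threshold is exceeded
#   -Threshold/-TimeWindow : how many times within how many minutes
#   -Category/-Severity    : tags applied to every alert the policy generates
#   -NotifyUser/-NotificationEnabled : email notification settings
New-ProtectionAlert -Name "Bulk file deletion (custom)" `
    -Description "Alerts when any user deletes 50 or more files within one hour" `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation `
    -Threshold 50 `
    -TimeWindow 60 `
    -Severity Medium `
    -NotifyUser "secops@contoso.example" `
    -NotificationEnabled $true

# Review the result alongside the built-in policies. The property names shown
# (Name, Severity, Category, Disabled) are assumed for this example.
Get-ProtectionAlert | Sort-Object Severity | Format-Table Name, Severity, Category, Disabled
```

If you later want to keep the policy but stop its email, Set-ProtectionAlert with -NotificationEnabled $false matches the "suppress email notifications" behaviour described under Managing alerts, while alerts themselves continue to be generated.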


Default alert policies

Office 365 provides the following built-in alert policies that help identify Exchange admin permissions abuse, malware activity, and data governance risks. These policies are turned on by default. You can turn these policies off (or back on again), set up a list of recipients to send email notifications to, and set a daily notification limit. The other settings for these policies can't be edited.

On the Alert policies page, the names of these built-in policies are in bold and the policy type is defined as System.

  • Creation of forwarding/redirect rule   Generates an alert when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules that are created using Outlook Web App or Exchange Online PowerShell. This policy has a Low severity setting. For more information about using inbox rules to forward and redirect email in Outlook Web App, see Use rules in Outlook Web App to automatically forward messages to another account.

  • Elevation of Exchange admin privilege   Generates an alert when someone is assigned administrative permissions in your Exchange Online organization; for example, if a user is added to the Organization Management role group in Exchange Online. This policy has a Low severity setting.

  • Malware campaign detected after delivery   Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization. If this event occurs, Office 365 removes the infected messages from Exchange Online mailboxes. This policy has a High severity setting.

  • Malware campaign detected and blocked   Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. If this event occurs, the infected messages are blocked by Office 365 and not delivered to mailboxes. This policy has a Low severity setting.

  • Malware campaign detected in SharePoint and OneDrive   Generates an alert when an unusually high volume of malware or viruses are detected in files located in SharePoint sites or OneDrive accounts in your organization. This policy has a High severity setting.

  • Unusual external user file activity   Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a High severity setting.

  • Unusual volume of external file sharing   Generates an alert when an unusually large number of files in SharePoint or OneDrive are shared with users outside of your organization. This policy has a Medium severity setting.

  • Unusual volume of file deletion   Generates an alert when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame. This policy has a Medium severity setting.

  • Unusual increase in email reported as phish   Generates an alert when there is a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a High severity setting. For more information about this add-in, see Use the Report Message add-in.

Note that the unusual activity monitored by some of the built-in policies is based on the same process as the alert threshold setting that was previously described. Office 365 establishes a baseline value that defines the normal frequency for "usual" activity. Alerts are then triggered when the frequency of activities tracked by the built-in alert policy greatly exceeds the baseline value.


Viewing alerts

When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the View alerts page in the Security & Compliance Center. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the View alerts page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated; this value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. See the Managing alerts section for more information about using the status property to manage alerts.

To view alerts, go to Alerts > View alerts in the Security & Compliance Center.

In the Security & Compliance Center, click Alerts, then click View alerts to view alerts

You can use the following filters to view a subset of all the alerts on the View alerts page.

  • Status   Use this filter to show alerts that are assigned a particular status; the default status is Active. You or other administrators can change the status value.

  • Policies   Use this filter to show alerts that match the setting of one or more alert policies. Or, you can just display all alerts for all alert policies.

  • Time range   Use this filter to show alerts that were generated within a specific date and time range.

  • Severity   Use this filter to show alerts that are assigned a specific severity.

  • Category   Use this filter to show alerts from one or more alert categories.


Managing alerts

After alerts have been generated and displayed on the View alerts page in the Security & Compliance Center, you can triage, investigate, and resolve them. Here are some tasks you can perform to manage alerts.

  • Assign a status to alerts   You can assign one of the following statuses to alerts: Active (the default value), Investigating, Resolved, or Dismissed. Then, you can filter on this setting to display alerts with the same status setting. This status setting can help track the process of managing alerts.

  • View alert details   You can click an alert to display a flyout page with details about the alert. The detailed information depends on the corresponding alert policy, but it typically includes the following:

    • The name of the actual operation that triggered the alert, such as a cmdlet or an audit log operation.

    • A description of the activity that triggered the alert.

    • The user who triggered the alert; this is included only for alert policies that are set up to track a single user or a single activity.

    • The number of times the activity tracked by the alert was performed. Note that this number might not match the actual number of related alerts listed on the View alerts page because additional alerts might have been triggered.

    • A link to an activity list that includes an item for each activity that was performed that triggered the alert. Each entry in this list identifies when the activity occurred, the name of the actual operation (such as "FileDeleted"), the user who performed the activity, the object (such as a file, an eDiscovery case, or a mailbox) that the activity was performed on, and the IP address of the user's computer. For malware-related alerts, this links to a message list.

    • The name of (and a link to) the corresponding alert policy.

  • Suppress email notifications   You can turn off (or suppress) email notifications from the flyout page for an alert. When you suppress email notifications, Office 365 won't send notifications when activities or events occur that match the conditions of the alert policy. However, alerts will continue to be triggered when activities performed by users match the conditions of the alert policy. You can also turn off email notifications by editing the alert policy.

  • Resolve alerts   You can mark an alert as resolved on the flyout page for an alert (which sets the status of the alert to Resolved). Unless you change the filter, resolved alerts aren't displayed on the View alerts page.
