How to Filter and Manage Office 365 Alerts
Many businesses have moved to Office 365, and if they haven't, they will likely soon. Office 365 is the premier choice for productivity apps for the enterprise environment. It's also more cloud-based than previous versions of Office.
That means Office 365 will need to be monitored for things like data breaches and data loss prevention. Thankfully, Microsoft makes it easy to configure security alerts based on your organization's specific criteria. So, today we are going to discuss how to filter and manage Office 365 alerts.
The Recommended Severity Ratings for Incidents in Office 365
The Security and Compliance dashboard alerts in the Office 365 Admin panel works similarly to a traditional ticketing system. The most significant difference is that security events (or tickets) are generated automatically. In a traditional ticketing system, those tickets (or alerts) would be created manually by the end-user or the IT staff.
These alerts are created automatically based on a set of criteria. For example, suppose you want to know when an account is accessed from a different country. In that case, you can create a security alert rule that looks for that data. Part of the criteria for automatically generated alerts is labeling the severity of those alerts.
Alert severities can be categorized as:
There isn't a universal way to categorize alerts or tickets based on severity. Those labels will change from business to business. IT Pros do have common advice for which severity rating to apply to tickets, though.
Issues only affecting one user where that issue has a current workaround should be classified as low.
Any issues affecting a single user (or maybe a couple of end-users) with no workaround should be categorized as medium.
Any issues preventing an entire department or business from functioning should be considered high severity.
Of course, alerts in Office 365 don't only pertain to issues affecting users. They could represent security issues as well. For instance, an alert could be created if an account is accessed from another country. Or, you could make an alert if sensitive data was sent to a recipient outside of your organization. In these cases, depending on how your business operates, you may want to classify those kinds of alerts as high severity.
How to Create a New Security Alert in Office 365
Creating a new security alert in Office 365 is easy. Only certain Office 365 subscription levels can create security alerts, though. You will need an Enterprise or U.S. Government account with one of the following subscription tiers:
E1 / F1 / G1
E3 / F3/ G3
E5 / G5
Only the E5 and G5 subscriptions have access to the advanced functionality for Office 365 alerts or any accounts with a subscription to Microsoft Defender for Office 365 P2, Microsoft 365 E5 Compliance, or the Audit add-on subscription.
To create new Office 365 alerts, first, log in to your Office 365 management dashboard and head to the 'Security and Compliance' area. Then under the 'Alert Policies' box, click on 'New Alert Policy.' This will open a web-based wizard to create a new alert policy.
In the first window of that wizard, four parameters need to be configured:
The name, severity level, and category parameters are required. Give your new alert policy a name based on the naming conventions for your organization. It is recommended to make your policy name descriptive to what it accomplishes.
The description parameter is not needed though it is a good idea to add some information about what this warning does. Always make life easier for the next person taking care of things behind you.
The severity rating can be labeled as low, medium, or high. The severity rating will change from business to business. The more impactful your incident has the potential of being, the higher of a severity rating you should give it.
Finally, choose a category for this alert. For instance, does this alert fall under data loss prevention or threat management? Microsoft has a few different options to choose from, so pick the best option that matches your intention for this alert.
When you are done filling out all four parameters, click the Next button.
The next screen assigns settings to your new Office 365 security alert. You will have a few things to configure on this screen:
How do you want the alert to be triggered?
The drop-down box under the activity section will have a list of various actions that occur. For instance, you can choose to trigger this alert when a DLP policy is broken, when a user uploads a file, when files are accessed, etc.…
The following section sets the constraints for this alert. For example, you can set this Office 365 alert to trigger every time your activity occurs, only if it occurs 15 times over 60 minutes or whenever the volume of that activity surpasses what Microsoft considers unusual.
For instance, if you create an alert for a data loss prevention issue, you may want to set your alert to trigger whenever a DLP policy is broken. On the other hand, if you are creating an Office 365 alert to notify you when too many files are uploaded, you might want to set the constraints for that rule to only trigger the alert when that activity becomes abnormal. You don't need to be notified every time someone uploads a file to OneDrive.
Once you are done configuring those two settings for your Office 365 alert, click the Next button.
Finally, the last settings page defines who should be notified when your new alert triggers and how often they should be alerted. Using the example above, if you have a triggered data loss prevention alert, you most likely only need that alert to be sent to your compliance officer and IT manager. Not everyone in your IT department needs to be notified. Likewise, you may want to be notified every time that alert occurs and not only once per day.
Once you are done with this step, click Next to continue.
The last screen in the new alert wizard only displays the parameters you just configured for verification. Take a moment to ensure that everything is set correctly for your new alert. Once you are satisfied, select whether you would like this Office 365 alert to be active immediately or whether you want to turn it on later. Then click on Finish.
Creating new Office 365 alerts is that easy. Once you complete the process once or twice, you should be able to create new alerts within moments.
How to Filter and Manage Office 365 Alerts
Filtering and managing Office 365 alerts is part of the process for maintaining security in Office 365. If you have well-thought-out alerts and notifications, managing these Office 365 alerts is easy.
To see currently active alerts, navigate to the Security and Compliance page in your Office 365 account. You will see a box labeled Recent Alerts on that page. The most recent alerts will be listed in that box. To see all alerts, click the View All Alerts link at the bottom of that box. You can filter alerts by severity when viewing all alerts.
Clicking on any of the alerts will present more information regarding that alert. For instance, you will be able to see:
The severity of the alert
When that alert was created
Comments for that alert
Details of what triggered that alert
After you investigate why the alert was triggered, you can also set that alert as resolved. Resolving an alert will remove that alert from your notifications.
An Overview of How to Filter and Manage Office 365 Alerts [Video]
In this video, John Munjoma covers managing security alerts from Microsoft Office 365. The Microsoft 365 security alerts are ideal for helping administrators notice when a potential violation of security policy has occurred. But keeping track of all of them, and filtering the false positives and maintaining situational awareness of your network, can be hard to stay on top of.
Many businesses are migrating to Office 365 if they haven't already. As IT Pros, we need to stay updated on the latest changes to Office 365 and Office 365 admin best practices. If you are an IT pro that supports Office 365, consider earning the Office 365 Certified Enterprise Administrator certification.
Creating new alerts in Office 365 is an easy process. One of the things you need to think about before creating alerts in Office 365 is your alert severity policy. The severity of triggered events in Office 365 will change from business to business. Still, it is recommended to set the severity based on how many people your alert might impact. You will also use those alert severities to filter alerts to investigate and resolve them.
To create a new alert, navigate to the Security and Compliance page in your Office 365 admin dashboard. Then click New Alert Policy.
The New Alert Policy has three pages of steps followed by a final settings verification page. The first page names and describes your alert policy, defines its severity, and categorizes your alert. The second page defines what actions occur that trigger your policy and how many times that trigger can be tripped before an alert is raised. Finally, the last page states who should be notified of your alert and how often.
Though the types of alerts you set and the severity of those alerts are highly dependent on your business, it is always a good idea to have a robust alert system in place. Sound security alerts can help maintain the security integrity of your organization.
delivered to your inbox.