
Learn to configure Office 365 alerts and other security features


Set up Office 365 alerts for suspicious activities

The CISA memo also suggested configuring Office 365 alerts in the Security and Compliance Center so the IT team can react to security incidents quickly. Office 365 alerts can be sent via SMS or email to administrators, who then sign in to the alerts dashboard in the Office 365 security portal to review the details of the alert and address the issue.

Microsoft provides 21 default alert policies that cover threat management, elevation of admin privileges, information governance and data leaks, and message delivery delays. The CISA memo suggested setting up Office 365 alerts for logins from unusual locations and for user accounts that have exceeded their email sending thresholds.

The alert in the screenshot below warns administrators when one or more users delete an abnormally high volume of documents. That can indicate deliberate destruction of data, but it can also be a user clearing out old files, so the alert is a prompt to investigate rather than proof of an incident.

[Screenshot: Office 365 alert policy. A policy can be set to alert the administrator when an unusually large number of files is deleted from Office 365.]

Microsoft recommends administrators enable all 21 default policies in their tenant. Many of them, such as elevation of admin privileges or a suspicious outbound email pattern, can signal the start of an attack that, if acted on quickly, can be stopped before extensive damage occurs.
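As an added example (not code from the article or from Microsoft's documentation), the following Security and Compliance PowerShell session creates a custom policy equivalent to the mass-deletion alert described above and then lists the default policies so any that are still disabled can be turned on in the portal. The policy name, threshold, time window, sign-in account and notification address are assumptions; `FileDeleted` is used as the audit-log operation name, which is also an assumption to check against your tenant's activity list.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement
# module and an account holding the Compliance Administrator role.
Import-Module ExchangeOnlineManagement

# Security & Compliance PowerShell endpoint (assumed sign-in account).
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Custom alert: fire once per window when any single user deletes
# 100 or more files in SharePoint/OneDrive within 60 minutes.
# Threshold, window, name and recipient are illustrative values.
New-ProtectionAlert -Name "Mass file deletion" `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation `
    -Threshold 100 `
    -TimeWindow 60 `
    -Severity High `
    -NotifyUser soc@contoso.com `
    -Description "Possible intentional destruction of documents; verify with the user before acting."

# Review every alert policy in the tenant, defaults included, and flag the
# ones that are switched off so they can be enabled per Microsoft's advice.
Get-ProtectionAlert |
    Sort-Object Category, Name |
    Select-Object Name, Category, Severity, AggregationType, Disabled |
    Format-Table -AutoSize

Get-ProtectionAlert | Where-Object { $_.Disabled } |
    ForEach-Object { Write-Warning "Disabled alert policy: $($_.Name)" }

Disconnect-ExchangeOnline -Confirm:$false
```

Start with a high threshold and a short window, then tune down once you know the normal deletion rate in your tenant; a policy that pages the on-call admin every time someone cleans up a project site will be muted within a week.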

While administrators can customize Office 365 alerts for many kinds of unusual activity, Microsoft also offers enhanced security features in its Cloud App Security product, which adds automatic remediation when an alert is triggered. When an incident is detected, the system can react on its own and either suspend the user or stop the action without waiting for an IT administrator.

Some of the advanced alerts Microsoft recommends administrators enable include:

  • leaked credentials;
  • unusual file share activity;
  • ransomware activity;
  • unusual administrative activity;
  • suspicious inbox forwarding;
  • impossible travel;
  • risky sign-in;
  • activity from suspicious IP addresses;
  • activity from an infrequent country.

It's one thing to detect unusual behavior; it's another to respond fast enough to contain a potential breach before it spreads through the company's environment. The enhanced security features in Office 365 Cloud App Security block suspicious users and activities on the administrator's behalf, much as Azure AD Premium P2 blocks suspicious sign-in attempts, which spares a stretched IT staff from having to be on alert at all times.