On Day 22 of Cybersecurity awareness month, learn to utilize the Microsoft 365 alerting to effectively secure your organization today. Stay tuned for more blogs in the Cybersecurity blog series.
Should admins stay up to date? Do they really need to know what’s going on in the organization?
Of course, yes! Cyber threats are increasing tremendously day by day. Cybercriminals are building longer ladders to break the security wall, so admins need to review often and build security much stronger. To achieve this, admins first need to know instantly about the suspicious activities that occur in the organization. Research from IBM says, ‘In 2022, it took an average of 277 days to identify and contain a breach.’ Shortening that duration saves money, so admins need to spot a breach and respond to it as soon as possible to save costs and avoid damage. This is where Microsoft 365 Alerting comes into play. It makes admins aware of suspicious happenings in the organization at the right time and lets them monitor and review the alerts later. Let’s take a look at how it works and how it helps improve security.
How do Microsoft 365 alerts help improve security?
Microsoft 365 triggers an alert whenever suspicious activity occurs in the organization, so admins can acknowledge and respond to risky events immediately and take action accordingly.
Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for consistent cyber resilience.
As he says, we should have an accurate vision of our security gaps and make our security measures stronger than before. Microsoft 365 alerting helps to fill those gaps with instant monitoring of suspicious activities. But the alerting features are scattered across various places, each with its own enhancements. Don’t get confused! Let me explain them clearly, one by one.
Microsoft 365 Default Alert Policies
Microsoft provides 45 prebuilt alert policies to help admins stay alerted to risky incidents, unusual activities, privilege assignments, etc., which are the basic requirements when looking at security. It provides alert policies in three alert categories, which include threat management, information governance, permissions, and mail flow.
These alert policies can be accessed through the Microsoft Defender portal or the Microsoft Purview portal. All of them are turned on by default. Admins can edit only the ‘recipients’ and ‘daily notification limit’ of a default alert policy; the other settings can’t be edited because it is a default policy.
Note: Auditing must be enabled in your tenant for the default alert policies to generate alerts.
Microsoft 365 Custom Alert Policies
Every admin needs to customize features at some point. When it comes to security, each organization has its own needs. No worries! Microsoft lets you create custom alerts for audit activities based on those needs, so admins can configure everything on their own around the weakest link in their security chain. In Microsoft 365, admins can create
- Activity alerts in Microsoft 365 Defender portal
- Custom alerts in Microsoft Purview or Microsoft Defender portal
- Alert policies in Defender for Cloud Apps
Let’s see how they work and the difference between them in detail.
Microsoft 365 Activity Alerts
Activity alerts in the Microsoft Purview portal let you create alert policies for Microsoft 365 audit activities. Before creating activity alerts, ensure that auditing is enabled for your tenant.
Activity alerts are well suited for the scenarios below.
- If you want to monitor when a specific user performs a specific activity in your organization.
For example, you can get an alert whenever James deletes a file.
- If you want to monitor when a specific user performs certain actions.
For example, you can get an alert whenever James deletes a file, creates a site, or moves a file.
- Similarly, you can get alerts for multiple users performing a specific action or multiple actions based on your needs.
Thus, creating activity alerts will be helpful in monitoring specific users’ actions instantly in your organization. It may take up to 24 hours for alerts to get triggered after creating or updating an alert policy.
License Requirements for Microsoft 365 Activity Alerts
There is no license restriction for creating activity alerts. They are available with business and enterprise subscriptions.
Note: Activity alerts are being deprecated, so Microsoft recommends that organizations start using alert policies from the Security and Compliance Center instead of creating new activity alerts.
Now, let’s explore how to create custom alert policies in the Compliance portal or the Microsoft 365 Defender portal.
Microsoft 365 Alert Policies in Security and Compliance Portal
Creating custom alert policies in the Compliance portal gives you more features than activity alerts. In addition to monitoring a user’s specific action, you can now get alerts whenever a bulk action happens in the organization within a specified time window.
There are some scenarios in which Microsoft 365 custom alerts save you!
- Get an alert whenever a user performs a specific action.
For example, you can get an alert whenever a user deletes a file in the organization.
- Get an alert whenever a single user performs a bulk action within a specific time limit.
For example, you can get an alert whenever James deletes more than 15 files in 60 minutes.
- Get an alert whenever a bulk action happens in the organization. Here, it may be performed by a single user or multiple users.
For example, you can get an alert whenever more than 15 files are deleted in 60 minutes.
- Get an alert whenever a single user or multiple users perform an unusual activity. Microsoft maintains a baseline activity volume that is considered usual for the organization. When the activity goes beyond that level, it is considered unusual; the threshold for each activity is set by Microsoft, and admins can’t see or define it themselves.
Note: For these unusual-activity alerts, it can take up to a week for the policy to generate anomaly alerts.
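The activity alert and the threshold alert policy described in the two sections above, as an added example that is not part of the original post. It uses Security & Compliance PowerShell (the ExchangeOnlineManagement module); the addresses james@contoso.com, secops@contoso.com and admin@contoso.com are placeholders, and the auditing check at the top is the prerequisite both sections mention.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account has Security & Compliance admin rights.
# Placeholders: james@contoso.com (monitored user), secops@contoso.com (alert recipient).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Prerequisite: neither activity alerts nor alert policies fire unless auditing is on.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Auditing was off; it can take a few hours before events are recorded."
}

# 2. Activity alert (deprecated; single user + single action):
#    notify every time James deletes a file.
New-ActivityAlert -Name "James deleted a file" `
    -Operation FileDeleted `
    -UserId james@contoso.com `
    -NotifyUser secops@contoso.com `
    -Description "Activity alert: one notification per FileDeleted event by james@contoso.com"

# 3. Threshold alert policy (Purview/Defender alert policies): more than 15 files
#    deleted within 60 minutes anywhere in the organization. Needs E5 or an add-on
#    license (see the license section). Throttling keeps one noisy hour from
#    flooding the recipient with more than 5 emails.
New-ProtectionAlert -Name "Bulk file deletion" `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation `
    -Threshold 15 `
    -TimeWindow 60 `
    -Severity High `
    -NotifyUser secops@contoso.com `
    -NotifyUserThrottleThreshold 5 `
    -NotifyUserThrottleWindow 60 `
    -Description "Alert policy: more than 15 FileDeleted events within 60 minutes"

# 4. Review what is now defined; the 45 built-in policies are listed alongside yours.
Get-ProtectionAlert |
    Select-Object Name, Category, AggregationType, Threshold, TimeWindow, Disabled |
    Format-Table -AutoSize
```

Remember the delay noted above: a new or updated policy can take up to 24 hours to start firing, so a test deletion right after creation may not raise an alert.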
License Requirements for Microsoft 365 Advanced Alerts
- With Office 365 Business subscriptions, you can only create a single event alert.
- For creating advanced alerts like threshold and unusual activities, you should have enterprise E5/G5 subscriptions. For organizations having E1/F1/G1 or E3/F3/G3, you should have a Microsoft Defender for Office 365 P2 or a Microsoft E5 Compliance or an E5 eDiscovery and Audit add-on subscription.
Alerts in Office 365 Cloud App Security
Microsoft has renamed Microsoft Cloud App Security to Microsoft Defender for Cloud Apps, and the name change has left many people confused about what to use and when. To avoid that confusion, you should clearly understand the difference between Microsoft Defender for Cloud Apps and Office 365 Cloud App Security: Office 365 Cloud App Security is a subset of Microsoft Defender for Cloud Apps.
Office 365 Cloud App Security helps admins stay aware of threats through advanced investigation and alerts. It comes with 34 prebuilt alert policies for threat detection, such as malware detection, ransomware activity, risky sign-ins, unusual administrative activity, and more. You can access these alert policies through the Cloud App Security portal or the Defender portal.
Let’s see how these alerts help admins to stay protected from threats.
- It helps to detect anomalies in the Office 365 apps and alert admins instantly.
- You can get alerts for a specific user or multiple users or groups. Else, you can exclude specific users or groups according to your needs.
- It helps to monitor and control real-time sessions for Office 365 apps with Conditional Access App Control.
- It provides cloud platform security for Azure.
- In addition to the prebuilt policies, you can create custom policies with the required configurations to meet your organizational needs.
License Requirements for Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription.
How to view alerts in Microsoft 365
- You can view the triggered alerts on the Alerts page of the Microsoft Defender portal or the Microsoft Purview portal.
- To view triggered alerts, you need the respective RBAC permissions for each alert category.
- Alerts triggered by anomaly detection policies in Defender for Cloud Apps can also be viewed in the Microsoft Purview portal. Thus, admins can manage all generated alerts through the Microsoft Purview portal.
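For admins who prefer the command line to the Alerts page, the following added example (not from the original post) pulls recently triggered alerts out of the unified audit log. It assumes Connect-IPPSSession has already been run, and it assumes that alert events are stored under the SecurityComplianceAlerts record type with the AlertTriggered operation and that the AuditData JSON carries Name, Severity, Category and Source fields.

```powershell
# Added example (not from the original post). Assumes an existing Connect-IPPSSession
# and that alert events land in the unified audit log as RecordType
# SecurityComplianceAlerts / Operation AlertTriggered (both assumed here).
$since  = (Get-Date).AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType SecurityComplianceAlerts -Operations AlertTriggered -ResultSize 500

# AuditData is a JSON string; keep only the fields an analyst triages on.
$alerts = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $e.CreationDate
        Policy   = $d.Name        # name of the alert policy that fired
        Severity = $d.Severity
        Category = $d.Category    # ThreatManagement, DataGovernance, Others, ...
        Source   = $d.Source      # distinguishes Purview/Defender alerts from Cloud App Security ones
    }
}

# Newest first, with a quick count per policy to spot the noisiest rules.
$alerts | Sort-Object Time -Descending | Format-Table -AutoSize
$alerts | Group-Object Policy | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Because this reads the same audit log that the portal uses, it needs the same RBAC permissions as the Alerts page.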
Drawbacks of Microsoft 365 Alerting
- For advanced alerts, you should have an enterprise license or add-on licenses.
- When creating custom policies in the Defender or Purview portal, you can’t select specific groups or usernames to generate alerts.
- Only a limited number of common activities are available for custom policy creation.
- Only a few prebuilt categories are available for alert policies; the rest of the alerts fall under the ‘Others’ category. Also, you can’t create custom labels to categorize the alerts.
Thus, we have seen how Microsoft 365 alerts are scattered in various places with enhanced features. I hope this blog helps you to precisely understand the Microsoft alerting feature and know when to use these alerts in your organization. You can drop your queries in the comment section. Happy Alerting!