Configure alerts for your 365 Tenant from the Security & Compliance Center
Alex Fields
If you have an Office 365 or Microsoft 365 subscription, then you should check out the Security & Compliance Center; there are plenty of tools in here to help you step up your game. Generally speaking, very little is configured by default, so if you want to be secure or compliant, know that these things don’t happen by magic; you have to do the work to make them happen. Nevertheless, in recent months Microsoft has been making strides toward giving us all a better “head start”, so to speak. For example:
- Auditing is now enabled by default (this did not used to be the case)
- Anti-spoofing technology has come to all subscriptions, not just those with ATP
- Some default alerts have been added into certain subscriptions
Today, let’s take a look at configuring alerts through the Security & Compliance center. With E1/G1, E3/G3 and E5/G5 subscriptions, there will also be a few default alerts enabled (which will send email notifications to tenant admins). I also found these available in Microsoft 365 Business subscriptions.
Browse to the Security & Compliance admin center, then choose Alerts > Alert policies.
From here, depending on your subscription level, you may see these four policies which are created by default:
- eDiscovery search started or exported
- Elevation of Exchange admin privilege
- Creation of forwarding/redirect rule
- Messages have been delayed
This is a good list of default alerts. I especially like elevation of privilege and creation of forwarding/redirect rules: setting up a rule that forwards mail to an external address is one of the first things attackers do once they control a mailbox, because it lets them keep reading the victim’s mail even after the password is reset. There will be quite a few more if you have the E5/G5 plan, some pertaining to malware campaigns, and others like “unusual” file sharing or deletion activities. See here for more detail on the default policies included with each subscription.
If nobody monitors the tenant admins’ inboxes day to day, then you should edit these default policies now and change the recipients to people who will actually see the alerts and take action.
When an event occurs that trips this alert, then you can expect an email notification, like the one pictured below.
Create your own alerts
Next, you can also create other alerts, to your liking. Every tenant has access to certain alerts, and if you have subscriptions such as E5, Threat intelligence or Advanced compliance, then you will see even more options available when choosing alerts. In this example, I’ll create a simple alert for Malware detected in a SharePoint or OneDrive file–this one should be available in all subscriptions.
You can search for activities–find Detected malware in file in this list, and continue.
Now choose a recipient (or more than one). If you are a provider it can be beneficial to add your support contact to the GAL so it is available here.
Review your new alert and click Finish.
Wasn’t that easy? You can create all types of alerts and get notified when things happen: files or groups are changed or deleted, or new admin privilege is granted on a site collection (that’s a good one, too!).
Think about the things that should or should not happen in your organization. What do you need to know about? See if you can design some alerts based on your own criteria.
A note about PowerShell
In theory, these alerts are controlled by the New-ProtectionAlert cmdlet available via the Security & Compliance Center PowerShell module. However, no matter how simple I make the rule, I cannot seem to create it in PowerShell, without seeing this message:
Creating advanced alert policies requires an Office 365 E5 subscription or Office 365 E3 subscription with an Office 365 Threat Intelligence or Office 365 EquivioAnalytics add-on subscription for your organization. With your current subscription, only single event alert can be created.
I have seen others out there comment to the same effect, so I assume Microsoft has to straighten something out. The identical rule can be created in the web interface, without issue, but apparently in PowerShell, it’s not the right subscription? Go figure.
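For readers who would rather script this, here is the recipient change recommended above for the default policies, plus the single-event “Detected malware in file” alert from the walkthrough, done with the Security & Compliance Center cmdlets. This is an added example, not code from the original post, and it assumes that `New-ProtectionAlert` with `-AggregationType None` is accepted in your tenant (that is the “single event alert” the error message refers to). The recipient addresses and the admin UPN are placeholders, the assumption that default policies list `TenantAdmins` as their recipient is mine, and `FileMalwareDetected` is the SharePoint/OneDrive audit operation name I expect to match “Detected malware in file”; check it against your own audit log before relying on it.

```powershell
# Added example (not from the original post). Needs the ExchangeOnlineManagement
# module; Connect-IPPSSession opens the Security & Compliance Center endpoint.
# All addresses and the admin UPN below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. List what already exists, including the default policies described above.
Get-ProtectionAlert |
    Select-Object Name, Category, Severity, NotifyUser, Disabled |
    Format-Table -AutoSize

# 2. Re-point every policy that still notifies "TenantAdmins" (assumption: that is
#    how the default policies appear in this tenant; confirm with the output of
#    step 1) to mailboxes that are actually watched.
$watchers = @('secops@contoso.com', 'msp-support@provider.example')
Get-ProtectionAlert |
    Where-Object { $_.NotifyUser -contains 'TenantAdmins' } |
    ForEach-Object {
        Set-ProtectionAlert -Identity $_.Name -NotifyUser $watchers
    }

# 3. Create the single-event malware alert from the walkthrough.
#    -AggregationType None fires once per occurrence, i.e. the single-event mode
#    that the error message in this post says is available on any subscription.
#    FileMalwareDetected is assumed to be the SharePoint/OneDrive audit operation
#    behind "Detected malware in file"; verify with Search-UnifiedAuditLog.
New-ProtectionAlert -Name 'Malware detected in SharePoint/OneDrive file' `
    -Category ThreatManagement `
    -Severity High `
    -ThreatType Activity `
    -Operation FileMalwareDetected `
    -AggregationType None `
    -NotifyUser $watchers `
    -Description 'Single-event alert: a file in SharePoint Online or OneDrive was flagged as malware.'

# 4. Confirm the policy exists, targets the right operation and is enabled.
Get-ProtectionAlert -Identity 'Malware detected in SharePoint/OneDrive file' |
    Format-List Name, Operation, AggregationType, NotifyUser, Disabled
```

If step 3 returns the subscription error quoted above even with `-AggregationType None`, create the policy in the web interface as the post describes; steps 1, 2 and 4 still work for reviewing and re-pointing the alerts that exist.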