Microsoft 365 keeps a very comprehensive audit log of activities performed by both users and administrators. Most organizations will have millions of entries in the audit logs each month. The question is how to make sense of all this data and detect data breaches in time.
An IBM 2023 study showed the average time to detect and contain a data breach is 277 days.
This can lead to significant financial losses and generate a negative reputation for the organization. IBM also showed that security automation is one of the most important things a company can do to improve the response time for a data breach and reduce costs. Automation handles many time-consuming tasks, eliminates the chance of human error, and increases your chances of detecting a data breach in time.
This is where Alert policies inside Microsoft Purview (previously known as the Security & Compliance Center) come into play. Several default alert policies can help you monitor activities such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions and external sharing. You can also create your own alert policies that specify which user activities, and under which conditions, should generate an alert.
Below, you can find a quick overview of how alert policies work. It is essential to understand this flow:
[Figure: overview of how alert policies work. Image source: Microsoft]
In general, Alert policies can detect suspicious and unusual activity in your tenant, such as:
Here are some of the critical areas covered by Alert policies:
Microsoft provides a notable set of built-in alert policies. You can find the built-in policies on the Alert policies page. You can easily recognize them by the bolded name and a “System” policy type definition. Although these policies are turned on by default, you have the option to disable them or edit the list of recipients for email notifications. Unfortunately, you cannot edit other settings for built-in policies.
The list of these built-in alert policies depends on the available licenses in your organization. Some policies will only be available if you have the appropriate Office 365 Enterprise or Office 365 US Government plan. Moreover, some policies are only available if your organization has the appropriate add-on to a standard E1/F1/G1 or E3/F3/G3 subscription. Some add-on subscription examples are Microsoft Defender for Office 365 P1 or P2, or Microsoft 365 E5.
You can find the complete list of built-in alert policies based on your subscription on the following link.
Figure 2: Built-in alert policies
Using the Manage advanced alerts page in Microsoft Purview, you can view incidents generated by Microsoft Defender for Cloud Apps and its subsystem Microsoft Cloud App Security (MCAS). Please note that this requires your organization to have MCAS licenses (only available for organizations with an Office 365 Enterprise E5 or Office 365 US Government G5 subscription). Some of the advanced features offered by MCAS are:
To create alerts based on your company policies, you need to click Policies > Alert policies inside Microsoft Purview. From there, a New alert policy action starts the configuration wizard that sets up your new alert policy’s settings.
The wizard consists of a few steps. In the first step, you need to define some basic settings. This will help you identify, filter, and manage alerts generated by this policy on the Alerts page:
In the second step, you need to choose an activity to trigger the alert and apply additional conditions if necessary:
In the image above, you can see that we are trying to detect potential abuse of admin rights. In our example, a SharePoint admin adds himself as a site collection admin to multiple sites, which gives him access to their content. In our case, the alert will be triggered if the admin is added to 50 or more sites within 60 minutes. Such behavior is abnormal and warrants investigating what is happening and why such an action was taken.
In the third step, you can specify the settings for email notifications:
It is good practice to enable email notifications only for specific alert categories or high severity. If too many emails are sent, there is a higher chance that you’ll overlook the critical alert in the clutter of all other emails.
In the last step, you can review the alert policy settings before you turn on the policy. You can also save the new alert policy but keep it disabled until you enable it later at any point in time.
Once you finish the wizard, you will see your new alert policy on the Alert policies page. You will notice that it will have the Type value defined as Custom. From here, you can edit, disable, or delete it at any time.
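To make the threshold rule from the wizard example concrete, here is an added illustration (not code from the article or from Microsoft) of the same aggregation logic run over constructed audit records shaped like Unified Audit Log entries: one alert per actor who is added as site collection admin to 50 or more distinct sites within a sliding 60-minute window. The operation name `SiteCollectionAdminAdded`, the tenant names and all records are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_SITES = 50                    # "50 or more sites"
WINDOW = timedelta(minutes=60)          # "within 60 minutes"
OPERATION = "SiteCollectionAdminAdded"  # assumed audit operation name, not confirmed by the article


def detect_admin_abuse(records, threshold=THRESHOLD_SITES, window=WINDOW):
    """Return [(user, distinct_site_count, window_start, window_end), ...].

    records: dicts with CreationTime (ISO 8601), Operation, UserId, SiteUrl.
    A per-actor sliding window of matching events is kept; an alert fires the
    first time the number of distinct sites in the window reaches the threshold
    and is not repeated until the count drops below it again.
    """
    events = sorted((r for r in records if r.get("Operation") == OPERATION),
                    key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    per_user = defaultdict(deque)   # user -> deque of (time, site) inside the window
    alerted, alerts = set(), []
    for r in events:
        t, user = datetime.fromisoformat(r["CreationTime"]), r["UserId"]
        q = per_user[user]
        q.append((t, r["SiteUrl"]))
        while q and t - q[0][0] > window:   # evict events older than the window
            q.popleft()
        sites = {site for _, site in q}
        if len(sites) >= threshold and user not in alerted:
            alerts.append((user, len(sites), q[0][0], t))
            alerted.add(user)
        elif len(sites) < threshold:
            alerted.discard(user)
    return alerts


def sample_records():
    """Constructed sample data (not real tenant logs): one admin is added to 55 sites
    in under 50 minutes, another to only 3 sites, plus one unrelated operation."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    recs = [{"CreationTime": (base + timedelta(seconds=i * 54)).isoformat(),
             "Operation": OPERATION, "UserId": "spadmin@contoso.example",
             "SiteUrl": f"https://contoso.example/sites/site{i:03d}"} for i in range(55)]
    recs += [{"CreationTime": (base + timedelta(minutes=i * 5)).isoformat(),
              "Operation": OPERATION, "UserId": "ops@contoso.example",
              "SiteUrl": f"https://contoso.example/sites/team{i}"} for i in range(3)]
    recs.append({"CreationTime": base.isoformat(), "Operation": "FileAccessed",
                 "UserId": "spadmin@contoso.example", "SiteUrl": "https://contoso.example/sites/hr"})
    return recs


if __name__ == "__main__":
    for user, n, start, end in detect_admin_abuse(sample_records()):
        print(f"ALERT {user}: added to {n} sites between {start} and {end}")
```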
When a user activity matches an alert policy’s settings, an alert is generated and displayed inside Microsoft Purview. The first place to view your alerts is the Home page, and the second one is the Alerts page.
On the Dashboard page, you get to see current Active alerts with their severity so you can immediately see if you have any incidents in your environment. From there, you can quickly drill to see all the alerts.
On the Alerts page, you get a more detailed view of all the triggered alerts in your environment. The page displays a table with the following information:
The filtering options on this page are really helpful: you can filter on any of the fields mentioned above, and additionally by alert source, either Microsoft Purview or Microsoft Defender for Cloud Apps.
Another helpful thing is the Status column. You can assign one of the following statuses: Active (the default), Investigating, or Dismissed. This helps you track the process of resolving alerts and makes it easy to distinguish new alerts from the ones you have already investigated.
The Alert Policies solution is powerful and useful, but it still does have some downsides:
Much of the functionality and usefulness of this feature depends on your licenses: a lot of it requires an Office 365 Enterprise E5 or additional add-on subscriptions, such as:
You need to specify a static list of user or shared mailbox emails. The typical use case is to notify group owners when some group content is shared with external users. If this sharing happens in Group A, notifications should only go out to Group A owners; if it happens in Group B, notifications should only go out to Group B owners. With out-of-the-box alert policies, you would need to create a new alert for each group and manually specify the conditions and list of notification recipients for that group alone. Maintaining such alerts over time would be practically impossible.
Email notifications you receive often do not contain all the critical pieces to figure out what happened without looking at the alert’s details in Microsoft Purview. Below is an example for the File Accessed alert, where you cannot see which files were accessed or on which site.
You cannot create Alert policies for all the activities recorded in the Microsoft 365 audit log. Some workloads have more significant delays when they feed events in the audit logs, and the idea behind alerts is to be close to real-time. Only a small subset of activities is available for alerts compared to the full list of activities recorded by the audit logs.
Figuring out which management role has access to which alert category is no easy task. You'll see that when you look at the matrix of all the access levels. But even with all those roles, it is still impossible to empower group owners to create alert policies for their sites, nor can they view triggered alerts for their sites.
Microsoft 365 security automation is one of the most important things a company can do to detect data breaches as early as possible and minimize the risk of substantial financial losses. Alert policies inside Microsoft Purview will help you secure your environment with a set of built-in policies. You can also use the tools to build custom alert policies according to your company policies.
It helps if you plan on which activities you should monitor inside your organization. It will take you some time to find the right balance between getting notifications when something serious happens and avoiding being spammed.
We also mentioned some of the downsides of Alert policies. To tackle some of them, we have built the alert feature inside Syskit Point! It is a simple but powerful solution to automate your security alerts. It does not require you to have expensive Office 365 Enterprise E5 licenses. It also helps your site, Teams, and Groups owners to set up their own alerts. Since they have hands-on knowledge of their content, they are the best people to identify risky sharing or unauthorized access.