In this article I will show you how to set up log alert policies for Office 365 administrators.  There is a long list of alerts that can be configured; see the list below.  Before you begin, you will need to enable audit logging in the new Office 365 Security & Compliance Center.

Enable Audit Logging

  1. Log in to the Security & Compliance Center at https://protection.office.com
  2. Click Start recording user and admin activity on the Audit log search page.
    It may take several hours for logging to be enabled and for logs to appear.

Grant Required Permissions to be able to create alert policies

To create new alert policies, you must add your Office 365 user account to the Security Administrator group within the Security & Compliance Center.  These steps must be done even if you are already an Office 365 Administrator.

  1. Choose Permissions and tick the checkbox next to the Security Administrator group
  2. In the right preview pane, click Edit role group or click Edit next to Members.
  3. Click Choose members and Edit
  4. Click Add, choose your user account and then click Done

Create a new log alert policy

When you visit the Alerts | Alert policies page you will see that Microsoft has created some preconfigured alerts.  For this example we are going to create our own log alert that fires every time an Office 365 user creates an anonymous share link from OneDrive or SharePoint.  This is a good alert to have configured since anonymous links can lead to data leakage.

  1. Choose Alerts | Alert policies from the left nav menu and click the blue + New alert policy button.
    If you do not see this blue button, you will need to grant yourself the required permissions within the Security & Compliance Center; see the steps above.
  2. Give your alert a Name, Description, and Severity, then click Next.
  3. Choose the activity you would like to alert on; in this example choose User Created an anonymous link and click Next.
  4. Enter the email address(es) of people you would like to receive the alert and click Next.
  5. Review your settings and click Finish
  6. Our newly created alert policy is now active. Congratulations!
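
The same three steps (enable auditing, grant the role, create the alert) can also be scripted. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, uses placeholder account, recipient and policy names, and assumes AnonymousLinkCreated is the audit operation behind the "Created an anonymous link" activity.

```powershell
# Added example (not from the original article). Requires the
# ExchangeOnlineManagement module. Account, recipient, policy name and
# severity are placeholders; replace them with your own values.
$AdminUpn   = 'admin@contoso.example'    # placeholder: account running the script
$Recipient  = 'secops@contoso.example'   # placeholder: who receives the alert mail
$PolicyName = 'Anonymous link created'   # placeholder policy name

Import-Module ExchangeOnlineManagement

# Step 1: enable unified audit logging. This setting is read and written in
# an Exchange Online session; it can take several hours before logs appear.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Steps 2 and 3 run in a Security & Compliance PowerShell session.
Connect-IPPSSession -UserPrincipalName $AdminUpn

# Step 2: add the account to the Security Administrator role group.
# Add-RoleGroupMember fails if the account is already a member (or the caller
# may not manage role groups); the error is reported as a warning so the
# script can continue to the next step.
try {
    Add-RoleGroupMember -Identity 'SecurityAdministrator' -Member $AdminUpn -ErrorAction Stop
} catch {
    Write-Warning "Role group not changed: $($_.Exception.Message)"
}

# Step 3: create the alert policy only if one with this name does not exist.
# AggregationType None raises an alert on every matching event.
if (-not (Get-ProtectionAlert | Where-Object Name -eq $PolicyName)) {
    New-ProtectionAlert -Name $PolicyName `
        -Description 'A user created an anonymous sharing link in OneDrive or SharePoint.' `
        -Category Others `
        -ThreatType Activity `
        -Operation AnonymousLinkCreated `
        -AggregationType None `
        -Severity Medium `
        -NotifyUser $Recipient
}

# Confirm what was created, then close both sessions.
Get-ProtectionAlert | Where-Object Name -eq $PolicyName |
    Format-List Name, Severity, Operation, NotifyUser
Disconnect-ExchangeOnline -Confirm:$false
```

If New-ProtectionAlert is not recognized right after the role change, reconnect the Security & Compliance session so the new role is picked up.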

List of Available Log Alerts

Common user activities

  • User submitted email
  • Detected malware in file
  • Shared file or folder
  • Created mail forward/redirect rule
  • Any file or folder activity
  • Changed file or folder
  • Shared file externally
  • Granted Exchange admin permission
  • Granted mailbox permission
  • External user file activity
  • DLP policy match

File and folder activities

  • Accessed file
  • Checked in file
  • Checked out file
  • Copied file
  • Deleted file
  • Discarded file checkout
  • Downloaded file
  • Modified file
  • Moved file
  • Renamed file
  • Restored file
  • Uploaded file

File sharing activities

  • Accepted access request
  • Accepted sharing invitation
  • Created a company shareable link
  • Created access request
  • Created an anonymous link
  • Created sharing invitation
  • Denied access request
  • Removed a company shareable link
  • Removed an anonymous link
  • Shared file, folder, or site
  • Updated an anonymous link
  • Used an anonymous link

Synchronization events

  • Allowed computer to sync files
  • Blocked computer from syncing files
  • Downloaded files to computer
  • Downloaded file changes to computer
  • Uploaded files to document library
  • Uploaded file changes to document library

Site administration activities

  • Added exempt user agent
  • Added site collection admin
  • Added user or group to SharePoint group
  • Allowed user to create groups
  • Changed exempt user agents
  • Changed a sharing policy
  • Created group
  • Created Sent To connection
  • Created site collection
  • Deleted group
  • Deleted Sent To connection
  • Enabled document preview
  • Enabled legacy workflow
  • Enabled Office on Demand
  • Enabled RSS feeds
  • Enabled result source for People Searches
  • Modified site permissions
  • Removed user or group from SharePoint group
  • Renamed site
  • Requested site admin permissions
  • Set host site
  • Updated group

via How to create Alert Policies in Office 365 Security & Compliance Center – jcutrer.com
