Forum Discussion
Getting Office 365 Security Events and Incidents in Sentinel
You can configure notifications by updating the alert policies at protection.office.com
- AnalystGuy, Aug 13, 2020, Copper Contributor
Thijs Lecomte How do I configure a policy to enable alerts for custom detections? The category and "Activity is" selectors in the alert policy wizard do not seem to provide a means to set up alerts for Office 365 custom detections. I'm about ready to just move my custom detections back to the ATP level (if anybody knows of an automated way to do that, let me know!).
- Thijs Lecomte, Aug 15, 2020, Bronze Contributor
Could you specify custom detections? Not sure if I follow.
- AnalystGuy, Aug 25, 2020, Copper Contributor
Thijs Lecomte Say you do this:
Go to security.microsoft.com/advanced-hunting, create a query, and then click "Create detection rule".
Now you've got a Custom Detection; how do you set a notification policy for it? Within the detection you can configure actions, but email notifications/alerts aren't one of them. I ended up giving up and, based on feedback I've seen from a couple of sources, moved my custom detection rules from Office 365 back to ATP. What I really wanted was to feed it all to Azure Sentinel, but the best combination of flexibility and alerting seems to be at the ATP level.