cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Maintain visibility more effectively with updates to alert policies and insights
By
Binyan Chen
Published Jan 29 2019 09:00 AM 20.7K Views
Binyan Chen
Microsoft
‎Jan 29 2019 09:00 AM

Maintain visibility more effectively with updates to alert policies and insights

‎Jan 29 2019 09:00 AM

We have heard from customers that in today’s modern workplace and threat landscape, alerts and insights are a key tool to maintain visibility and control in your environment. Office 365 alert policies and insights in Security & Compliance Center are effective tools for organizations to detect threats, monitor anomalous activities and enhance protection in Office 365. This month, we are rolling out new capabilities to enhance your alert and insight experience in Office 365.

Consume Cloud App Security alerts in Office 365 Security and Compliance center

Microsoft Cloud App Security alerts related to Office apps and services are now available in the Office 365 security and compliance center on the view alerts page. With the addition of these alerts in the compliance center, you now have a central view within one portal. In addition, these same alerts are now available via the Management Activity API.

 

security1.png

For more details, please refer to this section in documentation.

 

 

Alerts signal available in Management Activity API

 

Availability of the alerts signal in the Management Activity API has been one of the top feature requests from both customers and partners. Starting now, Office 365 Security & Compliance Alerts can be retrieved from Management Activity API as a signal. This means that you can now consume Office 365 alerts in your own way by simply integrating it with your SIEM or self-created solution.

Meanwhile, this also means that these signals can be searched from “Search-UnifiedAuditLog” for Cmdlet based log access.

 

security2.png

For more details, please refer to the schema documentation for Office 365 Security & Compliance alerts in Management Activity API.

 

Manage access to alerts with role-based permissions

Admins with various roles come to the Security and Compliance center to consume alerts. Until now, the permission for viewing alerts has been universal across the entire organization, creating a challenge for access to alerts for specific scenarios such as data loss, or privileged access.  As we expand the scenarios that alert policies support across Security & Compliance, the necessity for a more granular permission model emerges. This month, we will start to roll out the role-based access to alerts. For example, a Compliance admin will no longer have permission to see Threat management alerts in “View alerts” page. Read more about this update here.

 

Insights signal available in Management Activity API

In various places in Security & compliance Center, Office 365 provides you with insights about potential threats or configuration issues that we have identified on your behalf, such as “Users targeted by phishing campaign” or “Spam mails delivered due to allowed IP”, along with actionable recommendations for you to resolve or mitigate these issues.

 

To date, we have introduced about 30 such insights. And now, we are excited to share that these insight signals can also be retrieved via the Management Activity API. This update will start to roll out later this month.

 

security3.png

Alert policies based on S&CC insights

Along with the availability of insight signals in Management Activity API,  we are also allowing admins to configure alert policies and receive email notifications based on these insights from S&CC. Certain insight based alerts will be rolled up as on-by-default alert policies.

 

security4.png

This capability is also starting to roll out later this month. Check back for updates on related documentation.

  • Binyan Chen, Sr Program Manager, Microsoft 365 Compliance Solutions
3 Comments
Vasil Michev
MVP
‎Jan 29 2019 11:53 AM
‎Jan 29 2019 11:53 AM

The insights integration into the MA API and Alerts is great, cant wait to play with it :)

0 Likes
Like
Michael Sampson
Iron Contributor
‎Jan 31 2019 10:39 AM
‎Jan 31 2019 10:39 AM

@Binyan Chen Thanks for the updates. For MCAS integration, the documentation (https://docs.microsoft.com/en-us/Office365/SecurityCompliance/alert-policies#viewing-cloud-app-secur...) says "Changing the status of a Cloud App Security alert in the Security & Compliance Center won't update the resolution status for the same alert in the Cloud App Security portal. For example, if you mark the status of the alert as Resolved in the Security & Compliance Center, the status of the alert in the Cloud App Security portal is unchanged. To resolve or dismiss a Cloud App Security alert, manage the alert in the Cloud App Security portal."

 

A couple of questions:

1. Does this apply to alerts from Office 365 Cloud App Security as well, or just to MCAS ones?

2. If the alert is resolved in MCAS, does that status flow through to O365 Alerts? I assume the answer is no currently, but that would be nice otherwise the O365 Alerts screen is going to show out-of-date status data points that will eventually lead to them being ignored.

3. Are there any plans to change the lack of alert status integration between the two? Having to resolve in both places is duplication of effort, something we'd like to minimise.

julianmwe
Copper Contributor
‎Jun 29 2020 12:02 AM
‎Jun 29 2020 12:02 AM

@Binyan Chen Thanks for the updates. In case of the Alert that can be created by a detected phishing campaign - how often insights will be generated? How many detected mails will be required to create an alert?

 

Many thanks.

 

Julian

0 Likes
Like
Version history
Last update:
‎May 11 2021 02:08 PM
Updated by: