In the Security & Compliance Center (protection.office.com), you can select Alerts | View alerts from the left navigation pane to view, filter, and resolve alerts:
To view more detail on an alert, check the box to its left. This opens a pane with more detail and the option to resolve it as seen in the screenshot that follows:
If you select Resolve on an alert, you're able to modify its status and add additional comments. For the status drop-down list, you can choose from the following to help track the status of the alert:
- Keep it Active and just add comments: No change, except perhaps notes.
- Investigating: Currently being looked into.
- Resolved: Action has been taken so that the alert is no longer a concern.
- Dismissed: The alert is a false positive or no action will be taken.
As seen in the following screenshot you can choose the alert status from a dropdown, enter accompanying comments, and save to update the alert accordingly.
Under Alert policies, you can adjust existing policies (and some default policies). For each policy, you'll configure the severity, category, conditions, actions, and so on. In the following example, the policy is default and is looking for anomalous activity in external file sharing:
Here's a list of other activities (conditions) you could base a policy on. For the exam, be sure to become familiar with the types of policies you can create with these actions:
|
Common user activities
|
File and folder activities |
File sharing activities |
Synchronization events |
Site administration activities |
|
Detected malware in an email message |
Accessed file |
Accepted access request |
Allowed computer to sync files |
Added exempt user agent |
|
Phishing email detected at time of delivery |
Checked in file |
Accepted sharing invitation |
Blocked computer from syncing files |
Added site collection admin |
|
User submitted email |
Checked out file |
Created a company shareable link |
Downloaded files to computer |
Added user or group to SharePoint group |
|
Detected malware in file |
Copied file |
Created access request |
Downloaded file changes to computer |
Allowed user to create groups |
|
Shared file or folder |
Deleted file |
Created an anonymous link |
Uploaded files to document library |
Changed exempt user agents |
|
Created mail forward/redirect rule |
Discarded file checkout |
Created sharing invitation |
Uploaded file changes to document library |
Changed a sharing policy |
|
Any file or folder activity |
Downloaded file |
Denied access request |
Created group |
|
|
Changed file or folder |
Modified file |
Removed a company shareable link |
Created Sent To connection |
|
|
Shared file externally |
Moved file |
Removed an anonymous link |
Created site collection |
|
|
Granted Exchange admin permission |
Renamed file |
Shared file, folder, or site |
Deleted group |
|
|
Granted mailbox permission |
Restored file |
Updated an anonymous link |
Deleted Sent To connection |
|
|
External user file activity |
Uploaded file |
Used an anonymous link |
Enabled document preview |
|
|
DLP policy match |
Enabled legacy workflow |
|||
|
An eDiscovery search was started or exported |
Enabled Office on Demand |
|||
|
Enabled RSS feeds |
||||
|
Enabled result source for people searches |
||||
|
Modified site permissions |
||||
|
Removed user or group from SharePoint group |
||||
|
Renamed site |
||||
|
Requested site admin permissions |
||||
|
Set host site |
||||
|
Updated group |
A good example of an alert you might be asked to create would be one that notifies someone when a file from a particularly sensitive site, or with a certain name, is shared externally. The following screenshot shows the configuration of an alert's trigger and scope:
Manage advanced alerts takes you to the Cloud App Security dashboard we discussed in a previous chapter.
In the next section, we'll look into the Azure AD Identity Protection dashboard and its alerts.