Alert policies are available for organizations with a Microsoft 365 Enterprise, Office 365 Enterprise, or Office 365 US Government E1/F1/G1, E3/F3/G3, or E5/G5 subscription. Advanced functionality is only available for organizations with an E5/G5 subscription, or for organizations that have an E1/F1/G1 or E3/F3/G3 subscription and a Microsoft Defender for Office 365 P2, a Microsoft 365 E5 Compliance, or an E5 eDiscovery and Audit add-on subscription. The functionality that requires an E5/G5 or add-on subscription is highlighted in this topic. Alert policies are also available in Office 365 GCC, GCC High, and DoD US government environments.

Here's a quick overview of how alert policies work and of the alerts that are triggered when user or admin activity matches the conditions of an alert policy.

An admin in your organization creates, configures, and turns on an alert policy by using the Alert policies page in the Microsoft 365 compliance center or the Microsoft 365 Defender portal. You can also create alert policies by using the New-ProtectionAlert cmdlet in Security & Compliance Center PowerShell. To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the Microsoft 365 compliance center or the Defender portal.

It takes up to 24 hours after creating or updating an alert policy before alerts can be triggered by the policy. This is because the policy has to be synced to the alert detection engine, so a newly created policy that does not fire during a test in that window is not necessarily misconfigured.

A user performs an activity that matches the conditions of an alert policy. In the case of malware attacks, infected email messages sent to users in your organization trigger an alert.

Microsoft 365 generates an alert that's displayed on the Alerts page in the Microsoft 365 compliance center or the Defender portal. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see on the Alerts page are determined by the roles assigned to the user. For more information, see RBAC permissions required to view alerts.

An admin manages alerts in the compliance center. Managing alerts consists of assigning an alert status to help track and manage any investigation.

An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered. You also categorize the policy and assign it a severity level. These two settings help you manage alert policies (and the alerts that are triggered when the policy conditions are matched) because you can filter on them when managing policies and viewing alerts in the compliance center. For example, you can view alerts that match the conditions from the same category or view alerts with the same severity level.

To view and create alert policies:

Microsoft 365 compliance center: Go to the Microsoft 365 compliance center, and then select Policies > Alert > Alert policies.

Microsoft 365 Defender portal: Go to the Microsoft 365 Defender portal and under Email & collaboration select Policies & rules > Alert policy.

The activities that you can track depend on your organization's Office 365 Enterprise or Office 365 US Government plan. In general, activities related to malware campaigns and phishing attacks require an E5/G5 subscription or an E1/F1/G1 or E3/F3/G3 subscription with a Defender for Office 365 Plan 2 add-on subscription.

Activity conditions. For most activities, you can define additional conditions that must be met to trigger an alert. Common conditions include IP addresses (so that an alert is triggered when the user performs the activity on a computer with a specific IP address or within an IP address range), whether an alert is triggered if a specific user or users perform that activity, and whether the activity is performed on a specific file name or URL. You can also configure a condition that triggers an alert when the activity is performed by any user in your organization. The available conditions depend on the selected activity.

You can also define user tags as a condition of an alert policy, so that alerts triggered by the policy include the context of the impacted user. You can use system user tags or custom user tags. For more information, see User tags in Microsoft Defender for Office 365.
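The following is an added example, not code from the original page or from Microsoft's documentation. It shows the PowerShell route mentioned above for creating an alert policy with the New-ProtectionAlert cmdlet, bringing together the settings the text describes: a tracked activity, a condition (here an IP-range filter), a threshold with a time window, a category and severity for filtering, and email notification recipients. It then reads the policy back with Get-ProtectionAlert so you can confirm what was stored. The tenant UPN, recipient address, IP range, and the property name used in the -Filter string (Activity.ClientIP) are assumptions for illustration; check the condition syntax against your own tenant before relying on it.

```powershell
# Added example (not from the original page or Microsoft's docs).
# Requires the ExchangeOnlineManagement module and an account holding the
# Manage Alerts or Organization Configuration role. All identifiers below
# (UPN, recipient, IP range, filter property) are assumed for illustration.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'secadmin@contoso.example'   # assumed UPN

$policyName = 'Bulk file deletion from outside the corporate network'

# Create the policy only if it does not already exist, so the script can be re-run.
if (-not (Get-ProtectionAlert -Identity $policyName -ErrorAction SilentlyContinue)) {

    $params = @{
        Name            = $policyName
        Description     = 'One user deletes 50 or more files within 60 minutes from an IP outside 10.0.0.0/8'
        Category        = 'ThreatManagement'   # category and severity are the two filterable settings
        Severity        = 'Medium'
        ThreatType      = 'Activity'           # track a user/admin activity (not a malware/phish campaign)
        Operation       = 'FileDeleted'        # audit-log operation name for the tracked activity
        Filter          = "Activity.ClientIP -notlike '10.*'"   # IP-range condition; property name is an assumption
        AggregationType = 'SimpleAggregation'  # count occurrences in a window instead of alerting on each one
        Threshold       = 50                   # how many times the activity must occur ...
        TimeWindow      = 60                   # ... within this many minutes before an alert fires
        NotifyUser      = 'soc@contoso.example' # email notification recipients (assumed address)
        Disabled        = $false
    }

    New-ProtectionAlert @params
}

# Read the policy back and show exactly what the detection engine will sync.
# Remember the up-to-24-hour sync delay described above before test-firing it.
Get-ProtectionAlert -Identity $policyName |
    Format-List Name, Category, Severity, ThreatType, Operation, Filter,
                AggregationType, Threshold, TimeWindow, NotifyUser, Disabled

# To pause the policy during tuning, disable it rather than deleting it,
# so its settings (and the alerts it already raised) are preserved.
# Set-ProtectionAlert -Identity $policyName -Disabled $true
```

Splatting the parameters through a hashtable keeps each setting on its own commented line, which is easier to review than one long command. Disabling a noisy policy with Set-ProtectionAlert while you adjust the threshold avoids recreating it and incurring another sync delay.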