Office 365 has been a hot topic for some time now and a bit of a mystery that many are just starting to get their head around. Most clients we talk to are in the midst of rolling it out, or are at the beginning stages of looking into the information governance functionality offered by the Microsoft suite, to make certain it is implemented in a way that’ll ensure protection and appropriate access of information. Much of that functionality lies within the Security & Compliance Center. In this post we’ll give an overview of the admin center’s various capabilities, a rundown of Office 365 security and compliance alerts, and how these O365 security alerts can be set up and used within your organisation.

An Overview of Office 365 Security & Compliance Center Capabilities

The O365 Security & Compliance Center simply put is a central portal to manage and monitor security, governance policies and compliance within an organisation. It can be accessed by navigating to https://protection.office.com. Alternatively, you could access it from the O365 admin center as shown in the screenshot below:

Its capabilities include:

• Office 365 Security and Compliance Alerts – the ability to be notified when key events occur within your O365 environment…the focus of this article!
• Classifications – allows you to classify data with labels. Once classified, the world is your oyster so to speak…for example, you can apply retention policies and data loss prevention (DLP) policies targeting specific labels. Refer to descriptions below on DLP and data governance.
• Data Loss Prevention (DLP) – a feature that helps with mitigating loss of sensitive information; think Tax File Numbers, bank account details, employment contracts etc.
• Records Management – functionality that provides advanced file management capabilities through the entire content lifecycle from creation, through collaboration, record declaration, retention, and finally disposition.
• Data Governance – enables classification of content, application of retention and disposal policies, and general protection and security of information.
• Supervision – facilitates communication monitoring within an organisation, third parties from specific individuals if need be etc. For example, monitoring for profanities in emails that are headed out of your organisation. While there are several practical examples where this feature would be genuinely useful, it can be perceived to be ‘big brother’ so we’d advise caution. As the adage goes ‘with great power comes great responsibility’.
• Threat Management – functionality that monitors for phishing, spam and malware. The great thing here is that Microsoft uses its expansive global reach to monitor trends and patterns, so that it can actively detect for example, malware activity without you having to specifically implement safety mechanisms against that particular threat. Of course, you can always set specific phishing, malware and spam policies of your own too.
• Mail Flow – as the name suggests, this capability allows organisations to keep an eye on mail flowing in and out of your organisation to pick up any anomalies, which we provide an example of further on.
• Data Privacy – to aid organisations in meeting GDPR compliance requirements.
• Search – Yes, you guessed it, this area of the Security and Compliance Center allows administrators to search for terms, content and files across their O365 environment.
• eDiscovery – Find content that can be used as evidence for litigation, Freedom of Information Requests etc. You can imagine how useful this would be in the North American legal context where litigation is plentiful compared to here.
• Reports – View a dashboard of reports on various aspects of the Security and Compliance Center, e.g. top labels, malware status etc.

What are Office 365 Security & Compliance Alerts?

As you can see from the above functionality, the Security & Compliance Center provides a plethora of tools and features to help you keep a finger on the pulse of your organisation. However, therein lies the problem; how do you keep on top of things? Here enter Office 365 Security and Compliance Alerts. Instead of someone having to regularly monitor the various dashboards and tools, you can configure alerts (notifications) when certain events that you care about take place.

A Simple Scenario, Albeit a Nightmare

Let’s look at a simple example that might be a cause for concern within your organisation, or rephrased, the kind of nightmare scenario that keeps you awake at night! Let’s say either maliciously or accidentally (far more uncommon) an employee or contractor tries to email content with credit card numbers, Tax File Numbers (TFNs) and other sensitive info…obviously a scenario that several organisations have paid heavy prices for before. You don’t have to look too hard to find several instances of high-profile data leaks resulting in regulatory penalties, heads rolling, loss of brand goodwill etc.

How Can Office 365 Security and Compliance Alerts Be Useful in Preventing This Scenario?

How would you prevent a scenario like the above? It is actually quite simple with alerts. All you need to do is set up a data loss prevention (DLP) policy that looks for sensitive Australian financial data (helpfully, this is one of the predefined DLP templates offered by O365) such as credit card numbers, TFNs and then setup an alert that will notify you when the policy is met.

How to Use the Security & Compliance Center to Manage the Scenario Above

Please refer to the following set of steps to configure a DLP policy for proactively managing the scenario described above.

1. Start with a DLP template which in this case is ‘Australia Financial Data’.

2. Enter a helpful and recognisable name and description for your policy

3. Choose the locations where you want to protect Australian financial data. In this instance, we are choosing to do it in all locations.

4. Selecting the specific Australian financial data that you want to protect. Here, we are choosing to protect the whole lot, i.e. SWIFT Code, TFN, bank account and credit card numbers.

5. Configure the action that you want to take when the specific conditions are met. Here, we are choosing to show the policy info to the users to warn them that they are about to do something which is in breach of company data policy. So, they have a chance to rectify it before they act on it. However, if they still proceed with the action, then you can choose to get notified. Of course, in this instance we have taken the most stringent course of action by choosing to be notified on the first occurrence. Also, we haven’t allowed for anyone to be able to override it. You could use this perhaps to allow a set of individuals to override this policy if required.

6. You get to choose who can access SharePoint, OneDrive, Teams etc. In addition, you can choose override behaviour.

7. Then, you can choose to activate the policy immediately or test it out first.

8. Finally, review your settings and create the policy.

Creation of an Alert Based on the DLP Policy Defined Above

Now that the DLP policy to protect sensitive Australian financial data has been configured, all that is left to do is to create an alert that triggers when the DLP policy above is met as per the steps below.

1. Create an O365 security alert by giving it a name and useful description. Also, choose the severity and categorise the alert.

2. Configure to trigger the alert when a DLP policy match is detected.

3. Configure who should receive the notification email when this policy is met. Given the sensitivity of the data, we are choosing in this instance to get notified for every instance, i.e. no limit on the amount of notifications and there’ll be a notification for each time the DLP policy is met.

4. Finally, review the settings and you choose whether to turn it on immediately or later.

As you can see from the series of screenshots above, it only takes about five minutes to set this up and could save your organisation a world of pain. Who knew that protecting sensitive data within your organisation could be this simple!

Built-in Office 365 Security and Compliance Alerts

Office 365 also helps by providing some default built-in alerts so that you don’t have to start from scratch. For instance, the policies shown in the screenshot below are built-in policies available by default.

A Couple Ideas for Office 365 Security and Compliance Alerts to You Get Started

Now that you know how powerful O365 Security & Compliance Center alerts can be, here are a couple of custom alert ideas that you can get started with;

• Get notified each time someone tries to externally share any document from SharePoint or OneDrive for Business – Obviously, this is key to ensuring that sensitive data is not leaked outside the organisation. Of course, you could block external sharing altogether, however outward collaboration is most often required, it just needs to be carefully monitored.
• Set up notifications for when SharePoint site collection admin privileges are granted to someone – this is worth monitoring as the site collection admin role provides extensive powers in the ability to manage a site.

Office 365 Licensing Requirements

Note that the O365 Security and Compliance center is available across most service families, i.e. starting from E1 and even accessible with the business plans. However, the various functionality offered within it differs based on license. The DLP policy described in this article requires at least one of the following; Exchange Online Plan 2, SharePoint Online Plan 2 or an E3. Please refer to the Security & Compliance licensing requirements for more information.

Need Help Getting your O365 Security & Compliance Center in Order?

Please feel free to get in touch with us if you’d like to discuss O365 capabilities and how you can use it within your organisation to foster a robust and secure data environment. Or to further your own knowledge, consider our Office 365 Security & Compliance training course.