Microsoft has added a new service into Office 365 called Advanced Security Management.

This new service allows administrators to set up alerts for various activities, from user to administrator activities and anomalous or suspicious behavior, and to define actions in response to these issues, such as suspending a user account.

Activation

To start using this new service, you first need to assign a license to each of your users; this requires that you have activated the service from the Billing\Purchase Service section

Then you need to access the Security and Compliance administration center (as a reminder, you can also use this URL: https://protection.office.com)

From there access the Alerts\Manage Advanced Alerts section to enable the service

Advanced Security Management Portal

Then go to the Advanced Security Management portal by hitting the blue button below the activation check box; the ASM portal URL will look like https://<your tenant>.portal.cloudappsecurity.com/

You may already have one default alert called General Anomaly Detection

When you hit the Gear button, you will be able to edit this rule (as well as all other rules you will create)

You can switch each setting On or Off and enable or disable alerting.

By default, the setting applies to ALL activities. If you want to select specific activities, just click on All monitored activity and change it to Selected activity

Then you can define the filter you want in order to select the activity or activities to monitor

You can even test your selection by hitting the Edit and preview results button shown on the top right of the filtering interface

Delegate Access and IP Range Definition

Using the gear button on the top right of the navigation bar you can delegate access to the ASM portal as well as define your “authorized/identified” IP ranges

By default, all Azure Active Directory Global admins (which of course includes Office 365 Global admins) have access to the ASM portal, but you can delegate access to your security officers or auditors, as of course you do not want them to be global admins

You need to add the email address of the account to which you want to delegate access

The IP range option allows you to create IP range definitions and associate them with a confidence level (category). This can be helpful if you have already identified some IPs as risky

It is highly recommended to define your IP ranges as soon as possible, as only future events will be affected by this definition

Policies and Templates

If you click on the Control button in the top bar, you will be able to manage your own policies and templates

At this stage there are 6 default templates; you cannot create your own nor edit them (yet?)

Each template is a predefined set of rules related to specific activities; you can create your policy from an existing template by hitting the + (plus) sign

You can also create your policy from the Control button

The screenshot below shows a new policy created from a template

You can Disable or Delete a policy using the button on the right side of the policy

Alerts

As soon as you have enabled the license for your users, the system starts gathering data, and while you are working on the configuration or reviewing the portal, you may see some alerts appear on the top bar

If you hit this notification, you will see all activities detected by the system; it may report activities executed/completed in the past

You can access the detail of the alert by clicking on it; from there you can then review the alert and take appropriate action; in the following screenshot, the alert is related to an admin privilege granted to an account

If you have no action to apply because this is a legitimate action, you can Dismiss the alert by hitting the button at the top right of the alert details

When you dismiss an alert, you will be asked to provide details on the dismissal

You then get confirmation of the dismiss action

Activities Log

You can review all activities by hitting the Activity Log button

You can review all activities performed by any user with the action, user, application and location

If you open one of the activity log entries, you will get even more details

Governance Logs

Finally, you have one last service available called Governance Logs, which will help you audit all the activities

Notifications

If you have enabled the notifications to be alerted in case of suspicious activity, you will receive an email similar to the screenshot below showing the user and the workload involved in the suspicious activity
