Microsoft has added a new service into Office 365 called Advanced Security Management.
This new service allows administrators to set up alerts for various activities, from user to administrator activities and anomalous or suspicious behavior, and to define actions for these issues, such as suspending a user account.
Activation
To start using this new service, you first need to assign a license to each of your users; this requires that you have activated the service from the Billing\Purchase Service section
Next, you need to access the Security and Compliance administration center (as a reminder, you can also use this URL https://protection.office.com)
From there, access the Alerts\Manage Advanced Alerts section to enable the service
Advanced Security Management Portal
Then go to the Advanced Security Management portal by hitting the blue button below the activation check box; the ASM portal URL will look like https://<your tenant>.portal.cloudappsecurity.com/
You may already have one default alert called General Anomaly Detection
When you hit the Gear button, you can edit this rule (as well as any other rules you create)
You can switch each setting On or Off and enable or disable alerting.
By default, the setting applies to ALL activities; if you want to select specific activities, click on All monitored activity and choose Selected activity
Then you can define the filter to select the activity or activities to monitor
You can even test your selection by hitting the Edit and preview results button shown at the top right of the filtering interface
Delegate Access and IP Range Definition
Using the gear button at the top right of the navigation bar, you can delegate access to the ASM portal as well as define your “authorized/identified” IP ranges
By default, all Azure Active Directory Global admins (which of course includes Office 365 Global admins) have access to the ASM portal, but you can delegate access to your security officers or auditors, since of course you do not want to make them global admins
You need to add the email address of the account to which you want to delegate access
The IP range option allows you to create IP range definitions and associate each with a confidence level (category). This can be helpful if you have already identified some IPs as risky
It is highly recommended to define your IP ranges as soon as possible, since only future events will be affected by this definition
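To make the IP range idea concrete, here is an added example (written for this article, not code from the ASM product) that tags activity-log entries with a category based on configured IP ranges and flags the ones that deserve a closer look. The range definitions, category names, the list of actions treated as admin-privilege changes and the sample activities are all constructed for the example.

```python
"""Categorise activity-log entries by IP range (added illustration).

This is example code written for this article, not code from Microsoft's
Advanced Security Management product. Ranges, category names, admin actions
and sample activities are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed IP range definitions, each tagged with a confidence category.
# RFC 5737 documentation ranges and a private range stand in for real ones.
IP_RANGES = {
    "Corporate": ["10.0.0.0/8", "203.0.113.0/24"],
    "VPN": ["198.51.100.0/24"],
    "Risky": ["192.0.2.0/24"],
}
NETWORKS = {cat: [ipaddress.ip_network(c) for c in cidrs]
            for cat, cidrs in IP_RANGES.items()}

# Constructed set of actions treated as admin-privilege changes.
ADMIN_ACTIONS = {"Add member to role", "Add user", "Update user"}


@dataclass
class Activity:
    """One activity-log entry: who did what, in which application, from where."""
    user: str
    action: str
    app: str
    ip: str


def categorize_ip(ip: str) -> str:
    """Return the category of the first range containing ip, or 'Unknown'."""
    addr = ipaddress.ip_address(ip)
    for category, nets in NETWORKS.items():
        if any(addr in net for net in nets):
            return category
    return "Unknown"


def review(activities):
    """Return (activity, category, reason) tuples for entries that deserve an alert:
    anything from a Risky range, and admin-privilege changes from outside Corporate."""
    findings = []
    for act in activities:
        category = categorize_ip(act.ip)
        if category == "Risky":
            findings.append((act, category, "activity from a Risky range"))
        elif act.action in ADMIN_ACTIONS and category != "Corporate":
            findings.append((act, category,
                             "admin privilege change from outside Corporate"))
    return findings


# Constructed sample activity-log entries (user, action, application, source IP).
SAMPLE_ACTIVITIES = [
    Activity("alice@example.com", "Add member to role", "Office 365", "10.1.2.3"),
    Activity("bob@example.com", "FileDownloaded", "SharePoint", "192.0.2.17"),
    Activity("carol@example.com", "Add member to role", "Office 365", "172.16.5.5"),
    Activity("dave@example.com", "UserLoggedIn", "Exchange", "198.51.100.9"),
]

if __name__ == "__main__":
    for act, category, reason in review(SAMPLE_ACTIVITIES):
        print(f"{act.user:20} {act.action:20} {act.app:12} {act.ip:15} "
              f"[{category}] {reason}")
```

Running the script flags two of the four constructed entries: the download from the Risky range and the role change from an address that matches no defined range. It also shows why defining ranges early matters: an entry is categorised at the moment it is evaluated, so events processed before a range exists fall into Unknown and are not reclassified afterwards.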
Policies and Templates
If you click on the Control button in the top bar, you can manage your own policies and templates
At this stage there are 6 default templates; you cannot create your own nor edit them (yet?)
Each template is a predefined set of rules related to specific activities; you can create a policy from an existing template by hitting the + (plus) sign
You can also create a policy from the Control button
The screenshot below shows a new policy created from a template
You can Disable or Delete a policy using the button on the right side of the policy
Alerts
As soon as you have enabled the license for your users, the system starts gathering data, and while you are working on the configuration or reviewing the portal, you may see alerts appearing in the top bar
If you hit this notification, you will see all activities detected by the system; it may report activities executed/completed in the past
You can access the details of an alert by clicking on it; from there you can review the alert and take appropriate action; in the following screenshot, the alert is related to an admin privilege granted to an account
If you have no action to apply because this is a legitimate action, you can Dismiss the alert by hitting the button at the top right of the alert details
Dismissing an alert will ask you to provide details on the dismissal
And then you get a confirmation of the dismiss action
Activities Log
You can review all activities by hitting the Activity Log button
You can review all activities performed by any user, with the action, user, application and location
If you open one of the activity log entries, you will get even more details
Governance Logs
Finally, you have one last service available called Governance Logs, which will help you to audit all the activities
Notifications
If you have enabled notifications to be alerted in case of suspicious activity, you will receive an email similar to the screenshot below, showing the user and the workload involved in the suspicious activity