The problem with small companies and some SMEs is that having a dedicated security guy is actually a no go. No one can afford this extra resource for the sole purpose of looking over logs and alerts to spot patterns of bad behaviour. So the sys admin should do what he can to patrol the internal network and perimeter on the lookout for misdemeanours.
Today we are going to configure some Office 365 alerts, to ping us an email when certain behaviour takes place. This will generate an enormous amount of false positives, but will allow an admin to have a general “heads up” if mass deletions occur, people scoping what they shouldn’t have access to, and sharing anonymous links with external sources.
From the Admin Portal click on “Admin Centers” and select “Security and Compliance”. From the S&C window Select “Alerts” > “Manage alerts”.
Click on “+ Add an alert” and the following windows is where your alert will be configured.
Im going to name this one “Behaviour Alert” to highlight any behaviours we believe can lead to data leaks and malpractice.
Clicking on the drop down menu we can select the following criteria which will trigger the alert. I have selected the following:
- Deleted file
- Downloaded file
- Used an anonymous link
- Denied access request
- and Downloaded files to computer
We can then select specific users if we are monitoring certain individuals. Leave blank to cover all user accounts.
Configure who you want the email alerts to go to. Should be pretty straight forward.
Click save and tah daaaaaaah…. more alerts to sift through. Whilst this is not indicative of data loss or data theft. It can give a sys admin a better overview of what actions are being performed on a network that may cause disruption.