Creating Policy Alerts for Office 365 Exchange Online

Learn how to create policies to identify Exchange Online events that you want to be notified of, for example, sending email to competitor email domains or adding users to Exchange Online administrative groups.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

For background about the different Office 365 resource types that you can detect with policy alerts, see Exchange Online knowledge base.

Creating Alerts for Sending and Receiving Email Using Exchange Online

Create policy alerts for email that is sent through the Exchange Online server.

You can create policy alerts for email that is sent through the Exchange Online server, either through the Outlook application or through an external application such as Thunderbird. For example, you can be notified when:

  • Email recipients belong to external or competitor organizations.

  • Users send email from or to IP addresses that are identified as suspicious.

  • An administrator removes a protection rule related to sending email.

Note:

Alerts can't be triggered based on content that appears in the email subject line.

To create an alert for sending or receiving email:

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Values

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Select Exchange Mail.

    Resource name

    Oracle CASB Cloud Service currently defaults the Exchange Mail resource type to "all sent or received email."

    You can define email senders in the next step of the wizard. You also can define recipients and other filters (for example, destination domains) in the Conditions page of the wizard.

    Action on this resource

    Send. Identifies email sent from this Exchange Online account.

    Received. Identifies email sent to this Exchange Online account.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Next. The Conditions page is optional. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Outlook Protection Rule Resources

Understand how to use the Resource type Exchange Admin: Outlook Protection Rule.

In addition to policies for sending and receiving email, you can configure the resource type Exchange Admin: Outlook Protection Rule to detect when an administrator modifies any rule that’s applied before a user sends a message (Action: Set), disables a rule (Action: Disable), enables one (Action: Enable), creates a rule (Action: New), or deletes one (Action: Remove).

Creating Alerts for Exchange Users, Admins, Roles, Contacts, and Groups

Create policies to identify actions taken on roles, and memberships to role groups.

Office 365 Exchange lets administrators define the tasks that groups of users and administrators can perform using role groups.

Creating Alerts for Actions Taken on Administrators

Create alerts to track changes to administrative roles and the users given these roles.

This information can be useful to people who are responsible for Office 365 administration and want to ensure that they know everyone who has access to sensitive resources in Exchange Online.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Select Exchange Admin: Admin Role Member

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

    Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all role groups.

    Action on this resource

    Trigger an alert when a member of an administrative role group is added (Action: Add), deleted (Action: Remove), or modified (Action: Update).

  5. Click Add and then add the resource type Exchange Admin: Admin Role Member, and identify one or more members and actions.

    When you are done, click Next.

  6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  7. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  8. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  9. When you are done, click Next, review your settings, and then click Submit.
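
The Resource name field above accepts a regular expression, but this page does not say whether the pattern must match the whole role group name or only part of it. The following added example (not Oracle CASB code) previews a candidate pattern under both interpretations against a constructed list of Exchange Online role group names; the function names are hypothetical.

```python
import re

# Constructed sample input: names of built-in Exchange Online role groups.
ROLE_GROUPS = [
    "Organization Management",
    "View-Only Organization Management",
    "Recipient Management",
    "Discovery Management",
    "Compliance Management",
    "Records Management",
    "Help Desk",
]


def preview(pattern, names=ROLE_GROUPS):
    """Return the names a pattern selects under both matching semantics.

    'full'   : the whole name must match the pattern (re.fullmatch)
    'search' : the pattern may match anywhere in the name (re.search)
    """
    rx = re.compile(pattern)
    return {
        "full": [n for n in names if rx.fullmatch(n)],
        "search": [n for n in names if rx.search(n)],
    }


def is_unambiguous(pattern, names=ROLE_GROUPS):
    """True when the pattern selects the same names under either semantics."""
    result = preview(pattern, names)
    return result["full"] == result["search"]


def coverage_gaps(pattern, must_cover, names=ROLE_GROUPS):
    """Names in must_cover that the pattern misses under full-match semantics.

    Full match is the stricter reading, so a gap here means the policy could
    stay silent for that role group.
    """
    selected = set(preview(pattern, names)["full"])
    return [n for n in must_cover if n not in selected]


if __name__ == "__main__":
    # Hypothetical list of role groups the reviewer wants the policy to cover.
    high_privilege = ["Organization Management", "Discovery Management"]
    candidates = [
        ".*",
        "Organization Management",
        "^Organization Management$",
        "^(Organization|Discovery) Management$",
    ]
    for pattern in candidates:
        result = preview(pattern)
        print(pattern)
        print("  full match :", result["full"])
        print("  search     :", result["search"])
        print("  unambiguous:", is_unambiguous(pattern))
        print("  gaps       :", coverage_gaps(pattern, high_privilege))
```

A pattern anchored with ^ and $ selects the same role groups under either interpretation, so it is the safer form to enter in the wizard.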

Creating Alerts for Changes to Administrative Groups

Create a policy that generates an alert when an administrative group is added, deleted, or modified.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: Admin Role

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

    Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all roles.

    Action on this resource

    Trigger an alert when an administrative role group is added (Action: Add), deleted (Action: Remove), or modified (Action: Update).

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Changes to User Role Assignments

Create a policy that generates an alert when a user role is added, deleted, or modified.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: User Role

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

    Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all roles.

    Action on this resource

    Any. Matches any action on the role or roles.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Other User, Group, Admin, Role, and Contact Resources

Create a policy that generates an alert for other actions on Exchange Online users, administrators, contacts, and groups.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Select a resource:

    • Exchange Admin: Address List Paging : Detects when address list paging is enabled (Action: Enable-AddressListPaging).

    • Exchange Admin: Contact List : Detects importing a list of contacts using a .csv file (Action: Import).

    • Exchange Admin: Distribution Group : Detects distribution group modifications (Actions: Set), new groups (Action: New), and deletions (Action: Remove).

    • Exchange Admin: Distribution Group Member : Detects distribution group member modifications (Actions: Set), new group members (Action: New), and deletions (Action: Remove).

    • Exchange Admin: Dynamic Distribution Group : Detects dynamic distribution group modifications (Actions: Set), new contacts (Action: New), and deletions (Action: Remove). The membership for these groups is based on filters and conditions, and is recalculated each time a user sends a message to the group.

    • Exchange Admin: Mail Contact : Detects contact list user modifications (Actions: Set), new contacts (Action: New), and deletions (Action: Remove).

    • Exchange Admin: Mail User : Detects email user modifications (Actions: Set), new groups (Action: New), and deletions (Action: Remove).

    • Exchange Admin: Management Role : Detects changes to role-based permission sets (Actions: Set), new roles (Action: New), and deletions (Action: Remove).

    • Exchange Admin: Management Role Assignment : Detects when someone assigns a management role to a group, policy, user or security group (Action: New), deletes the role (Action: Remove), or modifies it (Action: Set).

    • Exchange Admin: Management Role Entry : Detects changes to the permissions assigned to a management role (Actions: Set), permissions added to the role (Action: New), and permissions deleted (Action: Remove).

    • Exchange Admin: Management Scope : Detects changes to the scope of a management role (Actions: Set), new scope definitions (Action: New), and deletions (Action: Remove). These are servers, mailboxes, and other objects that a management role applies to.

    • Exchange Admin: Unified Group : Detects creation of a unified group (Action: Set-UnifiedGroup).

    • User Photo (UserPhoto) : Detects addition (Action: Set-UserPhoto) and removal (Action: Remove-UserPhoto) of a user photo.

    • Exchange Admin: User Role : Detects changes to role assignment policies. These alerts detect new, deleted, and updated policies, which are collections of user roles.

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial role group name.

    Regular expression. Enter .* to match all roles or a regular expression to identify a subset of all roles.

    Action on this resource

    Any. Matches any action on the role or roles.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for DLP, Malware, and Filtering

Create a policy that generates an alert for actions on policies for data loss prevention (DLP), or malware and content.

Office 365 Exchange lets administrators configure data loss prevention (DLP) policies to filter email messages and attachments (for example, to prevent transmission of personally identifiable information). Malware and content (spam) filtering policies prevent distribution of unwanted information and potentially destructive programs.

You can create policies to identify actions taken on DLP, malware, and content filtering policies.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: Data Loss Prevention Policy

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial DLP or malware filter policy name.

    Regular expression. Enter .* to match all DLP or malware filter policies or a regular expression to identify a subset of all of these policies.

    Action on this resource

    These alerts detect when one of these resource types has been added (Action: New), deleted (Action: Remove), or modified (Action: Set), or when a malware filter rule has been enabled or disabled.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Additional DLP, Malware, and Filtering Resources

Learn about additional resources you can use in alerts for DLP, and malware and content filtering.

Malware and content (spam) filtering policies prevent distribution of unwanted information and potentially destructive programs. These fields or field types are available for use in creating alerts:

Field or Field Type Description

Exchange Admin: Hosted Connection Filter Policy

Detects modifications to connection filter policies (Action: Set).

These policies create safe sender and blocked sender lists.

Exchange Admin: Hosted Content Filter Policy

Detects modifications to spam filter policies (Action: Set) and deleted policies (Action: Remove).

Exchange Admin: Hosted Content Filter Rule

Detects modifications to spam filter rules, which define when and how to apply spam filter policies (Action: Set), deleted rules (Action: Remove), enabled rules (Action: Enable), and disabled ones (Action: Disable).

Creating Alerts for Exchange Information Rights Management

Create a policy that generates an alert when information rights management (IRM) rules are disabled, modified, or deleted.

Office 365 Exchange lets administrators create Information Rights Management (IRM) rules. These rules protect online and offline email messages and attachments. You can create policies to identify changes to your IRM rules, for example, to be notified when these rules are disabled, modified, or deleted.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: IRM Configuration

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial rule name.

    Regular expression. If you select this option, enter .* to match all IRM rules or a regular expression to match one or more rules.

    Action on this resource

    One of the following:

    • Any. Matches any action on an IRM rule.

    • Set. Generates an alert when someone modifies a rule.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In this page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Exchange Online Access Rules

Create a policy that generates an alert when online access rules are created, deleted, or modified.

Office 365 Exchange lets administrators define access controls within and across forests. You can create policies to identify changes to your access rules, for example, to be notified when these rules are disabled, modified, or deleted.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: Availability Config

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial rule name.

    Regular expression. If you select this option, enter .* to match all rules or a regular expression to match one or more rules.

    Action on this resource

    One of the following:

    • New. Matches creation of a new rule.

    • Remove. Generates an alert when someone deletes a rule.

    • Set. Generates an alert when someone modifies a rule.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In the Conditions page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Other Exchange Online Access Resources

Learn about additional resources you can use in alerts for online access rules.

These Resource types are available for use when creating alerts.

Resource Type Description

Exchange Admin: Availability Address Space

This resource type identifies rules for creating availability address space objects for sharing free/busy data. Available actions in the policy: Create a new availability address space (Action: Add), or delete (Action: Remove).

Exchange Admin: Default Sharing Policy

This resource type identifies installation of a default sharing policy (Action: Install-DefaultSharingPolicy).

Exchange Admin: Federated Organization Identifier

This resource type identifies the federated organization identifier for the Exchange organization. Available actions in the policy: modify the identifier (Action: Set).

Exchange Admin: Organization Relationship

Identifies when an administrator defines a new relationship with an external Exchange organization (Action: New), deletes one (Action: Remove), modifies one (Action: Set), or tests the configuration for an organization relationship (Action: Test).

Exchange Admin: Outlook Web App Policy

Identifies creation of new policies to control access to web mailboxes and calendars (Action: New), deleted policies (Action: Remove), and modified policies (Action: Set).

Exchange Admin: Recipient Enforcement Provisioning Policy

Identifies when a recipient enforcement policy is created (Action: Set-RecipientEnforcementProvisioningPolicy).

Creating Alerts for Exchange Mailboxes and Folders

Create a policy that generates an alert for changes to public and user mailboxes.

Office 365 Exchange lets administrators create, update, enable, disable, and delete public folder mailboxes and user mailboxes. You can create policies to identify changes to public and user mailboxes (for example, to track any changes to the mailbox audit or diagnostic logs or to global mailbox settings).

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: Mailbox

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial mailbox name.

    Regular expression. Enter .* to match all mailboxes or a regular expression to identify a subset of all mailboxes.

    Note: If you match all mailboxes, consider narrowing the policy in later pages of this wizard. Otherwise, the policy can generate too many alerts to be practical.

    Action on this resource

    Identifies when a mailbox is created (Action: New), removed, searched, modified (Action: Set), disabled, or enabled.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In the Conditions page, you can filter the policy. For a description of condition parameters, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.
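
The note in step 4 warns that matching all mailboxes can generate too many alerts. The following added example (an illustrative model, not Oracle CASB code) applies the wizard's filters to constructed admin events to show how each one reduces alert volume and which accounts produce the noise. It assumes the filters are combined with AND, that the resource and action correspond to the noun and verb of the Exchange cmdlet, and that the name pattern must match the whole mailbox name; the event fields and function names are hypothetical.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional


class Policy(NamedTuple):
    """Hypothetical model of the wizard's Resource and Username pages."""
    resource: str                     # Resource, modeled as the cmdlet noun
    name_regex: str = ".*"            # Resource name (regular expression)
    actions: frozenset = frozenset()  # Action on this resource; empty means Any
    username: Optional[str] = None    # Username page filter (optional)


# Constructed sample events: (operation, acting user, target mailbox).
_RAW = [
    ("Set-Mailbox",    "svc-provisioning@contoso.example", "j.doe"),
    ("Set-Mailbox",    "svc-provisioning@contoso.example", "a.kim"),
    ("New-Mailbox",    "svc-provisioning@contoso.example", "n.hire"),
    ("Enable-Mailbox", "svc-provisioning@contoso.example", "n.hire"),
    ("Set-Mailbox",    "helpdesk1@contoso.example",        "exec-ceo"),
    ("Search-Mailbox", "admin2@contoso.example",           "exec-cfo"),
    ("Set-Mailbox",    "svc-provisioning@contoso.example", "exec-cfo"),
    ("Remove-Mailbox", "admin2@contoso.example",           "l.leaver"),
    ("Set-Mailbox",    "admin2@contoso.example",           "exec-ceo"),
    ("New-InboxRule",  "j.doe@contoso.example",            "j.doe"),
]
EVENTS = [{"operation": o, "user": u, "object": t} for o, u, t in _RAW]


def split_operation(operation):
    """Split 'Set-Mailbox' into ('Set', 'Mailbox')."""
    verb, _, noun = operation.partition("-")
    return verb, noun


def matches(policy, event):
    """True when the event passes every filter set on the policy."""
    verb, noun = split_operation(event["operation"])
    if noun != policy.resource:
        return False
    if policy.actions and verb not in policy.actions:
        return False
    if policy.username and event["user"].lower() != policy.username.lower():
        return False
    return re.fullmatch(policy.name_regex, event["object"]) is not None


def alerts(policy, events=EVENTS):
    """Events that would raise an alert under this model."""
    return [e for e in events if matches(policy, e)]


def volume_by_user(policy, events=EVENTS):
    """Alert count per acting user, to show where the noise comes from."""
    return Counter(e["user"] for e in alerts(policy, events))


# Three policies, from broadest to narrowest.
BROAD = Policy("Mailbox")
EXECUTIVE = Policy("Mailbox", "exec-.*", frozenset({"Set", "Search", "Remove"}))
EXECUTIVE_ONE_ADMIN = EXECUTIVE._replace(username="admin2@contoso.example")

if __name__ == "__main__":
    for label, policy in [("match all", BROAD),
                          ("executive mailboxes", EXECUTIVE),
                          ("executive + one admin", EXECUTIVE_ONE_ADMIN)]:
        print(f"{label}: {len(alerts(policy))} alerts")
        for user, count in volume_by_user(policy).most_common():
            print(f"  {user}: {count}")
```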

Creating Alerts for Other Exchange Mailbox Actions

Create a policy that generates an alert for the full range of actions on public and user mailboxes.

  1. Follow steps 1 and 2 in the previous procedure.

  2. In step 3, configure a resource and action as follows:

Resource Type Description

Exchange Admin: Client Access Settings on a mailbox

Detects when any change is made to client access policies for the named mailbox (for example, setting the mailbox email protocol and ActiveSync mailbox policy).

Exchange Admin: FolderBind

Detects when a mailbox folder is accessed (Action: FolderBind).

Exchange Admin: InboxRule

Detects enabled inbox rules, which define inbound message handling, for example, by moving particular messages to a specified folder (Action: Enable), changes to the rules (Action: Set), disabled rules (Action: Disable), new rules (Action: New), and deleted rules (Action: Remove).

Exchange Admin: Mail Public Folder

Detects when someone email-enables a public folder (allows users to post to it) (Action: Enable) or disables posting (Action: Disable).

Exchange Admin: Mailbox Audit Log

Detects when the audit log is searched.

Exchange Admin: Mailbox Calendar Folder

Detects when someone configures access and sharing permissions for a folder.

Exchange Admin: Mailbox Diagnostic Logs

Detects when someone exports the diagnostic logs.

Exchange Admin: Mailbox Folder

Detects when someone exports a folder.

Exchange Admin: Mailbox Folder Permissions

Detects when someone creates, deletes, or modifies folder permissions.

Exchange Admin: Mailbox Permission

Detects when someone adds or removes access permission to a mailbox. This can be the mailbox owner or another user.

Exchange Admin: Mailbox Relocation Request

Detects when someone submits a mailbox relocation request (Action: New-MailboxRelocationRequest).

Exchange Admin: Managed Folder Assistant

Detects when someone starts message records management (MRM) processing for one or more mailboxes.

Exchange Admin: Public Folder

Detects when a public folder is created (Action: New), its attributes are modified (Action: Set), or it’s deleted (Action: Remove).

Exchange Admin: Public Folder Client Permission

Detects when user access rights to a folder are created (Action: Add) or deleted (Action: Remove).

Exchange Admin: Public Folder Mailbox

Detects when settings for a public folder mailbox are modified (Action: Update).

Exchange Admin: Public Folder Migration Request

Detects when migration from Exchange Server 2010 is created (Action: New), deleted (Action: Remove), resumed (Action: Resume), modified (Action: Set), or suspended (Action: Suspend).

Exchange Admin: Site Mailbox

Detects when someone modifies or tests a site mailbox (which consolidates SharePoint and Exchange Online email).

Exchange Admin: Site Mailbox Provisioning Policy

Detects when someone modifies the storage quotas for a site mailbox.

Exchange Admin: Soft Deleted Mailbox

Detects when someone restores a soft-deleted mailbox to an Active Directory account.

Creating Alerts for Exchange Email Retention Rule Changes

Create a policy that generates an alert for changes to email retention rules.

Office 365 Exchange lets administrators create, update, and delete policies for how long different types of email must be kept. In general, these policies help an organization comply with internal, governmental, and legal requirements. Administrators also create, enable, disable, and delete journal rules. This controls storage of sent and received messages, again often to comply with various requirements.

Exchange Online administrators can extend retention periods by putting a mailbox on In-Place Hold or Litigation Hold.

You can create policies to identify changes to your email retention rules, for example, to be notified when these rules are disabled, modified, or deleted.

Prerequisite: You must start creating your new policy in Creating an Office 365 Policy in order to be ready to follow the steps below to specify the resource and action that should trigger the alert.

Specifying Resources and Actions to Trigger the Alert

  1. Specify Resource details, using the information in the table below:

    Field Value

    Resource

    Exchange Admin: Retention Policy

    Resource name

    You must provide a name for the selected resource type. If you select:
    • Text, select an operator from the drop-down list (Equal to, Contains, Begins with, or Ends with) and enter a full or partial rule name.
    • Regular expression, enter .* to match all email retention rules.
  2. Specify an Action on the resource using the table below:

    Action on this resource Description

    Any

    Matches any action.

    New-RetentionPolicy

    A new retention policy is created.

    Remove-RetentionPolicy

    A retention policy is removed.

    Set-RetentionPolicy

    A retention policy is set.

  3. (Optional) Add more Resource name-Action pairs to refine your policy.

    You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

    • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.
    • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

  4. Click Next when you have finished specifying resource name-action pairs.

    You are now on the Username page.

  5. Return to Creating an Office 365 Policy and finish the steps to complete your policy alert, resuming at step 6.

Creating Alerts for Journal Rule Changes

Create a policy that generates an alert for changes to journal rules.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Locate the policy you want to modify, and then click the Edit icon (right end of row, under ACTION).
  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
  4. In the Resource page, make these selections:
    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: Journal Rule

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and then enter a full or partial rule name.

    Regular expression. Enter .* to match all email retention rules.

    Action on this resource

    Any. Matches any action on a journal rule.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.
  6. When you are done, click Condition.

    In the Conditions page, you can filter the policy. For example, to exclude everyone in a particular domain, click Add new condition, in the Parameter drop-down list select Recipient, and in the Operator field, select Contains or Does not contain, then enter the user name or a partial name.

  7. Click Next and set your Action notifications:
    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Mailbox Retention Rule Changes

Create a policy that generates an alert for changes to mailbox retention rules.

  1. Follow steps 1 and 2 in the previous procedure.
  2. In step 3, configure a resource and action as follows:
    Resource Type Description

    Exchange Admin: Retention Policy

    Detects when someone creates a mailbox or folder retention policy (Action: New), deletes one (Action: Remove), or modifies one (Action: Set).

    Exchange Admin: Retention Policy Tag

    Detects when someone creates a mailbox or folder retention tag (Action: New), deletes one (Action: Remove), or modifies one (Action: Set).

    The tags contain particular retention settings. Retention policies contain one or more tags.

Creating Alerts for Exchange Mobile Devices and ActiveSync

Create a policy that generates an alert for actions taken on ActiveSync devices.

An administrator can configure and remove mobile devices that can synchronize with Office 365 Exchange mailboxes. The administrator can also create rules for an Exchange ActiveSync device that define conditions under which a mobile device can access Office 365 Exchange. These conditions, or access rules, define when devices are allowed, blocked, or quarantined (for example, if they are believed to be infected with malware).

You can create policies to identify actions taken on ActiveSync devices, including removing or wiping the devices clean, creating or modifying the access rules and mailbox policies for them, and setting organizations for the devices.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Exchange Admin: ActiveSyncDevice. Returns mobile devices that have been configured for synchronization (ActiveSync) with your Exchange Online account.

    Resource name

    If you select:

    Text. Select an operator from the drop-down menu (for example, Contains), and enter a full or partial user name.

    Regular expression. Enter .* to match all devices.

    Action on this resource

    Any. Matches any action on an ActiveSync device.

    Clear. Matches a clear (wipe) action on an ActiveSync device.

    Remove. Matches remove (delete) action on an ActiveSync device.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Condition. In the Conditions page, you can filter the policy, for example, according to the client's IP address or time of day. For example, to limit the alert to only a particular set of users, or to everyone except a particular set of users, click Add new condition, in the Parameter drop-down list, select Recipient, and then do the following:

    • To monitor for particular users, in the Operator field select Contains and then enter the user name or a partial name.

    • To monitor for changes to anyone except a particular user or users, in the Operator field select Does not contain and then enter the name or partial name.

    For more information on conditions in Office 365 alerts, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Creating Alerts for Other ActiveSync Device Actions

Create a policy that generates an alert for actions taken on other ActiveSync resources.

There are several more resource types for which you can configure Exchange alerts for ActiveSync device actions.

  1. Follow steps 1 and 2 in the previous topic to configure the policy.

  2. When you set the action, set one of the following resource types and actions:

    Resource Type Description

    Exchange Admin: ActiveSync Device Access Rule

    Triggers an alert when someone adds a device (Action: New), deletes one (Action: Remove), or modifies one (Action: Set).

    Exchange Admin: ActiveSync Mailbox Policy

    Triggers an alert when someone adds a mailbox policy (Action: New), deletes one (Action: Remove), or modifies one (Action: Set). Mailbox policies include transport rules and security configuration settings (for example, S/MIME rules and password requirements).

    Exchange Admin: ActiveSync Access Settings

    Triggers an alert when someone modifies a global setting for an organization, such as the email addresses of administrators who receive reports (Action: Set).

Other Alerts for Mobile Services and ActiveSync

Learn about additional resources you can use in alerts for mobile services and ActiveSync.

Oracle CASB Cloud Service policies support these Resource types:

Resource Type Description

Exchange Admin: Mobile Device

Triggers an alert when someone deletes a mobile device with an ActiveSync partnership (Action: Remove) or wipes one clean (Action: Clear).

Exchange Admin: Mobile Device Mailbox Policy

Triggers an alert when someone creates a policy (for example, password rules) for a mobile device (Action: New), deletes a mobile device policy (Action: Remove), or modifies one (Action: Set).

Creating Alerts for Unified Messaging

Create a policy that generates an alert for actions taken on the Unified Messaging (UM) system that controls voice mail and the auto-attendant.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Click New Policy.

  3. In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.

  4. In the Resource page, make these selections:

    Field Value(s)

    Application type

    Select Office365.

    Application instance

    The application instances. Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

    Resource

    Select a resource:

    • Exchange Admin: UM Auto Attendant : Detects when an auto-attendant is enabled (Action: Enable), disabled (Action: Disable), created (Action: New), deleted (Action: Remove), or modified (Action: Set).

    • Exchange Admin: UM Call Answering Rule : Detects when a UM call answering rule is enabled (Action: Enable), disabled (Action: Disable), created (Action: New), deleted (Action: Remove), or modified (Action: Set).

    • Exchange Admin: UM Call Data Record : Detects when a UM call is exported (Action: Export).

    • Exchange Admin: UM Dial Plan : Detects when a dial plan that connects a user's telephone number and voice mail to their mailbox is created (Action: New), deleted (Action: Remove), or modified (Action: Set).

    • Exchange Admin: UM Hunt Group : Detects when a hunt group is added (Action: New) or deleted (Action: Remove). A hunt group is a logical representation of a private branch exchange (PBX) or IP PBX hunt group, and connects a UM IP gateway with a UM dial plan.

    • Exchange Admin: UM IP Gateway : Detects when someone creates a Unified Messaging (UM) gateway to connect a hunt group to other gateways, PBXes or controllers (Action: New), disables the gateway (Action: Disable), enables one (Action: Enable), deletes one (Action: Remove) or modifies one (Action: Set).

    • Exchange Admin: UM Mailbox : Detects when someone enables a mailbox for UM (Action: Enable), disables UM for a mailbox (Action: Disable), or modifies a mailbox's UM settings (Action: Set).

    • Exchange Admin: UM Mailbox PIN : Detects when someone resets the PIN for a UM-enabled mailbox (Action: Set).

    • Exchange Admin: UM Mailbox Policy : Detects when someone creates a UM mailbox policy (Action: New), deletes one (Action: Remove), or modifies one (Action: Set). UM mailbox policies define the configuration of the mailbox (for example, whether speech recognition is enabled and whether the user is required to enter a PIN to access voice mail).

    • Exchange Admin: UM Prompt : Detects when someone exports the audio file for UM dial plans and auto-attendants.

    Resource name

    Oracle CASB Cloud Service sets the default for the Exchange Mail resource type to "all sent or received email."

    You can define email senders in the next step of the wizard. You also can define recipients and other filters (for example, destination domains) in the Conditions page of the wizard.

    Action on this resource

    Send. Identifies email sent from this Exchange Online account.

    Received. Identifies email sent to this Exchange Online account.

    When you are done, click Next.

  5. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set in the previous step.

  6. When you are done, click Next. The Conditions page is optional. For more information on conditions in Office 365 alerts, see Condition Parameters for Office 365.

  7. Click Next and set your Action notifications:

    • Show an alert in the Risk Events page is selected. When an event matches the policy, Oracle CASB Cloud Service adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

    • Send email to this address. Send email to the designated address.

  8. When you are done, click Next, review your settings, and then click Submit.

Alerts for Other Exchange Online Resources

Learn about additional Resource types you can use in alerts for Exchange Online.

Almost every administrative action that affects Exchange Online triggers an underlying function known as a cmdlet. Oracle CASB Cloud Service generates alerts when a cmdlet matches a policy action, and the objects that the cmdlet acts on match the resources in the policy (and optionally other conditions). As a result, Oracle CASB Cloud Service detects actions performed in the UI, at the command line, and using any other method that triggers an Exchange Online action.

Consult the online help for Exchange Online cmdlets for details about each cmdlet. You can create policy alerts for all available actions on these cmdlets.
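The matching described above (a cmdlet matches the policy action and the object it acts on matches the resource name), combined with the resource name-action pairs from Specifying Resources and Actions to Trigger the Alert, can be modeled offline to check which admin events a planned policy would flag. This is an added example, not Oracle CASB Cloud Service code; the event fields, the resource-to-cmdlet-noun mapping, and whole-name regex matching are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Assumption for this example: a resource type covers the cmdlets whose noun
# (the part after the verb) is listed here. Only two types from the page are modeled.
RESOURCE_NOUNS = {
    "Exchange Admin: Retention Policy": "RetentionPolicy",
    "Exchange Admin: Retention Policy Tag": "RetentionPolicyTag",
}

# The four text operators offered for the Resource name field.
TEXT_OPERATORS = {
    "Equal to": lambda name, value: name == value,
    "Contains": lambda name, value: value in name,
    "Begins with": lambda name, value: name.startswith(value),
    "Ends with": lambda name, value: name.endswith(value),
}


@dataclass(frozen=True)
class Pair:
    """One resource name-action pair from the Resource page."""
    action: str    # "Any" or a cmdlet name such as "Remove-RetentionPolicy"
    operator: str  # a TEXT_OPERATORS key or "Regular expression"
    value: str

    def name_matches(self, name):
        if self.operator == "Regular expression":
            # Assumption: the pattern has to match the whole resource name.
            return re.fullmatch(self.value, name) is not None
        return TEXT_OPERATORS[self.operator](name, self.value)


def alerts(resource, pairs, events):
    """Return (user, cmdlet, object) for every event the policy would flag."""
    hits = []
    for ev in events:
        noun = ev["cmdlet"].partition("-")[2]
        if noun != RESOURCE_NOUNS[resource]:
            continue  # cmdlet acts on a different resource type
        # Pairs are OR-ed: one matching pair is enough to raise the alert.
        if any(p.action in ("Any", ev["cmdlet"]) and p.name_matches(ev["object"])
               for p in pairs):
            hits.append((ev["user"], ev["cmdlet"], ev["object"]))
    return hits


# Constructed sample events; users and policy names are made up.
EVENTS = [
    {"user": "admin1", "cmdlet": "Set-RetentionPolicy", "object": "Legal Hold 7yr"},
    {"user": "admin2", "cmdlet": "Remove-RetentionPolicy", "object": "Finance 3yr"},
    {"user": "admin1", "cmdlet": "New-RetentionPolicy", "object": "Marketing 1yr"},
    {"user": "admin3", "cmdlet": "Set-RetentionPolicyTag", "object": "Legal Hold 7yr"},
    {"user": "admin2", "cmdlet": "New-JournalRule", "object": "Archive All"},
]

POLICY = "Exchange Admin: Retention Policy"
# Targeted policy: any removal, plus edits to policies whose name starts with "Legal".
TARGETED = [
    Pair("Remove-RetentionPolicy", "Regular expression", ".*"),
    Pair("Set-RetentionPolicy", "Begins with", "Legal"),
]
# Broad policy: Action "Any" with the .* resource name.
CATCH_ALL = [Pair("Any", "Regular expression", ".*")]

if __name__ == "__main__":
    for label, pairs in (("targeted", TARGETED), ("catch-all", CATCH_ALL)):
        print(label, alerts(POLICY, pairs, EVENTS))
```

In this model neither retention policy variant flags the retention tag change by admin3, which is the gap a separate policy on Exchange Admin: Retention Policy Tag closes.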

Subscriptions

Learn about additional resources you can use in alerts for subscriptions in Exchange.

Exchange subscription fields and descriptions.

Field Description

Exchange Admin: Connect Subscription

Detects a new service integration (for example, with Facebook) (Action: New) or a modified one (Action: Set).

Exchange Admin: IMAP Subscription

Detects when a user creates IMAP subscriptions in their cloud-based mailbox (Action: New) or deletes one (Action: Remove).

Exchange Admin: Hotmail Subscription

Detects when a user creates Hotmail subscriptions in their cloud-based mailbox (Action: New) or modifies one (Action: Set).

Exchange Admin: POP Subscription

Detects when a user creates POP subscriptions in their cloud-based mailbox (Action: New) or modifies one (Action: Set).

Exchange Admin: Subscription

Detects when a user creates a new Hotmail, POP or IMAP subscription in their cloud-based mailbox (Action: New) or deletes one (Action: Remove).

Admin Audit Log

Learn about additional resources you can use in alerts for admin audit logs in Exchange.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for Admin Audit Log.

Field or field type Description

Exchange Admin: Admin Audit Log

Detects when someone writes a comment in the admin audit log (Action: Write).

Exchange Admin: Admin AuditLog Config (AdminAuditLog)

Detects when someone writes a configuration entry in the audit log (Action: Write-AdminAuditLog).

Exchange Admin: Admin Audit Log Search

Detects when someone searches the admin audit log (Action: Search).

System Configuration

Learn about additional resources you can use in alerts for system configuration in Exchange.

Exchange system configuration fields and descriptions.

Field or Field Type Description

Exchange Admin: Availability Address Space

Detects when someone creates address space objects for creating free/busy information across organizations (Action: Add) or deletes them (Action: Remove).

Exchange Admin: Availability Config

Detects when someone creates an access level for free/busy information (Action: Add), deletes one (Action: Remove), or modifies one (Action: Set).

Exchange Admin: Data Classification Config

Detects when someone installs a data classification configuration (Action: Install-DataClassification).

Exchange Admin: Exchange Assistance Config

Detects when someone creates (Action: New-ExchangeAssistanceConfig) or sets (Action: Set-ExchangeAssistanceConfig) an Exchange assistance configuration.

Exchange Admin: Resource Config

Detects when someone installs a resource configuration (Action: Install-ResourceConfig).

Exchange Admin: Tenant Object Version

Detects when someone sets a tenant object version (Action: Set-TenantObjectVersion).

Migration and Move Requests

Learn about additional resources you can use in alerts for migration and move requests in Exchange.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for migration and move requests.

Field or Field Type Description

Exchange Admin: Migration Batch

Detects when someone concludes the process to move mailboxes from on-premises to Exchange Online, or from Exchange Online to on-premises (Action: Complete), submits a migration request (Action: New), deletes the request (Action: Remove), updates the request (Action: Set), starts the process (Action: Start), or stops an in-flight migration (Action: Stop).

Exchange Admin: Migration Report

Detects when someone exports a migration report (Action: Export).

Exchange Admin: Migration Server Availability

Detects when someone tests migration server availability (Action: Test).

Exchange Admin: Migration User

Detects when someone deletes a user from a migration task (Action: Remove).

Exchange Admin: Move Request

Detects when someone creates a request to move an asynchronous mailbox or personal archive (Action: New), deletes the request (Action: Remove), restarts a move (Action: Resume), modifies a request (Action: Set), or suspends an in-flight move (Action: Suspend).

Organizations

Learn about additional resources you can use in alerts for organizations in Exchange.

This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for organizations.

Field Description

Exchange Admin: Organization Config

Detects when an administrator has modified settings for an Exchange organization (Action: Set), for example, changing distribution group settings and the address book root.

Exchange Admin: Organization Customization

Detects when an administrator enables organization customization (Action: Enable). This permits the administration center to perform actions such as creating role groups, role assignment policies, and sharing policies.