Creating Policy Alerts for Office 365

Create custom policies to generate alerts for actions on resources that are specific to your Office 365 environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

Policies let you identify user behaviors that you want to be alerted for. In addition to automatically detecting suspicious behaviors within Office 365, you can configure Oracle CASB Cloud Service to generate alerts for particular resources and actions in Office 365.

Creating an Office 365 Policy provides general instructions for creating a policy alert for any Office 365 component. Start creating your Office 365 policy here.
Condition Parameters for Office 365 describes the condition parameters that are shared by alerts for all of the Office 365 components.

Exchange, SharePoint and OneDrive, and Active Directory each have their own specific configurations, based on the resource you select to monitor for actions that should trigger an alert.

Creating an Office 365 Policy

Follow these general steps for any policy you create to generate an alert for actions in Office 365.

The following are general steps for creating an Office 365 Exchange Online policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
On the Custom tab, click New Policy.
In the Name page:
1. Enter a name for the policy.
2. (Optional) Enter a description.
3. Select a Priority.
4. If you want policy violations to be included in user risk score computations, select Include in user risk score.
5. Click Next.

On the Resource page, make these selections.

Field	Value(s)
Application type	Select Office365.
Application instance	The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.

To complete the selections on the Resource page, follow a link below to locate the topic for the particular resource type on which you want to trigger this alert.
When you finish making the rest of the selections on the Resource page, follow the link at the end of that topic to return to this page and continue with the next step below.
(Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.
1. In the drop-down list, select Username contains or Username does not contain.
2. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.
  
  Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.
3. Click Next to go on to the next page.
(Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

For information on condition parameters available for use in policy alerts for Office 365, see Condition Parameters for Office 365. For information on free-form conditions, see Examples of Parameters in Free-Form Conditions.
1. Click Add condition or Add Free-From Condition.
2. Select a Parameter, an Operator, and a Value from the drop-down lists.
  
  In free-form conditions, you enter values for Parameter and Value.
3. To add another condition or free-form condition, repeat the 3 steps above.
  
  Note:
  When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.
4. Click Next to go on to the next page.
On the Action page, set your notifications:
- Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.
- Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.
When you are done, click Next, review your settings, then click Submit.

Condition Parameters for Office 365

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Office 365.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for Office 365.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter	Operator	Value
IP address v4	Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).	A comma-separated list of IPv4 addresses.
Device	Include or exclude the selected device type.	Select Desktop, Mobile, API Call, or Other.
Timestamp	The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).	A value as a time in 24-hour HH:MM:SS format.
CASB threat intelligence IP reputation	Equal to is the only option.	To flag events from IP addresses with bad or good reputations, select: Suspicious for bad reputations. Regular for good reputations.
City, State, or Country	Equal to requires matching the name you enter in Value. Not Equal to requires not matching the name you enter in Value. In requires matching any one of several names you enter in Value. Not in requires matching none of several names you enter in Value.	The name of the city, or the state or province, in the physical address that’s associated with the IP address.