Creating Policy Alerts for Office 365
Create custom policies to generate alerts for actions on resources that are specific to your Office 365 environment.
Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.
Policies let you identify user behaviors that you want to be alerted about. In addition to automatically detecting suspicious behaviors within Office 365, you can configure Oracle CASB Cloud Service to generate alerts for particular resources and actions in Office 365.
- Creating an Office 365 Policy provides general instructions for creating a policy alert for any Office 365 component. Start creating your Office 365 policy here.
- Condition Parameters for Office 365 describes the condition parameters that are shared by alerts for all of the Office 365 components.
Exchange, SharePoint and OneDrive, and Active Directory each have their own specific configurations, based on the resource you select to monitor for actions that should trigger an alert.
Creating an Office 365 Policy
Follow these general steps for any policy you create to generate an alert for actions in Office 365.
The following are general steps for creating an Office 365 Exchange Online policy. Once the policy is created, Oracle CASB Cloud Service displays an alert in Risk Events whenever the policy conditions are met, and can optionally send the alert through email.
Condition Parameters for Office 365
Review the parameters and operators that are available in the Conditions page of the policy creation wizard for Office 365.
These parameters and operators are available on the Conditions page of the New Policy wizard to fine-tune your alerts for Office 365.
Note:
The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.
Parameter | Operator | Value |
---|---|---|
IP address v4 | Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to). | A comma-separated list of IPv4 addresses. |
Device | Include or exclude the selected device type. | Select Desktop, Mobile, API Call, or Other. |
Timestamp | The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT). | A value as a time in 24-hour HH:MM:SS format. |
CASB threat intelligence IP reputation | Equal to is the only option. | To flag events from IP addresses with bad or good reputations, select: |
City, State, or Country | | The name of the city, or the state or province, in the physical address that’s associated with the IP address. |
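
The following Python helper is an added example, not part of the Oracle documentation or product. It prepares values for the IP address v4 and Timestamp parameters: it checks that every list entry is a single IPv4 address and converts a local wall-clock time to the GMT value that the Timestamp condition is evaluated against. The function names, sample addresses and UTC offsets are assumptions made for the illustration.

```python
import ipaddress
from datetime import date, datetime, timedelta, timezone, tzinfo


def normalize_ipv4_list(raw: str) -> str:
    """Return a de-duplicated comma-separated IPv4 list, or raise ValueError."""
    cleaned = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or blank entry
        # IPv4Address raises ValueError for IPv6, CIDR ranges and bad octets.
        addr = str(ipaddress.IPv4Address(item))
        if addr not in cleaned:
            cleaned.append(addr)
    if not cleaned:
        raise ValueError("no IPv4 addresses supplied")
    return ",".join(cleaned)


def local_to_gmt(local_hms: str, tz: tzinfo, on: date) -> tuple:
    """Convert local wall-clock HH:MM:SS to (GMT HH:MM:SS, day shift).

    The day shift is -1, 0 or +1: the GMT calendar day relative to the local
    one, which matters when a local after-hours boundary crosses midnight GMT.
    """
    wall = datetime.strptime(local_hms, "%H:%M:%S").time()
    gmt = datetime.combine(on, wall, tzinfo=tz).astimezone(timezone.utc)
    return gmt.strftime("%H:%M:%S"), (gmt.date() - on).days


# Constructed sample input (documentation-range addresses, assumed offsets).
SAMPLE_IPS = "203.0.113.10, 198.51.100.7,203.0.113.10,"
SAMPLE_DAY = date(2024, 1, 15)
UTC_MINUS_5 = timezone(timedelta(hours=-5))
UTC_PLUS_0530 = timezone(timedelta(hours=5, minutes=30))

if __name__ == "__main__":
    print(normalize_ipv4_list(SAMPLE_IPS))
    print(local_to_gmt("19:00:00", UTC_MINUS_5, SAMPLE_DAY))
    print(local_to_gmt("02:00:00", UTC_PLUS_0530, SAMPLE_DAY))
```

A fixed offset ignores daylight saving time; pass a `zoneinfo.ZoneInfo` zone as `tz` to get the offset that applies on the chosen date.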