Review and take action on alerts in Office 365 Cloud App Security

Evaluation > Planning > Deployment > Utilization
Start evaluating
Start planning
Start deploying
You are here!
Next steps

You can use the Alerts page in Office 365 Cloud App Security to view potential issues and, if needed, take action.

Note

You must be a global administrator or security administrator to perform the tasks in this article. See Permissions in the Office 365 Security & Compliance Center.

How to get to the Alerts page

  1. As a global administrator or security administrator, go to https://security.microsoft.com and sign in using your work or school account.

  2. In the Security & Compliance Center, choose Alerts > Manage advanced alerts.

  3. Choose Go to Office 365 Cloud App Security.
    In the Security & Compliance Center, choose Manage Advanced Alerts to go to Office 365 Cloud App Security

  4. In the navigation bar across the top of the screen, choose Alerts.
    On the Alerts page, you can see alerts that were triggered and any actions taken.

Review and handle alerts

Alerts help you identify activities in your Office 365 cloud environment that you might want to investigate further. You might also decide to create new policies or edit existing policies based on the alerts you see. For example, if you see an administrator logging on from a strange location, you may decide to set up a policy that prevents administrators from signing in to Office 365 from certain locations.

Tip

You can filter the alerts by Category or by Severity so you can manage the most important ones first.

For each alert, look into what caused it so you can decide what action to take. To see more details about an alert and to take action, such as resolving the alert or suspending a users account, choose the alert to open a details page. On the details page, you can review the activity log, accounts, and users that are related to the alert, and take actions such as the following:

  • Dismiss If the alert was a false positive, dismiss it. You can optionally add a comment explaining why you dismissed it.

  • Resolve alert If the alert was triggered by an activity that you know isn't a threat, resolve it. You can optionally add a comment explaining why you resolved it.

  • Suspend If you suspect unauthorized sign ins on an account, for example, someone signing in from another country when you know that person is physically at a local office, you can suspend the account while you investigate what's going on.

Next steps