Office 365 Security Auditing & Alerts
This blog entry is a continuation of our series describing how the CoreView solution provides a powerful toolset for administrators to perform security monitoring, auditing and forensic analysis for Office 365 events, plus the security watchdog features to provide automated alerts for known security risks. This topic covers the most common security alerts configured by customers using CoreView to perform those watchdog tasks.
CoreView enables the configuration of automated alerts for any event activity reported in Office 365 log files. The simplified wizard UI to configure these alerts makes it easy for IT administrators to choose the available log categories and associated events from available picklists and activities to identify the exact security risks they want to monitor. The wizard UI walks the administrator through a six-step process to identify the log event and select the recipients to alert. These alert notifications are generated from the audit activities performed by CoreView on an almost real-time basis. When a preconfigured security watchdog setting matches a known compliance breach, an alert message is sent via e-mail to a specified distribution list. Administrators can then take immediate action to rectify the situation and close the security concern.
(Step 2: Select Action — Configurable security watchdog alerts for Exchange e-mail events)
(Step 3: Define Filters — Configurable security watchdog alerts for Exchange e-mail events)
#1 – Alerts for Mailbox Permission Changes
The first of these automated alerts that I’d like to discuss are the security permission changes to user mailboxes. Since e-mail has become the standard form of business communications, the access rights to executive mailboxes have been closely guarded. Every organization wants to keep tabs on who has access to their executive teams’ communications, so this security alert should come as no surprise. As you can see from the Mailbox Security report below it is simple for CoreView to identify who has access to different mailboxes. By simply configuring an alert notification for each executive mailbox the IT administrators will be immediately notified when permission changes are made for those end users.
#2 – Mailboxes with Auto-forwards Pointing Outside the Organization
The next example is also an obvious one that organizations have documented as a security compliance standard. No mailboxes should be allowed to auto-forward messages outside the organization. In the event that a user configures this type of auto-forward setting, an automated alert from CoreView will notify the IT administrators responsible for tracking this compliance issue so they can quickly remediate the problem.
#3 – Alerts for Privileged Action Policy Changes in Azure AD
Another example of popular security alert notifications comes from changes to AD policies. Whenever someone with Privileged Action rights makes a change to a security policy in AD then that change should notify all IT administrators who have responsibility to monitor Office 365 security compliance. In the event that this policy change was made in error, such as modifying password requirements that don’t match the documented company standards, then the change should be quickly rectified to maintain security compliance standards.
#4 – Identifying Likely Malware Infected Mailboxes
A simple alert configuration can be made using CoreView to identify mailboxes that are possibly infected with Malware. If an account is sending thousands of messages a day to both internal and external addresses, then it is definitely an investigation that needs to be made by IT administrators. Being quickly notified for these type of Malware infected accounts can help administrators remediate the issue before it becomes critical.
#5 – Alerts for Password Policy Compliance Issues
Finally, most organizations want to track password settings on accounts and flag those with incorrect provisions allowed. These automated alerts from CoreView will provide the administrators with enough information so they can perform follow-up investigations with those end-user accounts and fix the password policies as needed. An example of this type of Password Setting report is shown below. Since CoreView monitors all these activities and configuration settings, it is simple for IT administrators to configure alert notifications for specific security concerns.
There you have it. If you are looking for a security watchdog to alert you when known security issues occur, then CoreView is the solution you need. If you are interested in finding out more about our CoreView solution and how it can help with security compliance audits, perform security watchdog alerts, and cut your administration time in half, please visit our overview page online, or sign-up for a free trial at http://www.CoreView.com/free-trial