Working with alerts and alert plans
Alerts and their associated alert plans allow those responsible for the security of your environment to stay on top of changes and activities as they occur.
Through the Alerts page you can:
- View the number of alerts created in the last 24 hours for each search.
- View the number of associated alert plans.
- Enable and disable individual alerts.
- Remove alerts.
- Add and remove associated alert plans.
- Review searches that have alerts created for them.
By clicking on an alert you can:
- View and access all alert plans associated with alert.
- Edit the alert.
- View its associated search.
For details, see Managing alerts and alert plans
Managing alerts and alert plans
Creating an alert for a search allows those responsible for the security of your environment to receive detailed information about vital changes and activities as they occur.
The alert plan allows you to configure who will receive alerts so that they can take the appropriate action to address the outlined risks to your environment.
|
|
NOTE: You can select to assign any number of alert plans to an alert. |
To create an alert with an associated alert plan
- Under the Searches tab, select the search.
- Click Alert.
- Configure the alert plan to associate with the alert.
To create and enable a new alert plan, enter a name for it and click Save. Next, select the link to enter the email recipients for the alert, and click Save.
To edit an alert and associated alert plan
- Under the Alerts tab, select Alerts.
- Select the required alert, and click Edit Alert.
- Add and remove the alert plans associate with the alert as required.
To remove an alert
|
|
NOTE: The default alert plan cannot be removed. |
- Under the Alerts tab, select Alerts.
- Select the required alert, and click the X icon to delete it.
To create an alert plan
- Under the Alerts tab, select Alert Plans.
- Click New Plan.
- Enter a name for the alert plan and enter the required email address, and click Save.
- Click Send Test and OK to verify that a test alert is sent to the appropriate recipients.
To rename an alert plan
|
|
NOTE: The default alert plan cannot be renamed. |
- Under the Alerts tab, select Alert Plans.
- Select the required alert plan, click in the name field, rename as required, and click Save.
To remove an alert plan
- Under the Alerts tab, select Alert Plans.
- Select the required alert, and click the X icon to delete it.
Auditing Azure Active Directory
On Demand Audit simplifies the audit process by tracking, auditing, and reporting on activity that corresponds to the events in the Azure Active Directory audit logs, sign-in activity report, and risky sign-ins report.
|
|
NOTE: An Azure Active Directory Premium (P1) license or higher is required for On Demand Audit to audit sign-in and risky sign-in activity. |
You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.
For example, you can easily track and report on activities such as:
- When users and groups are added to and removed from the directory.
- When user and group attributes are changed.
- Successful and failed logins.
- Suspicious sign-in activity.
Event collection and Azure Active Directory subscription
Historical auditing is dependent on your Azure Active Directory subscription.
| Subscription | On Demand AuditEvent Collection |
|---|---|
| Azure Active Directory license | Azure AD - Audit Log historical events in the last 7 days |
| Azure Active Directory premium license (Optional) | Azure AD - Audit Log historical events in the last 30 days |
| Azure Active Directory premium license (Required) | AzureAD - Sign-ins historical events in the last 30 days |
|
Azure Active Directory Premium license (Required) |
AzureAD - Risky Sign-ins historical events in the last 90 days |
|
|
NOTE: Azure Active Directory Premium P2 subscription is required to include the Risk Level and Risk Detail information in events. |