Dela via


Microsoft Purview Compliance Manager alerts and alert policies

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Overview

Compliance Manager can alert you to changes as soon as they happen so that you can stay on track with your compliance goals. For example, you can set up alerts to inform you when an improvement action's score value has increased or decreased due to a configuration change in your tenant, or when an improvement action has been assigned to a user to perform implementation or testing work. View the types of events for which you can create alerts.

To create alerts, you first set up an alert policy to outline the conditions that trigger an alert and the frequency of notifications. When we detect a match to your policy conditions, you'll receive an email notification with details so you can determine whether to investigate or take further action.

All alerts are listed on the Alerts page in Compliance Manager, and all alert policies are listed on the Policies page (in the classic Microsoft Purview compliance portal, this page is called Alert policies). All organizations have a default score change policy already set up for them.

Understanding the Policies and Alerts pages

Important

Users must hold the Security reader role in Microsoft Entra ID in order to access the Policies and Alerts pages. Additional security and Compliance Manager roles are needed to work with alerts and alert policies. Get details below in Alert policy permissions.

Policies page

Select Policies (or Alert policies if using the classic portal) in Compliance Manager to view and manage your alert policies. The Policies page contains a table listing all the policies created by your organization. From this page, you can create new policies, edit existing policies, change activation status, and delete policies.

In the Status column, Active means the policy is in effect and triggering alerts when conditions are met. Inactive means the policy exists but isn't generating alerts. The policies table also shows you the severity of the policy and the date the policy was last modified.

To view an individual policy's details, select its row in the table. A flyout pane will appear that shows all details. Select the Action button at the bottom of the pane and select from options to edit the policy, view its alerts, or delete it. The commands to add, edit, delete, activate, and disable are also available near the top of the table, above the filters.

To get started creating an alert policy, see Create an alert policy.

Alerts page

Select Alerts in Compliance Manager to view and manage your alerts. The Alerts page contains a table listing each alert generated by an alert policy, along with its severity and the triggering event (for example, an action's score change) and date of the alert.

To view an individual alert, select its row in the table. A flyout pane will appear that shows all details on the Overview tab of the pane. The Events log tab displays actions taken by users that triggered the alert.

The Actions button at the bottom of the pane provides options to assign the alert to a user for follow-up, email the user whose actions generated the alert, or view the details of the policy that generate the alert. You can also take the same actions by selecting the round button that appears to the left of the alert name when you hover over its row, then selecting one of the buttons near the top of the table, above the filters.

To start working with alerts, see Viewing and managing alerts.

Alert policy permissions

The table below outlines which users can create and edit alerts and alert policies based on their role type. In addition to holding a Compliance Manager role, users also need a Microsoft Entra role as follows:

  • To view alerts and alert policies: the Security reader role in Microsoft Entra ID.
  • To create or update alert policies: the Compliance Administrator, Compliance Data Administrator, Security Administrator, or Security Operator role in Microsoft Entra ID.

Learn more about Azure roles in the Microsoft Purview compliance portal.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Role Can create and edit policies Can edit alerts
Compliance Manager Administration Yes Yes
Compliance Manager Assessor Yes Yes
Compliance Manager Contributor Yes Yes
Compliance Manager Reader No No
Global Administrator Yes Yes

Learn how to set user permissions and assign roles for Compliance Manager.

Create an alert policy

You can create policies to alert you when certain changes or events related to improvement actions happen. Event types are listed below.

Alert event types

  • Score change: an increase or decrease in points awarded for an improvement action due to configuration changes made by someone in your organization. For example, if your organization creates an insider risk managing policy, that could increase your points for a certain action by a certain amount.
  • Assignment change: an improvement action has been assigned to a user, reassigned to a different user, or unassigned from a user.
  • Implementation status change: a user has changed an improvement action's implementation status.
  • Test status change: a user has changed the testing status of an improvement action.
  • Evidence change: a user has uploaded or deleted an evidence document in the Documents tab of the improvement action.

Default score change policy

Compliance Manager sets up a default alert policy to monitor for score changes in improvement actions. The default policy generates an alert when an improvement action's score changes. Most settings for the default policy can't be edited. But you can add other users as recipients of alert notifications, which we recommend.

Here are the settings for the default policy:

  • All matches that are detected within a span of 60 minutes will be grouped into one single alert to reduce excessive notifications. For example, if five improvement actions experience a score change within one hour, one alert is generated.

  • The severity level for these alerts is medium.

  • The Global Admin for your organization is the default recipient of alert notifications.

  • You can add more alert recipients by following these steps:

    • On the Policies page, find the Compliance Manager default alert policy.
    • Check the box to thee left of its name and select the Edit button near the top, above the filters.
    • Select the Next button until you come to the Alert recipients page.
    • Select +Select recipients and check the boxes next to each user name on the flyout pane whom you want to receive the email notification. When done, select Add recipient, then select Next.
    • On the Review and finish page, select Update to save your changes.
  • The default policy can't be deleted, but you can disable it by following the steps outlined below.

Policy creation steps

To create a policy to generate alerts based on one or more events, follow the steps below:

  1. In Compliance Manager, go to the Policies page and select Add to start the policy creation wizard.

    Tip

    In the new Microsoft Purview portal, this page is called Policies and is found on the left navigation instead of as a tab at the top.

  2. On the Name and description page, enter a name for the policy and an optional description, then select Next.

  3. On the Conditions page, select one or more events that will trigger an alert. Under the Improvement action activity header, select Add sub-conditions and check the box that appears when hovering to the left of each condition name. You can choose one or more conditions for a policy: assignment change, evidence change, implementation status change, score change, test status change. When you're finished, select Next.

  4. On the Outcomes page, choose what happens when a policy match is detected:

    • Select a severity level for the alert when a match is detected: low, medium, or high.
    • Select how often you want to be notified by email when a match is detected. You can choose to be notified with each match, or choose a threshold of a certain number of matches above three.
    • If you choose to be notified after three or more matches, you'll then designate the number of minutes within which that threshold must be reached (for example, 4 matches within 90 minutes).

    When you're done, select Next.

  5. On the Alert recipient page, select additional users in your organization to receive an email when the policy conditions are met. The user who creates the policy is the default recipient. Select +Select recipients and check the boxes next to each user name on the flyout pane whom you want to receive the email notification. When done, select Add recipients, then select Next.

  6. Review all selections, and make any changes to each section by selecting Edit. When finished reviewing, select Create policy.

  7. When your policy is created, select Done. You arrive at your Policies page with the flyout pane for the policy you just created already open.

Your policy is active once you create it, which means it starts detecting matches and generating alerts. See the Managing policies section below for how to inactivate or delete policies.

It can take up to 24 hours after creating or updating a policy before alerts are generated by that policy. See View alert details below to learn about triggering events and alert aggregation.

Managing policies

The Policies page contains a table listing of all your policies. See Policies page to further understand this page. Any user in your organization can view policies, but certain actions are restricted to certain roles; see Alert policy permissions.

Tip

In the new Microsoft Purview portal, this page is called Policies and is found on the left navigation instead of as a tab at the top.

View policy details

Select a policy from its row on the Policies page to bring up a flyout panel showing the policy's details, including its match conditions, whether and when alert notifications are sent and to whom, and severity level.

The Actions button at the bottom of the panel gives you options to edit the policy, delete the policy, or view alerts.

View a policy's alerts

From the policy's flyout panel, select Actions and then View alerts. You are taken directly to the Alerts page with a filtered view of all the alerts generated by that policy. Learn how to work with alerts.

Edit a policy

You can edit any aspect of a policy except for its name. If you want to change its name, you need to create a new policy with a new name.

To edit a policy, select the round button that appears to the left of its name when you hover over its row on the Policies page and select the Edit button near the top, above the filters.

You are taken to the policy creation wizard where you can make and save changes to your policy. You can also select the policy to bring up its details panel, and from the Actions button, select Edit policy. After working your way through the wizard again, review your selections and in the final step, select Update to save your changes.

It can take up to 24 hours before alerts are generated by the updated policy.

Activate or inactivate a policy

Policies are activated by default as soon as they're created. When active, a policy will create an alert (shown on the Alerts page) when the conditions are met, and will send a notification email to the designated recipients.

To change a policy to an inactive state, which means it won't generate alerts, select the round button that appears to the left of the policy name when you hover over its row. Then select the Disable command above the table. The status of your policy will now read Inactive. To reactivate the policy, follow the same process and select the Activate button above the filters.

Delete a policy

To delete a policy, you can select the button next to its name on the Policies page and select Delete near the top of the page. You can also select the policy to bring up its details panel, and from the Actions button, select Delete policy.

Deleting is permanent. Once you delete a policy, it will no longer generate alerts or email notifications. Learn more about alerts connected to deleted policies.

Viewing and managing alerts

The Alerts page shows a table with all the alerts generated by all your policies. Alerts are generated almost immediately after an event matching the policy's conditions occurs. The alert name is the same name as the policy that generated the alert.

An alert can only be generated from an active policy. Once an alert is generated, it remains listed on the Alerts page regardless of whether the policy is active or inactive.

Filter your view of alerts

You can filter your view of alerts by selecting the Filter command above the table on your Alerts page. From the Filter flyout pane, select among these filter options:

  • Event type
  • Severity
  • Status
  • User assigned to
  • Detection date
  • Policy name

After making your selections, select Apply. The flyout pane closes and your updated Alerts page shows your filtered view. Your filters are displayed at the top of the table, though not all filter columns may show in the table.

View alert details

To view all the details about the alert, including the events which triggered it, select its row on the table. A flyout pane shows the details of the alert on the Overview tab of the panel.

The Events log tab of the flyout panel lists the activities that generated the alert, such as a score change or an assignment change, along with the name of the user associated to each action and the date detected.

Alert events

The Event column on the Alerts page indicates the conditions of a policy that were detected; in other words, the activity that generated the alert. The Events log tab on the alert's details panel lists each instance of an event, the associated user, and the date detected. Event values are listed below:

  • Score change: shows the number of increase or decrease in points
  • Assignment change: an improvement action has been assigned to a user, reassigned to a different user, or unassigned from a user
  • Implementation status change: a user has changed an improvement action's implementation status
  • Test status change: a user has changed the testing status of an improvement action.
  • Evidence change: a user has uploaded or deleted an evidence document in the Documents tab of the improvement action
  • Multi-event: multiple instances of the same type of event have been detected; for example, a single improvement action that has been reassigned multiple times
  • Multi-condition: multiple conditions within a single policy were detected

Alert aggregation for multiple events within one minute

When multiple events that match the conditions of an alert policy occur with one minute, they're added to an existing alert by a process called alert aggregation.

For example, when one event occurs which matches a policy, an alert is generated and displayed on the Alerts page and a notification is sent. If another event matching the same policy occurs within one minute of the first event, then Compliance Manager adds details about the other event on the Events log tab of the existing alert instead of triggering a new alert. The goal of alert aggregation is to help reduce alert "fatigue" and let you focus and take action on fewer alerts.

Taking action on alerts

When one of your policies generates an alert, you can view the events that caused the alert and determine whether you need to verify or further investigate the events.

To take an action on an alert, select its row on the Alerts page to bring up the flyout panel with its details, select the Actions button, and chose among options listed below. You can also take actions by selecting the round button that appears to the left of the alert name when you hover over its row, and selecting one of the action buttons near the top of the page, above the filters.

Assign alert: You may want to assign the alert to a user to investigate or verify the events that caused the alert. When you choose this option, a panel opens where you can select a user in your organization and assign the alert to them. You can filter your alerts view by selecting Filters on the Alerts page, and entering the user's name in the Assigned to field.

Email alert: You may want to send an email to the user associated to the alert's activity to confirm that they took the action. When you chose this option, it opens an email template with basic information about the alert, which you can customize with further instructions and sent to the user.

View policy details: You may want to review the settings for the policy that triggered the alert. When you select this option, you are taken directly to the Policies page with the policy details panel already open. You'll no longer be on your Alerts page when you close the policy details panel.

Change status: You can update status for your alert based on your review of its impact and whether it needs investigating. Learn more about alert statuses in the next section.

Alert status

When an alert is created, its status is Active. As you review the details of each alert, you can update its status to any of the states listed below:

  • Active: default state of the alert until its status is changed
  • Investigating: alert is under investigation
  • Resolved: the alert doesn't require further investigation or follow-up
  • Dismissed: the alert isn't relevant or doesn't need investigation

To assign or change an alert's status, select an alert from its row on the table, select Change status near the top of the page, above the filters. From the Update alert status flyout pane, select a status from the drop-down menu, then select Update alert.

Once an alert is generated, its status is independent of the status of the policy that generated the alert. For example, it's possible to have an active alert associated to an inactive policy, and it's possible to have an investigating status on an alert that was generated by a policy that was later inactivated or deleted.

When policies are deleted

When a policy is deleted, any alerts that were generated by that policy remain on your Alerts page, but no new alerts are generated.

Email notifications of alerts

When you create a policy, an email is sent to the user who created the policy alerting them that a match was detected. You can choose to send these email notifications to more users in your organization. Alerts occur in near real-time, and the email notifications are sent out as soon as an alert is generated. The email contains the event name, severity, time detected, and a link to view the alert in Compliance Manager.

Remove users from receiving alerts

If you designate alert recipients and then later decide to remove them, follow the steps below. The policy creator will still receive email notifications when policy matches are detected.

  1. Begin the steps to edit your policy.
  2. When you arrive at the Alert recipients screen, select +Select recipients.
  3. In the Select recipients flyout panel, find the user you want to remove from notifications and uncheck the box to the left of their name, then select the Add recipients button (which has the effect of saving your selection).
  4. Continue through the wizard and confirm that the user doesn't appear under Recipients on the Review and finish page. Select Update to save your settings and finish.