Creating an Activity alert in Office 365
Within Office 365 you can use Audit Logging to monitor specific actions that admins and users take. It’s comparable to auditing within Exchange, but for most of the actions available in your Office 365 tenant. However, you need to run a search to find those actions, perhaps long after the fact. That might be adequate for most organizations, but it would be nice to get a near-immediate alert on the important stuff. Luckily, that is also possible!
Consider the following scenario: you share a document from SharePoint via an Anonymous link, meaning that everyone who has the link can download the document you just shared. Downloads are logged, but you require an alert right after one happens.
When you go to Security & Compliance>Search & Investigation>Audit log search you will see a “New alert policy” button at the bottom of the page.
Click on that button and a new screen shows up.
Give it a name and a clear description. Under “Alert Type” you can choose “Custom” or “Elevation of privilege”. Choose Custom. Under “Choose activities for alert” select “Downloaded file”.
Under Users, keep the field empty in order to monitor Anonymous actions.
In the field “Send this alert to…” fill in the user(s) you want the alert sent to. Unfortunately it doesn’t seem to work with groups/contacts, but it does work with Shared Mailboxes. By default the address of the admin creating the alert is used.
After that the configured mailbox will get an alert mail when it’s triggered.
If you no longer require the alert or need to adjust it, you can do that under Security & Compliance>Alerts>Manage Alerts.
Unfortunately the alerts are less granular than the search: the search includes a field to further specify a file, folder or site, which is not available for alerts.
Even so, it’s a great addition for those organizations that require more proactive monitoring of certain actions in their Office 365 tenant. There are a lot of actions from different services (SharePoint, Exchange, User provisioning, Teams etc.) that can be monitored, so check it out!
As the alert mails have a consistent format, you could create further actions based on the mail, for instance with Microsoft Flow.
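The site and folder scoping that alerts lack can be applied afterwards to records taken from the audit log search. The following is an added example, not part of the original post: it filters constructed sample records for "Downloaded file" events (operation `FileDownloaded`) by anonymous users below one site URL. Treating a `UserId` of `anonymous` or one starting with `urn:spo:anon#` as an anonymous-link user is an assumption to check against your own tenant's records; the tenant name, addresses and timestamps are constructed.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed sample lines, shaped like the AuditData JSON of an audit log export.
SITE = "https://contoso.sharepoint.com/sites/finance"
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2018-03-01T09:15:00", "Operation": "FileDownloaded",
                "UserId": "urn:spo:anon#0123abcd", "ClientIP": "203.0.113.10",
                "ObjectId": SITE + "/Shared%20Documents/budget.xlsx"}),
    json.dumps({"CreationTime": "2018-03-01T09:20:00", "Operation": "FileDownloaded",
                "UserId": "anonymous", "ClientIP": "198.51.100.7",
                "ObjectId": SITE + "-archive/Shared%20Documents/old.xlsx"}),
    json.dumps({"CreationTime": "2018-03-01T09:25:00", "Operation": "FileDownloaded",
                "UserId": "laura@contoso.com", "ClientIP": "192.0.2.44",
                "ObjectId": SITE + "/Shared%20Documents/budget.xlsx"}),
    json.dumps({"CreationTime": "2018-03-01T09:30:00", "Operation": "FileAccessed",
                "UserId": "anonymous", "ClientIP": "203.0.113.10",
                "ObjectId": SITE + "/Shared%20Documents/budget.xlsx"}),
    "truncated {not json",
]

def is_anonymous(user_id):
    # Assumption: anonymous-link users appear as "anonymous" or "urn:spo:anon#<id>".
    uid = str(user_id or "").lower()
    return uid == "anonymous" or uid.startswith("urn:spo:anon#")

def in_scope(object_id, scope_url):
    """True if object_id is scope_url or lies below it, compared per path segment."""
    obj, scope = urlsplit(object_id), urlsplit(scope_url)
    if obj.netloc.lower() != scope.netloc.lower():
        return False
    obj_path = unquote(obj.path).lower().rstrip("/")
    scope_path = unquote(scope.path).lower().rstrip("/")
    # The "/" suffix keeps /sites/finance from matching /sites/finance-archive.
    return obj_path == scope_path or obj_path.startswith(scope_path + "/")

def anonymous_downloads(raw_records, scope_url):
    """Return (time, client IP, object) for anonymous FileDownloaded events in scope."""
    hits = []
    for raw in raw_records:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if not isinstance(rec, dict) or rec.get("Operation") != "FileDownloaded":
            continue
        object_id = rec.get("ObjectId") or ""
        if is_anonymous(rec.get("UserId")) and in_scope(object_id, scope_url):
            hits.append((rec.get("CreationTime"), rec.get("ClientIP"), object_id))
    return hits
```

Calling `anonymous_downloads(SAMPLE_RECORDS, SITE)` returns only the first sample record: the others are out of scope, made by a named user, a different operation, or unparsable.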