Microsoft Purview Compliance Manager alerts and alert policies
In this article: Learn how to set alerts for certain activities in Compliance Manager, how to manage alerts, and how to create alert policies for defining alert conditions.
If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Compliance Manager can alert you to changes as soon as they happen so that you can stay on track with your compliance goals. For example, you can set up alerts to inform you when an improvement action's score value has increased or decreased due to a configuration change in your tenant, or when an improvement action has been assigned to a user to perform implementation or testing work. View the types of events for which you can create alerts.
To create alerts, you first set up an alert policy to outline the conditions that trigger an alert and the frequency of notifications. When we detect a match to your policy conditions, you'll receive an email notification with details so you can determine whether to investigate or take further action.
All alerts are listed on the Alerts tab in Compliance Manager, and all alert policies are listed on the Alert Policies tab. All organizations have a default score change policy already set up for them.
Understanding the Alerts and Alert policies pages
Users must hold the Security reader role in Azure Active Directory (AD) in order to access the Alerts and Alert policies pages in Compliance Manager. Additional security and Compliance Manager roles are needed to work with alerts and alert policies. Get details below in Alert policy permissions.
Alert policies page
Select the Alert policies tab in Compliance Manager to view and manage your alert policies. The Alert policies page contains a table listing all the policies created by your organization. From this page, you can create new policies, edit existing policies, change activation status, and delete policies.
In the Status column, Active means the policy is in effect and triggering alerts when conditions are met. Inactive means the policy exists but isn't generating alerts. The policies table also shows you the severity of the policy and the date the policy was last modified.
To view an individual policy's details, select its row in the table. A flyout pane will appear that shows all details. Select the Action button at the bottom of the pane and select from options to edit the policy, view its alerts, or delete it. The commands to add, edit, delete, activate, and disable are also available near the top of the table, above the filters.
To get started creating an alert policy, see Create an alert policy.
Select the Alerts tab in Compliance Manager to view and manage your alerts. The Alerts page contains a table listing each alert generated by an alert policy, along with its severity and the triggering event (for example, an action's score change) and date of the alert.
To view an individual alert, select its row in the table. A flyout pane will appear that shows all details on the Overview tab of the pane. The Events log tab displays actions taken by users that triggered the alert.
The Action button at the bottom of the pane provides options to assign the alert to a user for follow-up, email the user whose actions generated the alert, or view the details of the policy that generate the alert. You can also take the same actions by selecting the round button that appears to the left of the alert name when you hover over its row, then selecting one of the buttons near the top of the table, above the filters.
To start working with alerts, see Viewing and managing alerts.
Alert policy permissions
The table below outlines which users can create and edit alerts and alert policies based on their role type. In addition to holding a Compliance Manager role, users also need an Azure AD role as follows:
- To view alerts and alert policies: the Security reader role in Azure AD
- To create or update alert policies: the Compliance administrator, Compliance data administrator, Security administrator, or Security operator role in Azure AD
Learn more about Azure roles in the Microsoft Purview compliance portal.
|Role||Can create and edit policies||Can edit alerts|
|Compliance Manager Administration||Yes||Yes|
|Compliance Manager Assessor||Yes||Yes|
|Compliance Manager Contributor||Yes||Yes|
|Compliance Manager Reader||No||No|
Create an alert policy
You can create policies to alert you when certain changes or events related to improvement actions happen. Event types are listed below.
Alert event types
- Score change: an increase or decrease in points awarded for an improvement action due to configuration changes made by someone in your organization. For example, if your organization creates an insider risk managing policy, that could increase your points for a certain action by a certain amount.
- Assignment change: an improvement action has been assigned to a user, re-assigned to a different user, or un-assigned from a user.
- Implementation status change: a user has changed an improvement action's implementation status.
- Test status change: a user has changed the testing status of an improvement action.
- Evidence change: a user has uploaded or deleted an evidence document in the Documents tab of the improvement action.
Default score change policy
Compliance Manager sets up a default alert policy to monitor for score changes in improvement actions. The default policy will generate an alert when an improvement action's score changes. Most settings for the default policy can't be edited, but you can add additional recipients for notifications.
Here are the settings for the default policy:
All matches that are detected within a span of 60 minutes will be grouped into one single alert to reduce excessive notifications. For example, if five improvement actions experience a score change within one hour, one alert will be generated.
The severity level for these alerts is medium.
The Global Admin for your organization is the default recipient of alert notifications.
You can add more alert recipients by following these steps:
- On the Alert policies page, find the Compliance Manager default alert policy.
- Check the box to thee left of its name and select the Edit button near the top, above the filters.
- Select the Next button until you come to the Alert recipients page.
- Select +Select recipients and check the boxes next to each user name on the flyout pane whom you want to receive the email notification. When done, select Add recipient, then select Next.
- On the Review and finish page, select Update to save your changes.
The default policy can't be deleted, but you can disable it by following the steps outlined below.
Policy creation steps
To create a policy to generate alerts based on one or more events, follow the steps below:
In Compliance Manager, go to the Alert policies page and select +Add to start the policy creation wizard.
On the Name and description page, enter a name for the policy and an optional description, then select Next.
On the Conditions page, select one or more events that will trigger an alert. Under the Improvement action activity header, select Add sub-conditions and check the box that appears when hovering to the left of each condition name. You can choose one or more conditions for a policy: assignment change, evidence change, implementation status change, score change, test status change. When you're finished, select Next.
On the Outcomes page, choose what happens when a policy match is detected:
- Select a severity level for the alert when a match is detected: low, medium, or high.
- Select how often you want to be notified by email when a match is detected. You can choose to be notified with each match, or choose a threshold of a certain number of matches above three.
- If you choose to be notified after three or more matches, you'll then designate the number of minutes within which that threshold must be reached (for example, 4 matches within 90 minutes).
When you're done, select Next.
On the Alert recipient page, select additional users in your organization to receive an email when the policy conditions are met. The user who creates the policy is the default recipient. Select +Select recipients and check the boxes next to each user name on the flyout pane whom you want to receive the email notification. When done, select Add recipients, then select Next.
Review all selections, and make any changes to each section by selecting , then select Next. When finished reviewing, select Create policy.
When your policy is created, select Done. You'll arrive at your Alert policies page with the flyout pane for the policy you just created already open.
Your policy is active once you create it, which means it will start detecting matches and generating alerts. See the Managing policies section below for how to inactivate or delete policies.
It can take up to 24 hours after creating or updating a policy before alerts are generated by that policy. See View alert details below to learn about triggering events and alert aggregation.
The Alert policies page contains a table listing of all your policies. See Alert policies page to further understand this page. Any user in your organization can view policies, but certain actions are restricted to certain roles; see Alert policy permissions.
View policy details
Select a policy from its row on the Alert policies page to bring up a flyout panel showing the policy's details, including its match conditions, whether and when alert notifications are sent and to whom, and severity level.
The Actions button at the bottom of the panel gives you options to edit the policy, delete the policy, or view alerts.
View a policy's alerts
From the policy's flyout panel, select Actions and then View alerts. You'll be taken directly to the Alerts page with a filtered view of all the alerts generated by that policy. Learn how to work with alerts.
Edit a policy
You can edit any aspect of a policy except for its name. If you want to change its name, you'll need to create a new policy with a new name.
To edit a policy, select the round button that appears to the left of its name when you hover over its row on the Alert policies page and select the Edit button near the top, above the filters.
You'll be taken to the policy creation wizard where you can make and save changes to your policy. You can also select the policy to bring up its details panel, and from the Actions button, select Edit policy. After working your way through the wizard again, review your selections and in the final step, select Update to save your changes.
It can take up to 24 hours before alerts are generated by the updated policy.
Activate or inactivate a policy
Policies are activated by default as soon as they're created. When active, a policy will create an alert (shown on the Alerts page) when the conditions are met, and will send a notification email to the designated recipients.
To change a policy to an inactive state, which means it won't generate alerts, select the round button that appears to the left of the policy name when you hover over its row. Then select the Disable command above the table. The status of your policy will now read Inactive. To reactivate the policy, follow the same process and select the Activate button above the filters.
Delete a policy
To delete a policy, you can select the button next to its name on the Alert policies page and select Delete near the top of the page. You can also select the policy to bring up its details panel, and from the Actions button, select Delete policy.
Deleting is permanent. Once you delete a policy, it will no longer generate alerts or email notifications. Learn more about alerts connected to deleted policies.
Viewing and managing alerts
The Alerts page shows a table with all the alerts generated by all your policies. Alerts are generated almost immediately after an event matching the policy's conditions occurs. The alert name is the same name as the policy that generated the alert.
An alert can only be generated from an active policy. Once an alert is generated, it remains listed on the Alerts page regardless of whether the policy is active or inactive.
Filter your view of alerts
You can filter your view of alerts by selecting the Filter command above the table on your Alerts page. From the Filter flyout pane, select among these filter options:
- Event type
- User assigned to
- Detection date
- Policy name
After making your selections, select Apply. The flyout pane will close and your updated Alerts page shows your filtered view. Your filters are displayed at the top of the table, though not all filter columns may show in the table.
View alert details
To view all the details about the alert, including the events which triggered it, select its row on the table. A flyout pane will show the details of the alert on the Overview tab of the panel.
The Events log tab of the flyout panel lists the activities that generated the alert, such as a score change or an assignment change, along with the name of the user associated to each action and the date detected.
The Events column on the Alerts page indicates the conditions of a policy that were detected; in other words, the activity that generated the alert. The Events log tab on the alert's details panel lists each instance of an event, the associated user, and the date detected. Event values are listed below:
- Score change: shows the number of increase or decrease in points
- Assignment change: an improvement action has been assigned to a user, re-assigned to a different user, or un-assigned from a user
- Implementation status change: a user has changed an improvement action's implementation status
- Test status change: a user has changed the testing status of an improvement action.
- Evidence change: a user has uploaded or deleted an evidence document in the Documents tab of the improvement action
- Multi-event: multiple instances of the same type of event have been detected; for example, a single improvement action that has been reassigned multiple times
- Multi-condition: multiple conditions within a single policy were detected
Alert aggregation for multiple events within one minute
When multiple events that match the conditions of an alert policy occur with one minute, they are added to an existing alert by a process called alert aggregation.
For example, when one event occurs which matches a policy, an alert is generated and displayed on the Alerts page and a notification is sent. If another event matching the same policy occurs within one minute of the first event, then Compliance Manager adds details about the additional event on the Events log tab of the existing alert instead of triggering a new alert. The goal of alert aggregation is to help reduce alert "fatigue" and let you focus and take action on fewer alerts.
Taking action on alerts
When one of your policies generates an alert, you can view the events that caused the alert and determine whether you need to verify or further investigate the events.
To take an action on an alert, select its row on the Alerts page to bring up the flyout panel with its details, select the Actions button, and chose among options listed below. You can also take actions by selecting the round button that appears to the left of the alert name when you hover over its row, and selecting one of the action buttons near the top of the page, above the filters.
Assign alert: You may want to assign the alert to a user to investigate or verify the events that caused the alert. When you choose this option, a panel opens where you can select a user in your organization and assign the alert to them. You can filter your alerts view by selecting Filters on the Alerts page, and entering the user's name in the Assigned to field.
Email alert: You may want to send an email to the user associated to the alert's activity to confirm that they took the action. When you chose this option, it opens an email template with basic information about the alert, which you can customize with further instructions and sent to the user.
View policy details: You may want to review the settings for the policy that triggered the alert. Note that when you select this option, you'll be taken directly to the Alert policies page with the policy details panel already open. You'll no longer be on your Alerts page when you close the policy details panel.
Change status: You can update status for your alert based on your review of its impact and whether it needs investigating. Learn more about alert statuses in the next section.
When an alert is created, its status is Active. As you review the details of each alert, you can update its status to any of the states listed below:
- Active: default state of the alert until its status is changed
- Investigating: alert is under investigation
- Resolved: the alert doesn't require further investigation or follow-up
- Dismissed: the alert isn't relevant or doesn't need investigation
To assign or change an alert's status, select an alert from its row on the table, select Change status near the top of the page, above the filters. From the Update alert status flyout pane, select a status from the drop-down menu, then select Update alert.
Once an alert is generated, its status is independent of the status of the policy that generated the alert. For example, it's possible to have an active alert associated to an inactive policy, and it's possible to have an investigating status on an alert that was generated by a policy that was subsequently inactivated or deleted.
When policies are deleted
When a policy is deleted, any alerts that were generated by that policy will remain on your Alerts page, but no new alerts will be generated.
Email notifications of alerts
When you create a policy, an email is sent to the user who created the policy alerting them that a match was detected. You can choose to send these email notifications to additional users in your organization. Alerts occur in near real-time, and the email notifications are sent out as soon as an alert is generated. The email will contain the event name, severity, time detected, and a link to view the alert in Compliance Manager.
Remove users from receiving alerts
If you designate alert recipients and then later decide to remove them, follow the steps below. Note that the policy creator will still receive email notifications when policy matches are detected.
- Begin the steps to edit your policy.
- When you arrive at the Alert recipients screen, select +Select recipients.
- In the Select recipients flyout panel, find the user you want to remove from notifications and uncheck the box to the left of their name, then select the Add recipients button (which has the effect of saving your selection).
- Continue through the wizard and confirm that the user does not appear under Recipients on the Review and finish page. Select Update to save your settings and finish.
Submit and view feedback for