The RM Proactive Alert Monitoring service enables RM to receive alerts from your Microsoft® 365™ tenancy, whereupon we will investigate the alert and provide you with guidance enabling you to act upon the cause of the alert. Alerts will be generated based on a pre-defined, standard configuration applied through our delivery of service for Microsoft 365 Security Monitoring Alert Config.

The list below details the type of alerts covered by this service.

Note: Configuration of alerts and policies is subject to the active licences/subscriptions of your Microsoft 365 tenancy.

Alert / Policy type	Details	RM category
Creation of forwarding/redirect rule	Someone in your organisation creates an email forwarding or redirects inbox rules.	Data Protection Alert
Elevation of Exchange admin privilege	Someone in your organisation becomes an Exchange admin or gets new Exchange admin permissions.	Security Alert
Malware campaign detected and blocked	Unusual amount of malware attacks were detected and blocked by Microsoft 365.	Security Alert
Malware campaign detected after delivery	Microsoft 365 detected malware in email messages delivered to users in your organisation.	Security Alert
Malware campaign detected in SharePoint and OneDrive	This alert is triggered when the volume of malware/virus campaign detected in SharePoint and OneDrive in your organisation becomes unusual.	Security Alert
Mails have been delayed	When Microsoft 365 cannot deliver a message to your on-premises or partner servers via a connector, the message is queued in Microsoft 365.	Security Alert
Unusual external user file activity	This alert is triggered when the volume of external user file activities in your organisation becomes unusual.	Security Alert
Unusual external user file activity	This alert is triggered when the volume of external user file activities in your organisation becomes unusual.	Data Protection Alert
Unusual volume of file deletion	This alert is triggered when the volume of files deleted in your organisation becomes unusual.	Data Protection Alert
Multiple failed user logon attempts to an app	A single user attempts to log on to a single app and fails more than ten times within five minutes.	Security Alert
General anomaly detection	An anomalous session is detected in one of the sanctioned apps, such as impossible travel, logon pattern, inactive account.	Security Alert
Mass download by a single user	When a single user performs more than 50 downloads within one minute.	Data Protection Alert
Logon from a risky IP address	When a user logs on to your sanctioned apps from a risky IP address. By default, the risky IP address category contains addresses that have IP address tags of anonymous proxy, TOR or Botnet.	Security Alert
Administrative activity from a non-corporate IP address	When an admin user performs an administrative activity from an IP address that is not included in the corporate IP address range category.	Security Alert
Potential ransomware activity	When a user uploads files to the cloud that might be infected with ransomware.	Security Alert
File shared with personal email addresses	When a file is shared with a user's personal email address.	Data Protection Alert