Alerts SHALL Be Enabled

Description

Microsoft 365 Defender ships with a set of prebuilt (default) alert policies, many of which cover Exchange Online activity such as unusual sending, forwarding, and connector behavior. Enabling these alerts, and routing the notifications somewhere that is actually watched, gives administrators near-real-time visibility into possible compromise instead of relying on users to notice and report problems.

Policy

At a minimum, the following alerts SHALL be enabled:

  • Suspicious email sending patterns detected

  • Suspicious connector activity

  • Suspicious email forwarding activity

  • Unusual increase in email reported as phish

  • Messages have been delayed

  • Tenant restricted from sending unprovisioned email

  • Tenant restricted from sending email

  • Malware campaign detected after delivery

  • A potentially malicious URL click was detected

The alert notifications SHOULD be sent to a monitored mailbox (for example, a security operations distribution list) or forwarded into a security information and event management (SIEM) tool. An alert that only lands in an unread administrator mailbox provides little value.

Licensing Considerations

This setting requires Defender for Office 365 Plan 1 or Plan 2, which can be purchased standalone or as part of the following bundles. Note that three of the listed alerts (Unusual increase in email reported as phish, Malware campaign detected after delivery, and A potentially malicious URL click was detected) are only available with Defender for Office 365 Plan 2, standalone or as included in E5/A5/G5; they do not appear in the alert policy list of a tenant licensed only for Plan 1.

  • Defender for Office 365 Plan 1/2

  • Microsoft 365 Business Premium

  • Office 365 E5/A5/G5

  • Microsoft 365 E5/A5/G5

  • Microsoft 365 E5/A5/G5 Information Protection and Governance

  • Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

Set Up Instructions

Microsoft 365 alert policies - Microsoft Purview (compliance) | Microsoft Learn

  1. Sign in to the Microsoft 365 Defender portal.

  2. Under Email & collaboration, select Policies & rules.

  3. Select Alert Policy.

  4. Click the policy name.

  5. Ensure Status is set to On.

  6. Ensure Email recipients includes at least one monitored address. Repeat steps 4 through 6 for each alert listed above.

End-User Impact

Level: None

There is no end-user impact for this setting.

Tips

None Currently

PowerShell Scripts

New-ProtectionAlert (ExchangePowerShell) | Microsoft Learn
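The following script, added here as an example and not taken from the page or from Microsoft, automates the portal check above (steps 4 through 6) for every alert the policy lists, using the Get-ProtectionAlert and Set-ProtectionAlert cmdlets from Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can manage alert policies (Security Administrator or equivalent), that the built-in policies accept the Disabled, NotificationEnabled and NotifyUser parameters, and that soc@example.com is a placeholder for your monitored mailbox. Run it report-only first; with -Fix it also turns on any disabled alert and adds the monitored recipient.

```powershell
#Requires -Modules ExchangeOnlineManagement
<#
  Added example, not code from the original page or from Microsoft.
  Audits the Defender alert policies this baseline requires and, with -Fix,
  enables them and adds a monitored recipient. Assumes the signed-in account
  can manage alert policies and that the built-in policies accept the
  parameters used below. soc@example.com is a placeholder address.
#>
param(
    # Monitored mailbox(es) that must appear in each alert's recipient list.
    [string[]] $RequiredRecipients = @('soc@example.com'),
    # Report-only unless -Fix is given.
    [switch]   $Fix
)

$ErrorActionPreference = 'Stop'
Connect-IPPSSession

# Alert policies the baseline requires (names as shown in the Defender portal).
$requiredAlerts = @(
    'Suspicious email sending patterns detected',
    'Suspicious connector activity',
    'Suspicious email forwarding activity',
    'Unusual increase in email reported as phish',
    'Messages have been delayed',
    'Tenant restricted from sending unprovisioned email',
    'Tenant restricted from sending email',
    'Malware campaign detected after delivery',
    'A potentially malicious URL click was detected'
)

# Fetch every policy once; -eq on names is case-insensitive in PowerShell.
$allAlerts = Get-ProtectionAlert

$report = foreach ($name in $requiredAlerts) {
    $alert = $allAlerts | Where-Object { $_.Name -eq $name } | Select-Object -First 1

    if (-not $alert) {
        # A missing built-in policy usually means the tenant lacks the license for it.
        [pscustomobject]@{
            Name = $name; Present = $false; Enabled = $false
            Recipients = ''; MissingRecipients = ($RequiredRecipients -join ';')
            Compliant = $false
        }
        continue
    }

    # Drop null/empty entries so a policy with no recipients yields an empty list.
    $current = @($alert.NotifyUser | Where-Object { $_ })
    $missing = @($RequiredRecipients | Where-Object { $current -notcontains $_ })
    $enabled = -not $alert.Disabled
    $compliant = $enabled -and $alert.NotificationEnabled -and ($missing.Count -eq 0)

    if (-not $compliant -and $Fix) {
        # Turn the alert on, make sure notifications are sent, and append the
        # monitored address without dropping recipients that are already there.
        Set-ProtectionAlert -Identity $alert.Name `
            -Disabled $false `
            -NotificationEnabled $true `
            -NotifyUser ($current + $missing)
        $current   = $current + $missing
        $missing   = @()
        $enabled   = $true
        $compliant = $true
    }

    [pscustomobject]@{
        Name              = $alert.Name
        Present           = $true
        Enabled           = $enabled
        Recipients        = ($current -join ';')
        MissingRecipients = ($missing -join ';')
        Compliant         = $compliant
    }
}

$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or pipeline flag drift to the SOC.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A policy reported as not present is a licensing question rather than a configuration one: the Plan 2-only alerts simply do not exist in a Plan 1 tenant, so fix the license before treating that row as a finding.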
