Alerts SHALL Be Enabled
Description
Microsoft Defender includes several prebuilt alert policies, many of which pertain to Exchange Online. These alerts give administrators near-real-time insight into possible security incidents in the tenant.
Policy
At a minimum, the following alert policies SHALL be enabled:
Suspicious email sending patterns detected
Suspicious connector activity
Suspicious email forwarding activity
Unusual increase in email reported as phish
Messages have been delayed
Tenant restricted from sending unprovisioned email
Tenant restricted from sending email
Malware campaign detected after delivery
A potentially malicious URL click was detected
The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) tool.
Licensing Considerations
This setting requires Defender for Office 365 Plan 1 or Plan 2, which can be purchased standalone or as part of the following bundles:
Defender for Office 365 Plan 1/2
Microsoft 365 Business Premium
Office 365 E5/A5/G5
Microsoft 365 E5/A5/G5
Microsoft 365 E5/A5/G5 Information Protection and Governance
Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance
Set Up Instructions
Microsoft 365 alert policies - Microsoft Purview (compliance) | Microsoft Learn
Sign in to Microsoft 365 Defender.
Under Email & collaboration, select Policies & rules.
Select Alert Policy.
Click the policy name.
Ensure Status is set to On.
Ensure Email recipients includes at least one monitored address.
End-User Impact
Level: None
There is no end-user impact for this setting.
Tips
None Currently
PowerShell Scripts
New-ProtectionAlert (ExchangePowerShell) | Microsoft Learn
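The following audit script is an added example, not part of this baseline or of Microsoft's documentation. It checks the set-up steps above from Security & Compliance PowerShell (an existing Connect-IPPSSession session is assumed) and relies on the Name, Disabled and NotifyUser properties returned by Get-ProtectionAlert.

```powershell
# Added example: audit the alert policies this control requires.
# Assumes Connect-IPPSSession has already been run with a role that can
# read and (for the optional remediation step) modify alert policies.

$RequiredAlerts = @(
    'Suspicious email sending patterns detected',
    'Suspicious connector activity',
    'Suspicious email forwarding activity',
    'Unusual increase in email reported as phish',
    'Messages have been delayed',
    'Tenant restricted from sending unprovisioned email',
    'Tenant restricted from sending email',
    'Malware campaign detected after delivery',
    'A potentially malicious URL click was detected'
)

# Pull every alert policy once rather than querying per name.
$Policies = Get-ProtectionAlert

$Results = foreach ($Name in $RequiredAlerts) {
    $Policy = $Policies | Where-Object { $_.Name -eq $Name }
    if (-not $Policy) {
        # Policy is absent entirely; it cannot be enabled via Status = On.
        [pscustomobject]@{ Alert = $Name; Status = 'MISSING'; Recipients = '' }
        continue
    }
    # NotifyUser holds the "Email recipients" shown in the portal (assumed property name).
    $Recipients = @($Policy.NotifyUser)
    $Status = if ($Policy.Disabled)          { 'DISABLED' }
              elseif ($Recipients.Count -eq 0) { 'NO RECIPIENTS' }
              else                             { 'OK' }
    [pscustomobject]@{
        Alert      = $Name
        Status     = $Status
        Recipients = ($Recipients -join ';')
    }
}

# Anything other than OK is a finding against this control.
$Results | Format-Table -AutoSize

# Optional remediation: re-enable required policies that exist but are off.
# This modifies the tenant; review $Results before running it.
$Results | Where-Object Status -eq 'DISABLED' | ForEach-Object {
    Set-ProtectionAlert -Identity $_.Alert -Disabled $false
}
```

Policies reported as NO RECIPIENTS still need a monitored address added in the portal or with the NotifyUser parameter of Set-ProtectionAlert.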