# Alerts SHALL Be Enabled

## Description

Microsoft Defender includes several prebuilt alert policies, many of which pertain to Exchange Online. These alerts give admins better real-time insight into possible security incidents.

## Policy

At a minimum, the following alerts SHALL be enabled:

* Suspicious email sending patterns detected.
* Suspicious connector activity.
* Suspicious email forwarding activity.
* Unusual increase in email reported as phish.
* Messages have been delayed.
* Tenant restricted from sending unprovisioned email.
* Tenant restricted from sending email.
* Malware campaign detected after delivery.
* A potentially malicious URL click was detected.

The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) tool.

## Licensing Considerations

This setting requires Defender for Office 365 Plan 1 or Plan 2, which can be purchased standalone or as part of the following bundles:

* Defender for Office 365 Plan 1/2
* Microsoft 365 Business Premium
* Office 365 E5/A5/G5
* Microsoft 365 E5/A5/G5
* Microsoft 365 E5/A5/G5 Information Protection and Governance
* Microsoft 365 E5/A5/G5/F5 Compliance and F5 Security & Compliance

## Set Up Instructions

[Microsoft 365 alert policies - Microsoft Purview (compliance) | Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide)

1. Sign in to Microsoft 365 Defender.
2. Under Email & collaboration, select Policies & rules.
3. Select Alert Policy.
4. Click the policy name.
5. Ensure Status is set to On.
6. Ensure Email recipients includes at least one monitored address.

## End-User Impact

{% hint style="info" %}
Level: <mark style="color:green;">None</mark>
{% endhint %}

There is no end-user impact for this setting.

{% hint style="info" %}
Tips

None Currently
{% endhint %}

## PowerShell Scripts

[New-ProtectionAlert (ExchangePowerShell) | Microsoft Learn](https://learn.microsoft.com/en-us/powershell/module/exchange/new-protectionalert?view=exchange-ps)
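
To check the Status and Email recipients settings from the Set Up Instructions across all nine required policies at once, the following script is an added example (not part of the original page or Microsoft's documentation). It assumes an active Security & Compliance PowerShell session (`Connect-IPPSSession`) and reads the `Disabled` and `NotifyUser` properties returned by `Get-ProtectionAlert`; `soc@example.com` is a placeholder for your monitored address.

```powershell
# Added example: audit the alert policies this page requires.
# Assumes: ExchangeOnlineManagement module loaded and Connect-IPPSSession already run.

# Policy names as listed in the Policy section above.
$required = @(
    'Suspicious email sending patterns detected'
    'Suspicious connector activity'
    'Suspicious email forwarding activity'
    'Unusual increase in email reported as phish'
    'Messages have been delayed'
    'Tenant restricted from sending unprovisioned email'
    'Tenant restricted from sending email'
    'Malware campaign detected after delivery'
    'A potentially malicious URL click was detected'
)

# Placeholder: replace with the mailbox(es) your team actually monitors.
$monitored = @('soc@example.com')

$alerts = Get-ProtectionAlert

$report = foreach ($name in $required) {
    # -eq is case-insensitive, so capitalisation differences in the tenant do not matter.
    $policy = $alerts | Where-Object { $_.Name -eq $name } | Select-Object -First 1
    $recipients = @($policy.NotifyUser | Where-Object { $_ })

    [pscustomobject]@{
        Alert            = $name
        Found            = [bool]$policy
        Enabled          = [bool]$policy -and -not $policy.Disabled
        MonitoredAddress = [bool]($recipients | Where-Object { $monitored -contains $_ })
        Recipients       = $recipients -join ', '
    }
}

# Full picture first, then only the rows that fail the policy.
$report | Format-Table -AutoSize
$gaps = $report | Where-Object { -not ($_.Found -and $_.Enabled -and $_.MonitoredAddress) }

if ($gaps) {
    Write-Warning "$(@($gaps).Count) required alert(s) are missing, disabled, or not sent to a monitored address."
    $gaps | Select-Object Alert, Found, Enabled, Recipients | Format-Table -AutoSize
} else {
    Write-Output 'All required alerts are enabled and notify a monitored address.'
}
```

A policy whose alerts go to a SIEM rather than a mailbox will show `MonitoredAddress` as false here; confirm the SIEM ingestion separately before treating that row as a gap.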

## Videos

{% embed url="<https://www.youtube.com/watch?v=fuxPRQGGX7k>" %}

