MC447684: Retirement of Legacy Microsoft Defender Online Alerts

Based on customer feedback and the tendency of these alerts to surface false positives in investigations, Microsoft 365 Defender is retiring a number of default alert policies. These legacy alerts are past their intended usage.

When this will happen

We plan to retire these alert policies by mid-November.

How this affects your organization

The following default alert policies will be retired:

  • Malware campaign detected after delivery
  • Malware campaign detected in SharePoint and OneDrive
  • Unusual increase in email reported as phish
  • Malware Campaign detected and blocked
  • Users targeted by malware campaigns
  • Users targeted by phish campaigns
  • Unusual volume of file deletion
  • Unusual External User File Activity
  • Unusual volume of external file sharing

As part of the retirement, the following changes will happen:

  • These policies will no longer be available under ‘Default Alert policies’ in the Microsoft 365 Defender portal or the Microsoft 365 Purview compliance portal.
  • Existing alerts that have already been generated from these alert policies will remain in the system (as part of Alerts) until data retention policies are applied and the alerts expire (see: Data retention information for Microsoft Defender for Office 365).

What you should do to prepare

Review your existing policies to see if you are utilizing any of the default policies outlined above.

As a workaround, customers can recreate these retired alert policies as custom alert policies to continue generating these alerts.

Note that there are a couple of ways that you can replace these alerts:

  1. If you want a literal replacement of what is being retired, use Anomaly or Threshold to build the custom alert.
  2. If you want alerts to fire for specific users, groups, or activities, with entity information, we suggest creating scoped single event alerts.

Message ID: MC447684
Published: 2022-10-19
Updated: 2022-10-19
Platform: Online, World tenant