Based on customer feedback and a tendency to surface false positives in investigations, Microsoft 365 Defender is retiring a number of default alert policies. These legacy alerts have outlived their intended use.
When this will happen
We plan to retire these alert policies by mid-November.
How this affects your organization
The following default alert policies will be retired:
- Malware campaign detected after delivery
- Malware campaign detected in SharePoint and OneDrive
- Unusual increase in email reported as phish
- Malware Campaign detected and blocked
- Users targeted by malware campaigns
- Users targeted by phish campaigns
- Unusual volume of file deletion
- Unusual External User File Activity
- Unusual volume of external file sharing
As part of the retirement, the following changes will happen:
- These policies will no longer appear under ‘Default alert policies’ in the Microsoft 365 Defender portal or the Microsoft Purview compliance portal.
- Alerts that these policies have already generated remain in the Alerts queue until the data retention period for Microsoft Defender for Office 365 (refer to: Data retention information for Microsoft Defender for Office 365) is reached and the alerts expire.
What you should do to prepare
Review your existing alert policies, and the notifications, investigation playbooks and automation that depend on them, to determine whether you rely on any of the default policies listed above.
As a workaround, you can recreate the retired alert policies as custom alert policies so that these alerts continue to be generated. Create the replacements before the retirement date to avoid a gap in coverage.
There are two ways to replace these alerts:
- If you want a literal replacement of what is being retired, use the Anomaly or Threshold trigger to build the custom alert policy.
- If you want alerts that fire for specific users, groups or activities and that carry entity information, create scoped single-event alert policies instead.
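The following script is an added example and is not part of the Message Center notice or Microsoft's own guidance. It uses Security & Compliance PowerShell (the ExchangeOnlineManagement module, Get-ProtectionAlert and New-ProtectionAlert, which exist) to inventory the retiring default policies in a tenant and then recreate two of them as custom alert policies: one with the anomaly trigger as a literal replacement, and one as a scoped single-event alert. The notification mailbox, the site URL, the audit operation names (FileDeleted, SharingInvitationCreated, AnonymousLinkCreated) and the OPATH filter property name (Activity.SiteUrl) are assumptions for illustration; verify them against the Operation and Filter values of an existing policy in your tenant before relying on the alerts.

```powershell
# Added example, not from the Message Center notice.
# Requires the ExchangeOnlineManagement module and a role that can manage alert policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session (Purview)

# The nine default alert policies named in MC447684 as being retired.
$retiring = @(
    'Malware campaign detected after delivery',
    'Malware campaign detected in SharePoint and OneDrive',
    'Unusual increase in email reported as phish',
    'Malware Campaign detected and blocked',
    'Users targeted by malware campaigns',
    'Users targeted by phish campaigns',
    'Unusual volume of file deletion',
    'Unusual External User File Activity',
    'Unusual volume of external file sharing'
)

# 1. Inventory: which retiring policies exist in this tenant and who is notified by them.
#    A policy with NotificationEnabled = True and a NotifyUser list is one somebody relies on.
Get-ProtectionAlert |
    Where-Object { $retiring -contains $_.Name } |
    Select-Object Name, Disabled, NotificationEnabled, NotifyUser, Severity,
                  ThreatType, Operation, AggregationType, Filter |
    Format-Table -AutoSize

$notify = 'secops@contoso.example'   # assumed: mailbox that receives alert notifications

# 2a. Literal replacement using the anomaly trigger ("Unusual volume of file deletion").
#     AnomalousAggregation lets the service baseline normal deletion volume, so no
#     fixed Threshold/TimeWindow is supplied. 'FileDeleted' is assumed to be the
#     SharePoint/OneDrive audit operation that the retired policy watched.
New-ProtectionAlert -Name 'Custom - Unusual volume of file deletion' `
    -Category DataGovernance -ThreatType Activity -Operation FileDeleted `
    -AggregationType AnomalousAggregation -Severity Medium `
    -NotifyUser $notify -NotificationEnabled $true `
    -Description 'Replacement for retired default policy (MC447684)'

# 2b. Scoped single-event replacement for external sharing: AggregationType None raises
#     one alert per matching event, so each alert carries the user, file and site.
#     The filter restricts it to one site collection. The operation names and the
#     Activity.SiteUrl filter property are assumed; copy exact names from an existing
#     policy's Operation/Filter output in step 1.
New-ProtectionAlert -Name 'Custom - External sharing from Finance site' `
    -Category DataGovernance -ThreatType Activity `
    -Operation SharingInvitationCreated, AnonymousLinkCreated `
    -AggregationType None -Severity High `
    -Filter "Activity.SiteUrl -like 'https://contoso.sharepoint.com/sites/Finance*'" `
    -NotifyUser $notify -NotificationEnabled $true `
    -Description 'Scoped single-event replacement for retired external sharing policy (MC447684)'

# 3. Confirm the replacements exist and are enabled before the retirement date.
Get-ProtectionAlert |
    Where-Object { $_.Name -like 'Custom - *' } |
    Select-Object Name, Disabled, NotificationEnabled, AggregationType, Operation, Filter
```

Run step 1 first and keep its output: the NotifyUser, Severity and Filter values of the retiring policies are the specification for what your custom replacements must reproduce. Expect the anomaly-based replacement to stay quiet for a while after creation while the service establishes a baseline; the scoped single-event policy fires immediately on the first matching event, which is why it is worth scoping tightly rather than applying it tenant-wide.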
Message ID: MC447684
Platform: Online, World tenant