Forum Discussion
Unable to find the security alert in M365 Defender referenced in an email alert.
I have noticed the very same issue on several tenants. This is still present as of February 2024.
Same pattern here:
- alert is received with a URL "https://security.microsoft.com/alerts/unique_alert_ID_here"
- when followed, it opens up Security Admin Center and shows an error "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string.", not being able to locate the alert
- when I substitute security with compliance in the URL like this "https://compliance.microsoft.com/alerts/unique_alert_ID_here" it goes straight away to the details of the alert in question in the right - Compliance - Admin Center
I have raised a ticket with Microsoft but I'm getting nowhere.
I'm being asked to open up the alert again and record logs with Fiddler and Steps Recorder and provide sample alerts on and on, which I did once a week ago.
Now I'm being asked to do the same again. It seems that the engineer completely disregards the nature of the issue, symptoms and doesn't want to acknowledge that this is 100% a fault at the core of the internal template at the time of alert creation, not related to tenant, browser, user, whatever.
Seems like they haven't updated it after Security & Compliance ACs were separated into two.
It feels like I'm talking to a robot.
Hope we can get this resolved eventually.
I had to close the first ticket because I wasn't getting anywhere.
Then I raised another one with Premium Support and after 10 days of no update I was told they are gathering info and will update me. After a few days the case was closed without a word, and the engineer and his superiors from the signature never replied to my emails.
Then I raised yet another Premier Support ticket with the same info and sample alert emails from a test tenant, and got contacted by an engineer who also hopped on a remote. He said they are aware of this and this problem is being investigated with a high priority. We have agreed to close it.
The engineer gave me 3 workarounds:
- create a custom policy as a copy of the default one that should have the correct URL
- look for the alert in Compliance/Purview
- if the alert ID in the URL starts with "fa", e.g. https://security.microsoft.com/alerts/fa1234512345, simply remove the "fa" like this:
https://security.microsoft.com/alerts/1234512345
this way the alert will open in Security Admin Center, yay
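
The two link workarounds from the post above (swap the host to compliance.microsoft.com, or drop a leading "fa" from the alert ID), applied to the text of an alert email. This is an added example, not part of the original post and not Microsoft code; the function names and the sample email are constructed, and the rewritten links are only as reliable as the workarounds reported in the thread.

```python
import re
from urllib.parse import urlsplit

# Alert links of the form quoted in the post.
ALERT_URL = re.compile(r"https://security\.microsoft\.com/alerts/[^\s\"'<>]+")

def workaround_links(alert_url):
    """Return candidate links to try for one alert URL, in order of preference."""
    parts = urlsplit(alert_url)
    # Only rewrite genuine portal links; anything else is left alone.
    if parts.scheme != "https" or parts.hostname != "security.microsoft.com":
        return []
    prefix, sep, alert_id = parts.path.partition("/alerts/")
    if prefix or not sep or not alert_id:
        return []
    links = []
    # Workaround 3 from the post: drop a leading "fa" from the alert ID.
    if alert_id.startswith("fa") and len(alert_id) > 2:
        links.append("https://security.microsoft.com/alerts/" + alert_id[2:])
    # Workaround 2 / the host substitution: open it in the Compliance portal.
    links.append("https://compliance.microsoft.com/alerts/" + alert_id)
    return links

def rewrite_email(body):
    """Map every alert link found in an email body to its candidate links."""
    found = (u.rstrip(".,)") for u in ALERT_URL.findall(body))
    return {u: workaround_links(u) for u in found}

# Constructed sample email text (the ID is the placeholder used in the post).
SAMPLE_EMAIL = """A medium-severity alert has been triggered.
View alert: https://security.microsoft.com/alerts/fa1234512345.
Policy settings: https://security.microsoft.com/alertpolicies
"""

if __name__ == "__main__":
    for original, candidates in rewrite_email(SAMPLE_EMAIL).items():
        print(original)
        for link in candidates:
            print("  try:", link)
```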