Forum Discussion

Brass Contributor

Feb 28, 2025

Solved

Configuring 'Quarantine release request' alert via powershell?

I'm working on a big fat script to configure the Threat policies in compliance with Secure Score. I'd like to configure a quarantine policy allowing the user to request release (done), that emails th...

VasilMichev
Mar 04, 2025
You cannot modify built-in policies, as mentioned in the documentation:

Note: You can't use this cmdlet to edit default alert policies. You can only modify alerts that you created using the New-ProtectionAlert cmdlet.

The UI uses a different API to update policies ("policy overrides"), which is not exposed via any PowerShell cmdlet, afaik.

As for creating the alert, try specifying "-AggregationType None", as "advanced" aggregations are one of the conditions that require premium licensing.

VasilMichev

MVP

Mar 04, 2025

You cannot modify built-in policies, as mentioned in the documentation:

Note: You can't use this cmdlet to edit default alert policies. You can only modify alerts that you created using the New-ProtectionAlert cmdlet.

The UI uses a different API to update policies ("policy overrides"), which is not exposed via any PowerShell cmdlet, afaik.

As for creating the alert, try specifying "-AggregationType None", as "advanced" aggregations are one of the conditions that require premium licensing.

underQualifried

Brass Contributor

Mar 04, 2025

VasilMichevThank you, adding that param bypassed the licensing requirements!

I had to also specify Operation for it to go through, but I just checked the web end and it looks good.. Full command I used (for google's sake)

PS C:\WINDOWS\system32> New-ProtectionAlert -AggregationType None -Operation QuarantineRequestReleaseMessage -Category ThreatManagement -name someName -NotifyUser email address removed for privacy reasons -ThreatType Activity