Defender 365 - SmartAlerts: User exfiltrating sensitive information via Removable Media

In the past few days we have started seeing incidents/alerts for "SmartAlerts: User exfiltrating sensitive information via Removable Media". We do not believe we have enabled any features or created policies which would start generating these incidents/alerts.


Is this something new from Microsoft as I cannot find any information on it?


Anyone able to help please?





3 Replies


We started getting these a few days ago. Sure would be nice if Microsoft could explain what these are.

@MikeP751860 We have the same across multiple clients.  

I can't find any documentation on this either. Why did it happen, and where can we tune this?

Hi Mike,

We too have started getting these. I have been searching pretty hard to find information about them. I just found this today, and I also found a page that does talk about SmartAlerts a bit and wanted to share it with the community.

You can find them talking about SmartAlerts in line item #3.

Hopefully this helps out. I know for me it did and I understand the system a bit more. However, you cannot tune these from my understanding... Nor have I found anywhere else that has talked about them.