MS Defender for O365 (MDO) - Default Alert Policies


Hello everyone - 


I'm totally new to MDO and have been doing some labs. I want to implement custom "A potentially malicious URL click was detected" and "A user clicked through to a potentially malicious URL" alert policies that target only a specific set of users (through group membership), but it seems this isn't possible. Is this correct, or is there another way to do it? I'm unable to find one through the Alert Policy wizard.


Thank you.

Hi,

You are correct, you cannot edit the users this policy applies to, as it is a default policy. I'm struggling to think of a good reason to exclude users from this policy too, because even the lowest-privileged user can bring your org down by clicking on a malicious URL. It would be good to understand your thinking.

Thanks, Ash

Hello Ash - I want to have a separate alert policy, as our organization has multiple business divisions and we're all using one tenant. Since the default policy triggers an alert for everyone in the tenant, we're hoping a dedicated policy will trigger an alert only for our business division, not for the entire tenant.

Thanks for sharing your scenario, akosijesyang. It's an interesting one. As far as I can see, your valid options are to disable the default policy and replace it with multiple granular policies; however, I don't see the condition "activity is MaliciousUrlClick" as something you can add to a custom policy. The other options are to disable email notifications for the default alert policy, so that the alert just appears as an alert within the console, or to change the recipients of the email notifications to something other than tenant admins. Not ideal, given your goal.

Thanks, Ash
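The two workarounds Ash describes (re-pointing the default policies' email recipients, or turning their email off and leaving the alert in the console) can be applied from Security & Compliance PowerShell rather than the portal. The script below is an added example and is not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role that can manage alert policies, and that the default policies accept the NotifyUser and NotificationEnabled changes through Set-ProtectionAlert the way they do in the portal (an assumption; verify with Get-ProtectionAlert afterwards). The mailbox address is a placeholder.

```powershell
# Added example (not from the original thread): adjust the two default
# "potentially malicious URL" alert policies from Security & Compliance
# PowerShell. Assumes the ExchangeOnlineManagement module is installed and the
# account has rights to manage alert policies. The mailbox below is a placeholder.

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 1. Find the default URL-click policies by display name and show who currently
#    receives their email. Both default names contain "potentially malicious URL".
$urlPolicies = Get-ProtectionAlert |
    Where-Object { $_.Name -like '*potentially malicious URL*' }

$urlPolicies |
    Select-Object Name, Disabled, Severity, NotificationEnabled, NotifyUser |
    Format-Table -AutoSize

# 2. Option A: send the notification to a divisional mailbox instead of the
#    tenant admins. The alert still fires for every user in the tenant; only
#    the recipient changes. (Assumption: default policies accept this change.)
$divisionMailbox = 'mdo-alerts-divisionA@contoso.example'   # placeholder address
foreach ($policy in $urlPolicies) {
    Set-ProtectionAlert -Identity $policy.Name -NotifyUser $divisionMailbox
}

# 3. Option B (instead of A): keep the alert in the console only, with no email.
#    (Assumption: default policies accept NotificationEnabled changes.)
# foreach ($policy in $urlPolicies) {
#     Set-ProtectionAlert -Identity $policy.Name -NotificationEnabled $false
# }

# 4. Re-read the policies to confirm the change actually applied; if a default
#    policy rejects the edit, the portal is the fallback for these two settings.
Get-ProtectionAlert |
    Where-Object { $_.Name -like '*potentially malicious URL*' } |
    Select-Object Name, NotificationEnabled, NotifyUser |
    Format-Table -AutoSize
```

Note that neither option scopes the detection itself to a business division; every tenant user who clicks a flagged URL still raises the alert. The divisional mailbox in Option A is where a downstream filter on the affected user would have to live, which is exactly the compromise Ash calls "not ideal".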