Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

MS Defender for O365 (MDO) - Default Alert Policies

Copper Contributor

Hello everyone - 


I'm totally new to MDO and been doing some labs. I want to implement a custom "A potentially malicious URL click was detected" & "A user clicked through to a potentially malicious URL​" to target only specific set of users (through group membership), but seems it's not possible. Is this correct, or there's other way to do it as I'm unable to find it through Alert Policy wizard?


Thank you.

3 Replies
You are correct, you cannot edit the users this policy applies to as it is a default policy. I'm struggling to think of a good reason to exclude users from this policy too because even the lowest privileged user can bring your org down by clicking on a malicious URL. It would be good to understand your thinking.
Thanks, Ash
Hello Ash - I want to have a separate alert policy as our organization has multiple different business divisions and we're all using one tenant. Since the default policy triggers an alert for everyone in the tenant, we're hoping a dedicated policy will trigger an alert only for our business division - not for the entire tenant.
Thanks for sharing your scenario akosijesyang. It's an interesting one. As far as I can see, your valid options are to disable the default policy and replace it with multiple granular policies, however I don't see the condition "activity is MaliciousUrlClick" as something you can add to a custom policy. The other options are to disable email notifications for the default alert policy so that the alert just appears as an alert within the console, or to change the recipients of the email notifications to something other than tenant admins. Not ideal, given your goal.
Thanks, Ash