Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

How can I delete a "test" Audit Log Search Alert Policy?

Brass Contributor
Hi there, I've created a "test" Audit Log Search Alert Policy in the Security & Compliance portal for alerting me if there was any files deleted on our SharePoint. Now is there a way to delete this policy, cause apparently this alert is nowhere to be find? I've stopped the Audit Recording, but I still get those emails. In my alert overview the created alert isn't visible. Anyone got an idea? Thanks! Nicky
4 Replies
best response confirmed by Deleted
Solution

Depending on the licenses you have, the alert might end up in a "hidden" section of the portal. You can access it directly via: https://protection.office.com/#/managealerts

 

Or go to the SCC -> Alerts -> Dashboard -> click Activity Alerts under the Other alerts widget -> select and delete the alert.

Thanks! Now I can see and disable the created alerts, but deleting them gives me the following error: "We cannot force delete rule '' since it is not in pending deletion state. Details of the error are: Request: /api/ActivityAlert/Delete Status code: 500 Exception: Microsoft.Exchange.PswsClient.PswsException Diagnostic information: {Version:16.00.2051.000,Environment:WEUPROD,DeploymentId:7bf1c951f4354dd78116b92e983c3a03,InstanceId:WebRole_IN_0,SID:8a068312-c483-4ac4-b5d8-9b431de6f7ae,CID:8ae983b5-4a30-40c2-9593-a245b69c04d4} Time: 2017-11-29T18:50:34.0947527Z Anyone got an idea? Thanks!

Oh well, try PowerShell then. Get-ActivityAlert will show you the alerts, Remove-ActivityAlert will remove them. If you need help connecting to the SCC via PowerShell read here: https://technet.microsoft.com/en-us/library/mt587092(v=exchg.160).aspx

Hi @Vasil Michev, worked like a charm! Thanks, you're a hero! :D

1 best response

Accepted Solutions
best response confirmed by Deleted
Solution

Depending on the licenses you have, the alert might end up in a "hidden" section of the portal. You can access it directly via: https://protection.office.com/#/managealerts

 

Or go to the SCC -> Alerts -> Dashboard -> click Activity Alerts under the Other alerts widget -> select and delete the alert.

View solution in original post