DEMO: Configure an Alert Policy
Start course

By the time you finish this course, you should have a good understanding of the reporting and alerting options in Microsoft Defender for Office 365. We'll start off with a lesson on the reporting options in Defender for Office 365 where we'll quickly touch on the reports that are available, and we'll then work through a quick reporting demonstration. We'll run through alerting and you'll learn about alert policies. A guided demonstration will then show you how to create an alert policy.

Learning Objectives

  • Learn about reporting in Microsoft 365 Defender for Office 365
  • Learn how to view reports
  • Learn about alerts and alert policies in Defender
  • Configure an alert policy

Intended Audience

This quick-hitting course is intended for those who wish to learn about the reporting and alerting options in Microsoft Defender for Office 365.


To get the most out of this course, you should have a basic understanding of Office 365.


Hello and welcome back. What we're gonna do here in this brief demonstration is create an alert policy. Now on the screen here, you can see I'm logged in to the office 365 security and compliance dashboard and I'm logged in as a global admin.

Now from security and compliance to create an alert policy, we simply select the dropdown for alerts here in the left navigation pane. And then from here, we can look at the dashboard for alerts, we can view alerts, we can manage alert policies and then we can manage advanced alerts. And I talked about these options in the previous lesson. What we're gonna do here is go into alerts policies, and what we'll do is create a new alert policy.

Now, what we could do is select an existing policy here and then edit the policy. But what we're gonna do in this demonstration is create a new policy. So we'll go ahead and click new alerts policy and I'll just call this my policy here. Now the description here is optional, but we do need to specify severity and category.

If we select the dropdown here for severity, we have three choices. We can look for high severity instances, medium instances, or low. What we'll do is select high for this demonstration. And then in the category box, we can specify the type of a threat that we're looking for.

So for this instance here, we'll select threat management. And then what we'll do is we'll click next. And then what we need to do in the alert settings page is tell the alert what activity do we want to alert on. So we'll go ahead and select the drop down here, and we can see, we have some common user activities. Fishing, user submitted email, malware and we can scroll down and see all kinds of information, all kinds of activity we can alert on. What we'll do here is just select detected malware and file. So basically what this alert will do is let us know when office 365 detects malware in either a SharePoint or OneDrive file.

Now in this add a condition dropdown here we can specify a couple of different conditions. We can limit our alerting to a specific IP address or to a specific user. We can also limit the alerting of this detected malware to specific file names or site collection URLs or even to specific file extensions. We're not gonna do any limits here, so we'll leave the conditions empty. So essentially this means it's just gonna look for any files that have detected malware in them.

We only have one option here regarding how we want the alert to be triggered. And in this case it's every time an activity matches the rule we're creating. So anytime it finds detected malware in either a SharePoint or a OneDrive file, it's gonna trigger the alert. So we'll go ahead and next it. And then here we can decide if we want to notify people when the alert gets triggered. By default it's gonna notify the admin account, so we'll leave that default here.

Now this daily notification limit allows you to limit the number of alerts you receive. The default here is no limit because typically you'd want to know any time the alert is triggered because there's some kind of malware detected. So we'll leave this at its default of no limit but you notice we can go up to 200 or as few as one. So I'll leave that selected at no limit. We'll next it. And then what we can do here is review our settings. And then what we can do down the bottom here is we can either finish creating the alert policy and then turn it on right away, or we can finish creating the policy but keep it off until we wanna turn it on later. The default here is to turn it on right away 'cause that's typically what you would do. So we'll go ahead and accept the default here and we'll go ahead and finish.

And there you have it. We now have a new alert policy that targets high severity events in the threat management category.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.