Forum Discussion
Anthony-123
Nov 14, 2023 · Iron Contributor
Unable to find the security alert in M365 Defender referenced in an email alert.
This happens a lot. I get these emails from Office365Alerts notifying our team that "A medium-severity alert has been triggered". At the bottom of the email is a link to "View alert details". When I ...
ArkadiuszOpoczko
Mar 25, 2024 · Brass Contributor
Ok, got an update.
I had to close the first ticket because I wasn't getting anywhere.
Then I raised another one with Premium Support, and after 10 days of no update I was told they are gathering info and will update me. After a few days the case was closed without a word, and the engineer and his superiors from the signature never replied to my emails.
Then I raised yet another Premier Support ticket with the same info and sample alert emails from a test tenant, and got contacted by an engineer who also hopped on a remote. He said they are aware of this and this problem is being investigated with a high priority. We agreed to close it.
The engineer gave me 3 workarounds:
- create a custom policy as a copy of the default one, which should have the correct URL
- look for the alert in Compliance/Purview
- if the URL from the alert ID starts with "fa", e.g. https://security.microsoft.com/alerts/fa1234512345, simply remove the "fa" like this:
  https://security.microsoft.com/alerts/1234512345
  This way the alert will open in Security Admin Center, yay
Alan_Z
May 24, 2024 · Copper Contributor
The problem we ran into with the "fa" fix is that we cannot manage the alert; in other words, we cannot assign the alert to a team member, nor are we able to mark it as resolved.
We've given up trying to manage these Purview alerts in Defender, and are now exclusively managing these alerts in Purview (https://compliance.microsoft.com/compliancealerts).
OSGDak
May 30, 2024 · Copper Contributor
Ran into this for the first time today (5/30/24). Glad I came across this thread.