
Anthony-123
Iron Contributor
Nov 14, 2023

Unable to find the security alert in M365 Defender referenced in an email alert.

This happens a lot. I get these emails from Office365Alerts notifying our team that "A medium-severity alert has been triggered". At the bottom of the email is a link to "View alert details". When I click that, the site shows an error: "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string."

So, then I go to the Alerts view and filter to show everything (at least I think I am) but there's nothing related to this particular alert (unusual volume of file sharing). Where did it go?

EDIT: Including a screenshot of another email I got today. The result of clicking the 'View alert details' is again the same.  

  • Oderbang
    Brass Contributor
    Still an issue 06/09/2024!

    Removing "fa" from the UUID worked for me.
    • bbrichwatkins
      Copper Contributor

      Brilliant! Worked for me. But why MSFT?

      EDIT: As suspected, this was due to an issue in the service, miscategorizing the action. In yesterday's case it was a Google link click identified as malicious. Advisory: EX892568

  • SysadminJL
    Copper Contributor
    We have the same issue for "MailRedirect. This alert is triggered whenever someone gets access to read your user's email" type alerts.

    The workaround ArkadiuszOpoczko mentions, removing "fa" from the alert ID, works.
  • Anthony-123 

    I have noticed the very same issue on several tenants. This is still present as of February 2024.

    Same pattern here:
    - alert is received with a URL "https://security.microsoft.com/alerts/unique_alert_ID_here"
    - when followed opens up Security Admin Center and shows an error "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string." not being able to locate the alert
    - when I substitute security to compliance in the URL like this "https://compliance.microsoft.com/alerts/unique_alert_ID_here" it goes straight away to the details of the alert in question in the right - Compliance - Admin Center

     

    I have raised a ticket with Microsoft but I'm getting nowhere.
    I'm being asked to open up the alert again and record logs with Fiddler and Steps Recorder and provide sample alerts on and on, which I did once a week ago.

    Now I'm being asked to do the same again. It seems that the engineer completely disregards the nature of the issue, symptoms and doesn't want to acknowledge that this is 100% a fault at the core of the internal template at the time of alert creation, not related to tenant, browser, user, whatever.
    Seems like they haven't updated it after Security & Compliance ACs were separated into two.
    It feels like I'm talking to a robot.

    Hope we can get this resolved eventually.

    • ArkadiuszOpoczko
      Brass Contributor
      Ok, got an update.

      I had to close the first ticket because I wasn't getting anywhere.
      Then I raised another one with Premium Support and after 10 days of no update was told they are gathering info and will update me. After a few days the case was closed without a word, and the engineer and his superiors from the signature never replied to my emails.

      Then I had raised yet another Premier Support ticket with the same info, sample alert emails from test tenant and got contacted by an engineer that also hopped on a remote. He said they are aware of this and this problem is being investigated with a high priority. We have agreed to close it.

      The engineer gave me 3 workarounds:
      - create a custom policy as a copy of the default one that should have correct URL
      - look for the alert in Compliance/Purview
      - if the alert ID in the URL starts with "fa", e.g. https://security.microsoft.com/alerts/fa1234512345, simply remove the "fa" like this:
      https://security.microsoft.com/alerts/1234512345
      this way the alert will open in Security Admin Center, yay
      • Alan_Z
        Copper Contributor
        The problem we ran into with the "fa" fix, is that we cannot manage the alert, in other words, we cannot assign the alert to a team member, nor are we able to mark it as resolved.
        We've given up with trying to manage these Purview alerts in Defender, and are now exclusively managing these alerts in Purview (https://compliance.microsoft.com/compliancealerts)
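
The link rewrites described in this thread (dropping the leading "fa" on security.microsoft.com, or opening the same ID on compliance.microsoft.com), collected into one helper as an added example that is not from any poster or from Microsoft; the function name and labels are hypothetical, and the hosts, paths and "fa" prefix are only those quoted above. It rebuilds every URL from fixed hosts and refuses anything that is not an https security.microsoft.com alert link, so a link copied from a look-alike notification is never rewritten.

```python
from urllib.parse import urlsplit

# Hosts and paths are the ones quoted in the thread; names here are hypothetical.
DEFENDER_HOST = "security.microsoft.com"
COMPLIANCE_HOST = "compliance.microsoft.com"
PURVIEW_ALERTS = "https://compliance.microsoft.com/compliancealerts"


def alert_link_candidates(link):
    """Return (label, url) pairs to try for a 'View alert details' link."""
    parts = urlsplit(link.strip())
    # urlsplit().hostname ignores userinfo, so "security.microsoft.com@other"
    # resolves to "other" and is rejected here.
    if parts.scheme != "https" or parts.hostname != DEFENDER_HOST:
        raise ValueError(f"not a Defender portal alert link: {link!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "alerts":
        raise ValueError(f"unexpected path in alert link: {link!r}")
    alert_id = segments[1]

    candidates = []
    if alert_id.startswith("fa") and len(alert_id) > 2:
        # Workaround from the thread. A poster reports that an alert opened
        # this way could not be assigned or marked as resolved.
        candidates.append(
            ("defender-without-fa", f"https://{DEFENDER_HOST}/alerts/{alert_id[2:]}")
        )
    # Same ID on the compliance host, then the Purview alert list as a fallback.
    candidates.append(("purview-same-id", f"https://{COMPLIANCE_HOST}/alerts/{alert_id}"))
    candidates.append(("purview-alert-list", PURVIEW_ALERTS))
    return candidates


if __name__ == "__main__":
    # Sample link in the form quoted in the thread.
    sample = "https://security.microsoft.com/alerts/fa1234512345"
    for label, url in alert_link_candidates(sample):
        print(f"{label:20} {url}")
```
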
    • muttersda
      Copper Contributor
      For what it's worth, I'm also seeing this problem as of March 2024. I'll try my luck at opening a ticket...
      • rayers1235
        Copper Contributor

        Yes, as of 3/24/24 this bug still exists.

        Robert

    • Anthony-123
      Iron Contributor

      It's in my original post - "Can't find it. Either what you are looking for doesn't exist or you need to use a different search string."

      • Edelx
        Copper Contributor
        Hi, I hope you found the correct location of these alerts.
        Today I had the same problem. For some reason, the link that Microsoft sends is not correct. I suppose that they will solve it in the future. This is the right location:
        https://compliance.microsoft.com/compliancealerts
        Regards
  • LeonPavesic
    Silver Contributor

    Hi Anthony-123,

    Are you opening this link in a browser logged in as an Administrator or a normal user?

    Try to click on the "View alert details" with the right mouse button, then click on "Copy hyperlink" and paste it in a browser where you are already logged in as an Administrator, or paste it in a Private Mode browser and log in with your Admin user.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

    • Anthony-123
      Iron Contributor
      I'm logged in as myself, the admin.
      I can use the filter to find other alerts. Is there some way to see if these particular alerts aren't visible to me?
      • LeonPavesic
        Silver Contributor

        Hi Anthony-123,

        just to eliminate all, can you try to reset the filter completely and try to see if you can find this alert in the list of all alerts.

        You can use "CTRL" + "F" and try to search for Unusual volume of file sharing


        If you can't find it, are you a Global Administrator, what kind of Admin is your user? Do you have a Global Admin user to test it (open this) alert?


        Kindest regards,


        Leon Pavesic