Defender 365 alert policy exceptions/whitelist

Anonymous
2022-10-06T12:49:02+00:00

I'm new to our Defender 365 environment and am getting inundated with alerts/incidents for "Unusual external file activity." The file activity that happens is from one of our trusted outside vendors accessing our SharePoint site, and I can't for the life of me figure out a way to whitelist them so they're not alerted on.

I tried recreating the policy and adding an "equals none of" condition with the URLs, which didn't work, and I also tried "equals none of" for the user accounts... nothing works. What am I missing?

Microsoft 365 and Office | Microsoft 365 Defender | Other | Other

Locked Question. This question was migrated from the Microsoft Support Community.

3 answers

  1. Anonymous
    2022-10-06T15:17:20+00:00

    Hello Koakd,

    Thanks for reaching out here regarding this query.

    The 365 Defender generates that alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files.

    Essentially, the alert will keep existing as long as the Defender doesn't recognize your outside vendor as one within your organization.

    For more details, check out:

    https://learn.microsoft.com/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide

    Sorry for the inconvenience caused.

    Warm regards, Albert

    1 person found this answer helpful.
  2. Anonymous
    2022-10-08T12:19:36+00:00

    Hi, Koakd. Thank you for your question and reaching out. My name is John and I’d be more than happy to help you with your query.

    I am so sorry about that. The error you got means that it sends out a warning whenever people from outside your company do an unusually high number of operations on files stored in SharePoint or OneDrive. This comprises operations like file access, file download, and file deletion. For more information, please see https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide

    Please don't hesitate to post back for further questions. Best regards, John

  3. Anonymous
    2022-10-06T17:58:36+00:00

    Thanks Albert. To clarify what you're saying, I can't whitelist users, domains, or URLs from the Alert policy, I'll have to create custom detection rules to do this. Correct?

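
The logic of a detection that counts external file activity while skipping a trusted vendor, sketched offline in Python as an added example (not part of the thread and not Microsoft's implementation). The record fields are modelled on an exported audit log; the records, vendor domain, tenant name and threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumptions (not from the thread): field names, domains and threshold.
FILE_OPS = {"FileAccessed", "FileDownloaded", "FileDeleted"}
TRUSTED_VENDOR_DOMAINS = {"vendor.example"}   # placeholder allowlist
THRESHOLD = 5                                 # events per user per window
WINDOW = timedelta(hours=1)

def external_domain(user_id):
    """Return the home domain of a guest UPN (name_domain#EXT#@tenant), else None."""
    local, marker, _ = user_id.lower().partition("#ext#")
    if not marker or "_" not in local:
        return None                           # internal or unparseable account
    return local.rsplit("_", 1)[1]

def detect(records, now):
    """Return {user: count} for non-allowlisted external users at or over THRESHOLD."""
    counts = Counter()
    for r in records:
        ts = datetime.fromisoformat(r["CreationTime"])
        if r["Operation"] not in FILE_OPS or not (now - WINDOW < ts <= now):
            continue
        domain = external_domain(r["UserId"])
        # Exact match on the whole domain: a substring or suffix test would
        # also exempt look-alikes such as "vendor.example.other.test".
        if domain is None or domain in TRUSTED_VENDOR_DOMAINS:
            continue
        counts[r["UserId"]] += 1
    return {u: n for u, n in counts.items() if n >= THRESHOLD}

def make(user, op, minute):                   # builds one constructed record
    return {"CreationTime": f"2022-10-06T12:{minute:02d}:00",
            "Operation": op, "UserId": user, "Workload": "SharePoint"}

# Constructed sample data: trusted vendor, unknown guest, look-alike, internal user.
VENDOR = "pat_vendor.example#EXT#@contoso.onmicrosoft.com"
UNKNOWN = "sam_other.example#EXT#@contoso.onmicrosoft.com"
LOOKALIKE = "kim_vendor.example.other.test#EXT#@contoso.onmicrosoft.com"
SAMPLE = ([make(VENDOR, "FileDownloaded", m) for m in range(20)]
          + [make(UNKNOWN, "FileAccessed", m) for m in range(6)]
          + [make(LOOKALIKE, "FileDeleted", m) for m in range(5)]
          + [make("alice@contoso.com", "FileAccessed", m) for m in range(30)])

if __name__ == "__main__":
    print(detect(SAMPLE, datetime(2022, 10, 6, 12, 49)))
```

Scoping the exclusion to an exact vendor domain keeps other guests, including look-alike domains, inside the detection.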