Set-ActivityAlert
This cmdlet is available only in Security & Compliance PowerShell. For more information, see Security & Compliance PowerShell.
Note: Activity alerts have been effectively replaced by alert policies and the corresponding *-ProtectionAlert cmdlets. For more information about alert policies, see Alert policies in Microsoft 365.
Use the Set-ActivityAlert cmdlet to modify activity alerts.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Set-ActivityAlert
[-Identity] <ComplianceRuleIdParameter>
[-Category <AlertRuleCategory>]
[-Condition <String>]
[-Confirm]
[-Description <String>]
[-Disabled <Boolean>]
[-EmailCulture <CultureInfo>]
[-Multiplier <Double>]
[-NotifyUser <MultiValuedProperty>]
[-Operation <MultiValuedProperty>]
[-RecordType <AuditRecordType>]
[-ScopeLevel <AlertScopeLevel>]
[-Severity <RuleSeverity>]
[-Threshold <Int32>]
[-TimeWindow <Int32>]
[-UserId <MultiValuedProperty>]
[-WhatIf]
[<CommonParameters>] Description
To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Defender portal or Permissions in the Microsoft Purview compliance portal.
Examples
Example 1
$NU = Get-ActivityAlert "Contoso Elevation of Privilege"
$NU.NotifyUser.Add("chris@fabrikam.com")
Set-ActivityAlert "Contoso Elevation of Privilege" -NotifyUser $NU.NotifyUserThis example adds the external user chris@fabrikam.com to the list of recipients that email notifications are sent to for the activity alert named Contoso Elevation of Privilege.
Note: To remove an existing email address from the list of recipients, change the value NotifyUser.Add to NotifyUser.Remove.
Example 2
Set-ActivityAlert -Identity "External Sharing Alert" -Disabled $trueThis example disables the existing activity alert named External Sharing Alert.
Parameters
-Category
The Category parameter specifies a category for the activity alert. Valid values are:
- None (This is the default value)
- DataLossPrevention
- ThreatManagement
- DataGovernance
- AccessGovernance
- Others
| Type: | AlertRuleCategory |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Condition
The Condition parameter specifies filter conditions for event aggregation.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Confirm
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
- Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax:
-Confirm:$false. - Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Description
The Description parameter specifies an optional description for the activity alert. If the value contains spaces, enclose the value in quotation marks (").
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Disabled
The Disabled parameter specifies whether the activity alert is enabled or disabled. Valid values are:
- $true: The activity alert is disabled.
- $false: The activity alert is enabled. This is the default value.
| Type: | Boolean |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-EmailCulture
The EmailCulture parameter specifies the language of the notification email message.
Valid input for this parameter is a supported culture code value from the Microsoft .NET Framework CultureInfo class. For example, da-DK for Danish or ja-JP for Japanese. For more information, see CultureInfo Class.
| Type: | CultureInfo |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Identity
The Identity parameter specifies the activity alert that you want to modify. You can use any value that uniquely identifies the activity alert. For example:
- Name
- Distinguished name (DN)
- GUID
| Type: | ComplianceRuleIdParameter |
| Position: | 1 |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Multiplier
The Multiplier parameter specifies the number of events that trigger an activity alert. The value of this parameter indicates a multiplier from a baseline value.
You can only use this parameter on activity alerts that have the Type property value AnomalousAggregation.
| Type: | Double |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-NotifyUser
The NotifyUser parameter specifies the email address of the recipients who will receive the notification emails. You can specify internal and external email addresses.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
To modify the existing list of recipients, see the Examples section.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Operation
The Operation parameter specifies the activities that trigger activity alerts.
A valid value for this parameter is an activity that's available in the Microsoft 365 audit log. For a description of these activities, see Audited activities.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
For the syntax that you use to modify an existing list of Operations values, see the Examples section.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-RecordType
The RecordType parameter specifies a record type label for the activity alert. For details about the available values, see AuditLogRecordType.
You can't use this parameter when the value of the Type parameter is ElevationOfPrivilege.
| Type: | AuditRecordType |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-ScopeLevel
The ScopeLevel parameter specifies the scope for activity alerts that use the Type parameter values SimpleAggregation or AnomalousAggregation. Valid values are:
- SingleUser (This is the default value)
- AllUsers
| Type: | AlertScopeLevel |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Severity
The Severity parameter specifies a severity level for the activity alert. Valid values are:
- None
- Low (This is the default value)
- Medium
- High
| Type: | RuleSeverity |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-Threshold
The Threshold parameter specifies the number of events that trigger an activity alert in the time interval that's specified by the TimeWindow parameter. The minimum value for this parameter is 3.
You can only use this parameter on activity alerts that have the Type property value SimpleAggregation.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-TimeWindow
The TimeWindow parameter specifies the time window in minutes that's used by the Threshold parameter.
You can only use this parameter on activity alerts that have the Type property value SimpleAggregation.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-UserId
The UserId parameter specifies who you want to monitor.
- If you specify a user's email address, you'll receive an email notification when the user performs the specified activity. You can specify multiple email addresses separated by commas.
- If this parameter is blank ($null), you'll receive an email notification when any user in your organization performs the specified activity.
You can enter multiple values separated by commas. If the values contain spaces or otherwise require quotation marks, use the following syntax: "Value1","Value2",..."ValueN".
You can only use this parameter on activity alerts that have the Type property values Custom or ElevationOfPrivilege.
For the syntax that you use to modify an existing list of UserId values, see the Examples section.
| Type: | MultiValuedProperty |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |
-WhatIf
The WhatIf switch doesn't work in Security & Compliance PowerShell.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance |