Protection Alert Notifications [CHK-1420]
This check verifies that in-scope system Protection Alert rules in Microsoft 365 are forwarding notifications to the configured email addresses. Coverage can be achieved either directly on the system rule itself or via custom [ATTIC] copies created by Attic.
Microsoft 365 includes built-in Protection Alert rules that detect suspicious activities and security threats across the tenant. These rules generate alerts for events such as malware detections, phishing campaigns, and unusual admin activities. By default, these alerts are only sent to global admin accounts, which may not be monitored consistently.
Rationale
Security alerts are time-sensitive. When a Protection Alert fires — for example, detecting a phishing campaign or malware delivery — the response team needs to be notified immediately. If alerts only go to global admin mailboxes that are not actively monitored, critical security events can go unnoticed for hours or even days.
Microsoft does not allow modifying the notification recipients on built-in system Protection Alert rules. This is a significant limitation for organizations that rely on a dedicated security mailbox or a shared SOC inbox to triage alerts. To work around this, Attic creates custom copies of the relevant system rules (prefixed with [ATTIC]) that forward notifications to the configured email addresses.
The check evaluates coverage based on a configurable severity threshold. By default, only High severity rules are in scope, but this can be extended to include Medium and Low severity rules. Rules that use internal Microsoft alert pipelines (non-Activity ThreatType) are excluded because they cannot be replicated as custom Protection Alerts.
Fix
An automated fix is available through Attic.
When applied, the fix creates or updates [ATTIC] copies of uncovered system Protection Alert rules with the configured notification recipients. If a copy already exists but is missing some of the required email addresses, the fix adds the missing addresses.
Manual steps:
- Open the Microsoft Purview compliance portal and navigate to Policies > Alert policy
- Identify the system alert rule that needs coverage
- Create a new custom alert policy with the same Operation and Severity as the system rule
- Name it [ATTIC] <original rule name> to maintain consistency
- Set the notification recipients to the required email addresses
- Enable the alert policy
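The coverage evaluation described under Rationale and the manual fix steps above, as an added PowerShell example (not Attic's own code). It assumes the rule objects carry the Name, Severity, ThreatType, NotifyUser and IsSystemRule properties of Get-ProtectionAlert output (Security & Compliance PowerShell, after Connect-IPPSSession); the sample data below is constructed so the function can be run offline.

```powershell
# Added example, not Attic's code: evaluate CHK-1420 coverage for in-scope system rules.
# Assumes Get-ProtectionAlert-style objects with Name, Severity, ThreatType, NotifyUser, IsSystemRule.
function Test-ProtectionAlertCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string[]] $RequiredRecipients,
        [ValidateSet('Low', 'Medium', 'High')] [string] $SeverityThreshold = 'High'
    )
    $rank = @{ Low = 1; Medium = 2; High = 3 }

    # Index custom rules by name so "[ATTIC] <system rule name>" copies can be looked up
    $customByName = @{}
    foreach ($c in ($Rules | Where-Object { -not $_.IsSystemRule })) { $customByName[$c.Name] = $c }

    foreach ($rule in $Rules) {
        if (-not $rule.IsSystemRule) { continue }                      # only system rules are checked
        if ($rule.ThreatType -ne 'Activity') { continue }                # internal pipelines cannot be copied
        if ($rank[$rule.Severity] -lt $rank[$SeverityThreshold]) { continue }  # below threshold: out of scope

        $copy = $customByName["[ATTIC] $($rule.Name)"]
        # Coverage counts addresses on the system rule itself OR on its [ATTIC] copy
        $recipients = @($rule.NotifyUser) + @($copy.NotifyUser)
        $missing = @($RequiredRecipients | Where-Object { $recipients -notcontains $_ })
        [pscustomobject]@{
            Rule    = $rule.Name
            Covered = ($missing.Count -eq 0)
            Via     = if ($copy) { $copy.Name } else { 'system rule' }
            Missing = $missing   # what the fix would add with Set-ProtectionAlert -NotifyUser
        }
    }
}

# Constructed sample standing in for Get-ProtectionAlert output (names are placeholders)
$required = 'soc@contoso.example', 'secops@contoso.example'
$sample = @(
    [pscustomobject]@{ Name = 'System rule A'; Severity = 'High';   ThreatType = 'Activity'; IsSystemRule = $true;  NotifyUser = $required }
    [pscustomobject]@{ Name = 'System rule B'; Severity = 'High';   ThreatType = 'Activity'; IsSystemRule = $true;  NotifyUser = @('admin@contoso.example') }
    [pscustomobject]@{ Name = '[ATTIC] System rule B'; Severity = 'High'; ThreatType = 'Activity'; IsSystemRule = $false; NotifyUser = $required }
    [pscustomobject]@{ Name = 'System rule C'; Severity = 'High';   ThreatType = 'Activity'; IsSystemRule = $true;  NotifyUser = @('admin@contoso.example') }
    [pscustomobject]@{ Name = '[ATTIC] System rule C'; Severity = 'High'; ThreatType = 'Activity'; IsSystemRule = $false; NotifyUser = @('soc@contoso.example') }
    [pscustomobject]@{ Name = 'System rule D'; Severity = 'High';   ThreatType = 'Malware';  IsSystemRule = $true;  NotifyUser = @() }
    [pscustomobject]@{ Name = 'System rule E'; Severity = 'Medium'; ThreatType = 'Activity'; IsSystemRule = $true;  NotifyUser = @() }
)

# Expected: A covered directly, B covered via its copy, C uncovered (secops@ missing on the copy),
# D skipped (non-Activity ThreatType), E skipped at the default High threshold.
Test-ProtectionAlertCoverage -Rules $sample -RequiredRecipients $required | Format-Table -AutoSize
```

Passing -SeverityThreshold Medium brings rule E into scope, mirroring the configurable threshold the check exposes.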
Impact
When the check passes, all in-scope system Protection Alert rules are forwarding notifications to the required email addresses, either directly or through [ATTIC] copies.
When the check fails, one or more system rules are not covered. This means security alerts from those rules may only reach global admin accounts and could be missed. Applying the fix creates the necessary [ATTIC] copies to ensure full coverage.
The fix does not modify or disable any existing system rules. It only creates additional custom alert policies that mirror the detection logic and forward notifications to the configured mailboxes.