Commit 831434a

Merge pull request #3277 from denisebmsft/docs-editor/alert-policies-1742941871
Update alert-policies.md
2 parents 58fb618 + 91deb8b commit 831434a

1 file changed

+3
-3
lines changed

defender-xdr/alert-policies.md

Lines changed: 3 additions & 3 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: "Microsoft 365 alert policies"
2+
title: Alert policies in the Microsoft Defender portal
33
f1.keywords:
44
- NOCSH
55
ms.author: diannegali
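Review bot: The new `title:` value at line 2 drops the double quotes that the old value carried, while `description:` at line 23 of the same front matter is still quoted. The unquoted string is valid YAML as written because it contains no colon or other special character, but the mixed style makes it easy for a later edit that adds a colon to the title to break the front matter. Suggest keeping the quotes: `title: "Alert policies in the Microsoft Defender portal"`.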
@@ -23,7 +23,7 @@ ms.custom:
2323
description: "Create alert policies in the Microsoft Defender portal to monitor potential threats."
2424
---
2525

26-
# Alert policies in Microsoft 365
26+
# Alert policies in the Microsoft Defender portal
2727

2828
You can use alert policies and the alerts dashboard in the Microsoft Defender portal to create alert policies and then view the alerts that are generated when users perform activities that match the conditions of an alert policy. There are several default alert policies that help you monitor activities, such as assigning admin privileges in Exchange Online, malware attacks, phishing campaigns, and unusual levels of file deletions or external sharing.
2929

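Review bot: With the H1 at line 26 now naming the Microsoft Defender portal, the unchanged opening sentence at line 28 reads circularly: "You can use alert policies and the alerts dashboard in the Microsoft Defender portal to create alert policies and then view the alerts ...". Since this commit is already aligning the title and heading with the description at line 23, consider tightening that sentence in the same change, for example "Use alert policies and the alerts dashboard in the Microsoft Defender portal to view the alerts that are generated when ...". The commit message "Update alert-policies.md" also gives no reason for the rename from "Microsoft 365"; a one-line rationale would help later readers of the history.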
@@ -96,7 +96,7 @@ You can also define user tags as a condition of an alert policy. This definition
9696
- **When the alert is triggered**. You can configure a setting that defines how often an activity can occur before an alert is triggered. This allows you to set up a policy to generate an alert every time an activity matches the policy conditions, when a certain threshold is exceeded, or when the occurrence of the activity the alert is tracking becomes unusual for your organization.
9797

9898
![Configure how alerts are triggered, based on when the activity occurs, a threshold, or unusual activity for your organization.](media/howalertsaretriggered.png)
99-
99+
100100
If you select the setting based on unusual activity, Microsoft establishes a baseline value that defines the normal frequency for the selected activity. It takes up to seven days to establish this baseline, during which alerts aren't generated. After the baseline is established, an alert is triggered when the frequency of the activity tracked by the alert policy greatly exceeds the baseline value. For auditing-related activities (such as file and folder activities), you can establish a baseline based on a single user or based on all users in your organization; for malware-related activities, you can establish a baseline based on a single malware family, a single recipient, or all messages in your organization.
101101

102102
> [!NOTE]
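Review bot: The change at line 99 replaces one empty-looking line with another, so it is whitespace-only and shows no visible difference in this view. Please confirm it is intentional (for example, stripping trailing spaces) and that a blank line still separates the image at line 98 from the paragraph at line 100, otherwise the paragraph on the unusual-activity baseline can render attached to the image. If it is an editor artifact, drop it so the diff contains only the title and heading rename.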
