Configuring Alert Rules
This page covers advanced alert routing controls.
Watcher default: Email alerts are active for T-24, T-12, and T-4. Advanced routing controls are shown only when Defender routing is enabled.
Where to Configure
Open Settings and look for the Alert Routing and Quiet Hours sections (Defender only).
Per-Alert Routing (Defender)
Each alert type has separate routing controls:
- T-24: 24-hour early warning
- T-12: 12-hour escalation warning
- T-4: 4-hour critical warning
For each alert type, Defender routing can control:
- Email channel toggle
- Slack channel toggle
- Slack destination channel (workspace-level)
Quiet Hours (Defender)
Quiet hours are configured as hour ranges (0-23, for example 22 to 7).
- Configured for non-critical windows (T-24 and T-12)
- T-4 remains the critical path
- Quiet-hours controls are Defender routing features
Do not assume historical quiet-hours behavior from older docs. Use the current Settings behavior as the source of truth for your account.
Default Priorities
| Alert Type | Priority |
|---|---|
| T-24 | 1 |
| T-12 | 2 |
| T-4 | 3 (highest) |
Recommended Baseline
- Keep email active for all three alert stages.
- If using Defender Slack, route T-4 to a monitored channel.
- Review routing after any team or shift change.
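The following is an added example, not code from the product: it checks a settings snapshot against the Recommended Baseline above and shows how an overnight quiet-hours range such as 22 to 7 wraps past midnight. The snapshot layout, function names and channel names are hypothetical, and the inclusive-start, exclusive-end boundary and the T-4 exemption are assumptions to confirm against current Settings behavior.

```python
# Added illustration. The settings layout and all names here are hypothetical,
# not the product's schema or API.
ALERT_TYPES = ("T-24", "T-12", "T-4")
CRITICAL = {"T-4"}  # the page keeps T-4 as the critical path

def in_quiet_hours(hour, start, end):
    """True if hour lies in [start, end) on a 0-23 clock, wrapping past midnight.
    Assumption: start is inclusive, end is exclusive, start == end means no window."""
    if not all(isinstance(v, int) and 0 <= v <= 23 for v in (hour, start, end)):
        raise ValueError("hours must be integers in 0-23")
    if start == end:
        return False
    if start < end:                       # same-day window, e.g. 1 to 5
        return start <= hour < end
    return hour >= start or hour < end    # overnight window, e.g. 22 to 7

def is_held(alert_type, hour, quiet):
    """Assumption: quiet hours hold only the non-critical types (T-24, T-12)."""
    if alert_type in CRITICAL or quiet is None:
        return False
    return in_quiet_hours(hour, *quiet)

def audit_baseline(settings, monitored_channels):
    """List deviations from the Recommended Baseline in a settings snapshot."""
    findings = []
    alerts = settings.get("alerts", {})
    for alert in ALERT_TYPES:
        if not alerts.get(alert, {}).get("email", False):
            findings.append(f"{alert}: email channel is off")
    if alerts.get("T-4", {}).get("slack") and \
            settings.get("slack_channel") not in monitored_channels:
        findings.append("T-4: Slack destination is not a monitored channel")
    return findings

# Constructed sample snapshot (not exported from any real account).
SAMPLE = {
    "slack_channel": "#general",
    "quiet_hours": (22, 7),
    "alerts": {
        "T-24": {"email": True, "slack": False},
        "T-12": {"email": False, "slack": True},
        "T-4": {"email": True, "slack": True},
    },
}

if __name__ == "__main__":
    for finding in audit_baseline(SAMPLE, {"#soc-oncall"}):
        print(finding)
    print("T-12 held at 23:00:", is_held("T-12", 23, SAMPLE["quiet_hours"]))
```

Running the audit after a team or shift change gives a quick list of stages that have lost email coverage or whose T-4 Slack destination is no longer watched.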