Configure alert notifications in Microsoft Defender for Endpoint


You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.

Note

Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.

You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts triggered after they're added. For more information about alerts, see View and organize the Alerts queue.

If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.

The email notification includes basic information about the alert and a link to the portal where you can do further investigation.

Create rules for alert notifications

You can create rules that determine which devices and alert severities trigger email notifications, and who receives those notifications.

  1. In the navigation pane, select Settings > Email notifications.

  2. Click Add item.

  3. Specify the General information:

    • Rule name - Specify a name for the notification rule.

    • Include organization name - Specify the customer name that appears on the email notification.

    • Include tenant-specific portal link - Adds a link with the tenant ID to allow access to a specific tenant.

    • Include device information - Includes the device name in the email alert body.

      Note

      This information might be processed by recipient mail servers that are not in the geographic location you have selected for your Defender for Endpoint data.

    • Devices - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see Create and manage device groups.

    • Alert severity - Choose the alert severity level.

  4. Click Next.

  5. Enter the recipient's email address, then click Add recipient. You can add multiple email addresses.

  6. Check that email recipients can receive the email notifications by selecting Send test email.

  7. Click Save notification rule.

Edit a notification rule

  1. Select the notification rule you'd like to edit.

  2. Update the General and Recipient tab information.

  3. Click Save notification rule.

Delete notification rule

  1. Select the notification rule you'd like to delete.

  2. Click Delete.

Troubleshoot email notifications for alerts

This section lists various issues that you may encounter when using email notifications for alerts.

Problem: Intended recipients report they're not getting the notifications.

Solution: Make sure that the notifications aren't blocked by email filters:

  1. Check that the Defender for Endpoint email notifications aren't sent to the Junk Email folder. Mark them as Not junk.
  2. Check that your email security product isn't blocking the email notifications from Defender for Endpoint.
  3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.