Configure alert notifications in Microsoft Defender ATP
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the Applies To section and look for specific call outs in this article where there might be differences.
Want to experience Defender for Endpoint? Sign up for a free trial.
You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see View and organize the Alerts queue.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
Create rules for alert notifications
You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
In the navigation pane, select Settings > Alert notifications.
Click Add notification rule.
Specify the General information:
Rule name - Specify a name for the notification rule.
Include organization name - Specify the customer name that appears on the email notification.
Include tenant-specific portal link - Adds a link with the tenant ID to allow access to a specific tenant.
Include device information - Includes the device name in the email alert body.
This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Defender for Endpoint data.
Devices - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see Create and manage device groups.
Alert severity - Choose the alert severity level.
Enter the recipient's email address then click Add recipient. You can add multiple email addresses.
Check that email recipients are able to receive the email notifications by selecting Send test email.
Click Save notification rule.
Edit a notification rule
Select the notification rule you'd like to edit.
Update the General and Recipient tab information.
Click Save notification rule.
Delete notification rule
Select the notification rule you'd like to delete.
Troubleshoot email notifications for alerts
This section lists various issues that you may encounter when using email notifications for alerts.
Problem: Intended recipients report they are not getting the notifications.
Solution: Make sure that the notifications are not blocked by email filters:
- Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
- Check that your email security product is not blocking the email notifications from Defender for Endpoint.
- Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.