| title | description | ms.service | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | search.appverid | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Get email notifications for response actions in Microsoft Defender XDR | Set up email notifications to get notified of manual and automated response actions in Microsoft Defender XDR. | defender-xdr | | diannegali | diannegali | medium | deniseb | ITPro | | conceptual | | 07/08/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
[!INCLUDE Prerelease]
You can set up Microsoft Defender XDR to notify you through email about manual or automated response actions.
Manual response actions are actions that security teams can use to stop threats or aid in investigation of attacks. These actions vary depending on the Defender workload enabled in your environment.
Automated response actions, on the other hand, are capabilities in Microsoft Defender XDR that scale investigation and resolution to threats automatically. Automated remediation capabilities consist of automatic attack disruption and automated investigation and response.

> [!NOTE]
> You need the Manage security settings permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. Likewise, if your organization is using role-based access control (RBAC), you can only create, edit, delete, and receive notifications based on device groups that you are allowed to manage.

> [!NOTE]
> Microsoft recommends using roles with fewer permissions for better security. The Global Administrator role, which has many permissions, should only be used in emergencies when no other role fits.

> [!NOTE]
> The response action email notification currently does not support custom detections containing response actions.

To create a rule for email notifications, perform the following steps:
- In the navigation pane of Microsoft Defender XDR, select Settings > Microsoft Defender XDR. Under General, select Email notifications. Go to the Actions tab.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig1-response-notifications.png" alt-text="Actions tab in the Microsoft Defender XDR Settings page" lightbox="/defender/media/m35d-response-actions-notifications/fig1-response-notifications.png":::

- Select Add notification rule. Add a rule name and description under Basics. Both Name and Description fields accept letters, numbers, and spaces only.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig2-response-notifications.png" alt-text="Basics section of the add notification rule" lightbox="/defender/media/m35d-response-actions-notifications/fig2-response-notifications.png":::

- Proceed to the next section by selecting Next located at the bottom of the pane.
- You can choose what type of action, what status, and where the action will be sourced from in the Notification settings section.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig3-response-notifications.png" alt-text="Notifications settings section of the add notification rule" lightbox="/defender/media/m35d-response-actions-notifications/fig3-response-notifications.png":::

- Under Action source, select if you want to be notified for manual or automated response actions. You can select both options.
- Select the specific response actions in the checklist that appears under Action. You can choose multiple actions available in the checklist. Note that response actions will vary depending on the Defender workload enabled in your environment. All selected actions appear in the Action field upon completion.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig4-response-notifications.png" alt-text="Highlighting the Actions field in the Notification settings section of the add notification rule" lightbox="/defender/media/m35d-response-actions-notifications/fig4-response-notifications.png":::

- You can choose to be notified based on the device groups where the response actions are applied in the Device groups scope. To be notified of response actions taken in all current and future device groups, select All device groups. To be notified of response actions taken in devices that belong to your selected device group, choose Selected device groups.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig5-response-notifications.png" alt-text="Highlighting the Device groups scope in the Notification settings section of the add notification rule" lightbox="/defender/media/m35d-response-actions-notifications/fig5-response-notifications.png":::

- Select if you want to be notified if an action is completed or failed in the Action status field. You can select all options available.
- At the bottom of the pane, you can proceed to the next section by selecting Next. Alternatively, you can go back to the Basics section by selecting Back.
- In the Recipients section, you can add one or more email addresses that will receive notifications. Separate multiple addresses by adding a comma at the end of each address. Select Add to add the recipients. You can see the recipients at the bottom of the pane after successfully adding addresses.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig6-response-notifications.png" alt-text="Adding multiple addresses in the Recipients section of the add notification rule" lightbox="/defender/media/m35d-response-actions-notifications/fig6-response-notifications.png":::

- Test the notification by selecting Send test email. Select Next at the bottom of the pane to proceed to the review section.
- Check the rule's details in the Review rule section. You can edit the details by selecting Edit under each section's details.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig7-response-notifications.png" alt-text="Highlighting the Edit option while in the Review rule section" lightbox="/defender/media/m35d-response-actions-notifications/fig7-response-notifications.png":::

- Select Submit at the bottom of the pane to finish the rule creation. Recipients will start receiving notifications through email based on the settings. The new rule appears in the Notifications rule list under the Actions tab.
- To edit or delete a notification rule, select the rule from the list. Select Edit to change the rule's details. Select Delete to remove the rule.

  :::image type="content" source="/defender/media/m35d-response-actions-notifications/fig8-response-notifications.png" alt-text="Highlighting the Edit and Delete options while in the rule list view" lightbox="/defender/media/m35d-response-actions-notifications/fig8-response-notifications.png":::

Once you get the notification, you can go directly to the action and review or remediate the action.