Timely notification of security alerts is critical for effective incident response. Microsoft Defender for Endpoint provides flexible notification options including email alerts, SIEM integration, and Microsoft Teams notifications. This guide covers configuring all notification methods to ensure your security team never misses a critical alert.
Prerequisites
Before configuring notifications, ensure you have:
- Microsoft Defender portal access with Security Administrator role
- Email addresses for notification recipients
- Device groups configured (for targeted notifications)
- SIEM access (if configuring SIEM integration)
- Microsoft Teams (optional, for Teams notifications)
Step 1: Access Notification Settings
- Sign in to the Microsoft Defender portal
- Navigate to Settings > Endpoints > Email notifications
- You'll see existing notification rules and options to create new ones
Step 2: Configure Email Notification Rules
Create a New Notification Rule
- Click Add notification rule
- Configure the General settings:
  - Rule name: Descriptive name (e.g., "Critical Alerts - SOC Team")
  - Include organization name: Check to add your org name to the email subject
  - Include device information: Check to include device details in alerts
- Configure Notification settings:
  - Email recipients: Add email addresses (separated by semicolons)
  - Alert severity: Select which severities trigger notifications
- Configure Device group scope:
  - All devices: Receive alerts from all onboarded devices
  - Selected device groups: Choose specific groups
- Click Save
Recommended Notification Rules
Create separate rules for different scenarios:
| Rule Name | Severity | Recipients | Device Groups |
|---|---|---|---|
| Critical Alerts - SOC | High | [email protected] | All devices |
| Server Alerts | High, Medium | [email protected] | Servers |
| Executive Devices | High, Medium, Low | [email protected] | Executive Laptops |
| All Alerts - Archive | All | [email protected] | All devices |
Configure Rule Priority
If a device belongs to multiple groups, notifications follow the first matching rule. Organize rules from most specific to most general:
- VIP/Executive devices (highest priority)
- Critical infrastructure servers
- Specific department devices
- General workstation alerts (lowest priority)
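Added example (not code from the page or from Microsoft): a small Python model of the first-match ordering described above, using the rules from the table in Step 2 with constructed recipient addresses. It shows why order matters: with the general "All devices" archive rule placed first, an executive-device alert never reaches the executive rule.

```python
# Added example: first-match routing of an alert against ordered notification rules.
# Rule definitions mirror the "Recommended Notification Rules" table; addresses are constructed.
from dataclasses import dataclass
from typing import Optional

SEVERITIES = ("Informational", "Low", "Medium", "High")


@dataclass
class Rule:
    name: str
    severities: set                       # e.g. {"High"}; set(SEVERITIES) means "All"
    recipients: list
    device_groups: Optional[set] = None   # None means "All devices"

    def matches(self, severity: str, device_group: str) -> bool:
        in_scope = self.device_groups is None or device_group in self.device_groups
        return in_scope and severity in self.severities


def route(alert: dict, rules: list) -> tuple:
    """Return (rule name, recipients) for the FIRST rule matching the alert, or (None, [])."""
    for rule in rules:
        if rule.matches(alert["severity"], alert["deviceGroup"]):
            return rule.name, rule.recipients
    return None, []


# Most specific first, as the guide recommends.
SPECIFIC_FIRST = [
    Rule("Executive Devices", {"High", "Medium", "Low"}, ["exec-sec@example.com"], {"Executive Laptops"}),
    Rule("Server Alerts", {"High", "Medium"}, ["server-team@example.com"], {"Servers"}),
    Rule("Critical Alerts - SOC", {"High"}, ["soc@example.com"]),
    Rule("All Alerts - Archive", set(SEVERITIES), ["archive@example.com"]),
]
# The same rules in the wrong order: the catch-all archive rule is evaluated first.
GENERAL_FIRST = list(reversed(SPECIFIC_FIRST))

if __name__ == "__main__":
    alert = {"severity": "High", "deviceGroup": "Executive Laptops"}   # constructed alert
    print(route(alert, SPECIFIC_FIRST))  # ('Executive Devices', ['exec-sec@example.com'])
    print(route(alert, GENERAL_FIRST))   # ('All Alerts - Archive', ['archive@example.com'])
```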
Step 3: Configure SIEM Integration
Enable SIEM API Access
- In the Defender portal, go to Settings > Endpoints > APIs > SIEM
- Click Enable SIEM connector
- Note your Application URI and Client ID
- Generate a new Client Secret and save it securely
Supported SIEM Platforms
| SIEM | Integration Method | Documentation |
|---|---|---|
| Microsoft Sentinel | Native connector | Built-in data connector |
| Splunk | Splunk Add-on | Microsoft Defender Add-on for Splunk |
| IBM QRadar | DSM | Microsoft Defender for Endpoint DSM |
| ArcSight | SmartConnector | Micro Focus connector |
| Generic | REST API | Pull alerts via API |
Configure Microsoft Sentinel Integration
- In Azure Portal, open your Sentinel workspace
- Go to Data connectors
- Search for Microsoft Defender for Endpoint
- Click Open connector page
- Click Connect to enable the connector
- Alerts will flow automatically within minutes
Configure API-Based SIEM Integration
For SIEMs using the REST API:
API Endpoint:
```
https://api.securitycenter.microsoft.com/api/alerts
```
Authentication:
```shell
# Get an access token with the client credentials flow; the token is returned
# in the access_token field of the JSON response
curl -X POST "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token" \
  -d "client_id={client_id}" \
  -d "client_secret={client_secret}" \
  -d "scope=https://api.securitycenter.microsoft.com/.default" \
  -d "grant_type=client_credentials"
```
Fetch Alerts:
```shell
# Pull alerts with the bearer token obtained above
curl -X GET "https://api.securitycenter.microsoft.com/api/alerts" \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/json"
```
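Added example, not the page's or Microsoft's code: an incremental poller for a generic SIEM that pulls only alerts created after a stored high-water mark, follows the API's paging link, and flattens each alert for correlation. The transport is injectable so the logic runs offline; the tenant, client and token values are assumed placeholders.

```python
# Added example: incremental alert pull for a REST-API SIEM integration.
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts"


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST, the same exchange as the curl command above."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": "https://api.securitycenter.microsoft.com/.default",
                      "grant_type": "client_credentials"}).encode()
    return Request(TOKEN_URL.format(tenant_id=tenant_id), data=body, method="POST")


def alerts_request(token, since_iso, top=100):
    """GET only alerts created after `since_iso`, via the API's OData $filter and $top."""
    query = urlencode({"$filter": f"alertCreationTime gt {since_iso}", "$top": top})
    return Request(f"{ALERTS_URL}?{query}", headers={"Authorization": f"Bearer {token}"})


def _ts_key(ts):
    """Pad fractional seconds so 'Z'-suffixed UTC timestamps compare correctly as strings."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return base + "." + frac.ljust(7, "0")


def fetch_json(req):
    """Live transport; poll_alerts accepts any callable with this shape."""
    with urlopen(req) as resp:
        return json.load(resp)


def to_siem_event(alert):
    """Flatten the fields a correlation rule usually keys on (names as the alerts API returns them)."""
    return {"id": alert["id"], "incident": alert.get("incidentId"), "severity": alert["severity"],
            "title": alert["title"], "category": alert.get("category"),
            "device": alert.get("computerDnsName") or alert.get("machineId"),
            "created": alert["alertCreationTime"]}


def poll_alerts(token, since_iso, fetch=fetch_json):
    """Drain every page after the high-water mark; return (events, new high-water mark)."""
    events, mark, req = [], since_iso, alerts_request(token, since_iso)
    while req is not None:
        page = fetch(req)
        for alert in page.get("value", []):
            events.append(to_siem_event(alert))
            mark = max(mark, alert["alertCreationTime"], key=_ts_key)
        nxt = page.get("@odata.nextLink")  # present when more pages remain
        req = Request(nxt, headers={"Authorization": f"Bearer {token}"}) if nxt else None
    return events, mark
```

Persist the returned mark between polling runs (the 5-15 minute interval discussed later) so each run fetches only new alerts.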
Configure Event Hub Streaming
For real-time streaming to SIEM:
- Go to Settings > Endpoints > APIs > Streaming API
- Click Add to create a streaming rule
- Configure:
  - Name: Descriptive name
  - Event Hub namespace: Select or create
  - Event Hub name: Create dedicated hub
  - Event types: Select alerts, advanced hunting events, etc.
- Click Submit
Step 4: Configure Microsoft Teams Notifications
Using Power Automate (Recommended)
- Go to Power Automate
- Create a new Automated cloud flow
- Search for the Microsoft Defender for Endpoint connector
- Select trigger: When an alert is created
- Add action: Post message in a chat or channel (Microsoft Teams)
- Configure the Teams message:
  - Team: Select your security team
  - Channel: Select alerts channel
  - Message: Use dynamic content to include alert details
Sample Flow Configuration:
```text
Trigger: When an alert is created
        ↓
Condition: Alert severity equals "High" or "Medium"
        ↓
Action: Post to Teams
  - Channel: #security-alerts
  - Message:
    🚨 **Defender Alert**
    **Title:** @{triggerOutputs()?['body/Title']}
    **Severity:** @{triggerOutputs()?['body/Severity']}
    **Device:** @{triggerOutputs()?['body/MachineId']}
    **Description:** @{triggerOutputs()?['body/Description']}
    [View Alert](@{triggerOutputs()?['body/AlertLink']})
```
Using Logic Apps
For more complex workflows:
- Create a new Logic App in Azure Portal
- Use the Microsoft Defender for Endpoint connector
- Build custom notification logic with conditions, approvals, etc.
- Route to Teams, email, ticketing systems, or custom webhooks
Step 5: Configure Alert Suppression Rules
Reduce noise by suppressing known benign alerts:
- Go to Settings > Endpoints > Alert suppression
- Click Add suppression rule
- Configure:
  - Rule name: Descriptive name (e.g., "Suppress IT Admin Tool Alerts")
  - Alert title: Match specific alert titles
  - IOC indicators: Match specific file hashes, IPs, etc.
  - Device groups: Limit suppression scope
  - Expiration: Set an end date for the rule
- Click Save
Warning: Use suppression rules carefully. Over-suppressing can mask real threats. Review suppressed alerts regularly.
Step 6: Test Notification Configuration
Generate a Test Alert
Run the detection test to verify notifications:
Windows:
```powershell
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference='silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'
```
Verify Notification Receipt
- Check email inbox within 15-20 minutes
- Check Teams channel if configured
- Verify SIEM received the alert
- Review alert in Defender portal to correlate
Troubleshoot Missing Notifications
If notifications aren't received:
- Check notification rule scope: Ensure device is in targeted group
- Verify email addresses: Check for typos
- Check spam folders: Defender emails may be filtered
- Review rule priority: Higher priority rules may be catching alerts
- Check suppression rules: Alert may be suppressed
- Verify SIEM connectivity: Check API credentials and network access
Best Practices
Notification Strategy
- Tiered approach: Route critical alerts to on-call staff, others to queues
- Avoid alert fatigue: Don't send all alerts via email; use dashboards for low-severity
- Include context: Configure notifications to include device details and alert descriptions
- Deduplicate: Use SIEM correlation to group related alerts
Email Notification Tips
- Use distribution lists rather than individual emails for easier management
- Create a dedicated security mailbox for alert archiving
- Consider on-call rotation integration for after-hours alerts
SIEM Integration Tips
- Configure appropriate polling intervals (5-15 minutes typical)
- Set up correlation rules to group related alerts
- Create dashboards for alert trends and metrics
- Implement automated playbooks for common alert types
Notification Rule Examples
Rule 1: Critical Infrastructure
Name: Critical Infrastructure - Immediate
Severity: High
Device Groups: Domain Controllers, Database Servers, Payment Systems
Recipients: [email protected], [email protected]
Include: Organization name, Device details
Rule 2: Endpoint Alerts
Name: Workstation Alerts - Standard
Severity: High, Medium
Device Groups: All Workstations
Recipients: [email protected]
Include: Organization name, Device details
Rule 3: Compliance Monitoring
Name: PCI Scope Devices
Severity: All
Device Groups: PCI-DSS Scope
Recipients: [email protected], [email protected]
Include: Organization name, Device details
Next Steps
After configuring notifications:
- Investigate security incidents effectively
- Run remote scans on devices
- Configure automated investigation and remediation for faster response
- Set up custom detection rules for organization-specific threats
Need help optimizing your security operations? Inventive HQ provides managed detection and response services built on Microsoft Defender for Endpoint. Contact us to improve your security posture.