Email notification when a automation investigation has started

Question

Hi all,

Is it possible for me as an admin to receive email notification if an automation investigation has taken place on a device / user?

Answer 1

Hi Aran Billen,

Thank you for reaching out to us on the Microsoft Q&A forum.

In addition to Carlos Solís Salazar,

it's possible to set up email notifications for automation investigations on devices or users, depending on the software or tools you're using for automation and investigation.

As an administrator, you have the ability to configure email notifications for tracking automation investigations within Microsoft Defender XDR. Here's a guide on how to do it:

1. Setting Up Email Notifications for Actions in Microsoft Defender XDR:
   • Microsoft Defender XDR now offers support for email notifications for both automated and manual actions. These notifications enhance alignment among stakeholders and provide real-time insight into remedial actions.
   • You can opt to receive email notifications for the following scenarios:
   • Automated Attack Intervention:
     • In the event of an automated action triggered by an ongoing attack you can establish a rule to inform relevant teams (IT, SOC, and helpdesk) via email.
     • This swift awareness enables teams to promptly investigate and address issues, ensuring affected users are swiftly back online.
   • Sensitive Actions on Critical Assets:
     • For critical assets like domain controllers (DCs), you have the option to create a rule that notifies you whenever a 'live response' session is either successfully established or fails.
     • This feature assists the SOC team in staying abreast of significant actions concerning vital assets.
2. Configuring Custom Automated Email Alerts in Other Systems:
   • In addition to Microsoft Defender XDR, various other systems offer the capability to configure customized automated email alerts. For instance, in Inductive Automation, you can configure alerts for specified alarms, thereby enhancing response times to system events.
   • Similarly, CrowdStrike's Workflows empower analysts with prioritized detection insights through multiple communication channels, reducing remediation timelines and optimizing workflows.

Please don't hesitate to reach out to us if you have any further queries.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thank you.

Answer 2

Hello,

You can Create an alert policy (https://learn.microsoft.com/en-us/purview/compliance-manager-alert-policies#create-an-alert-policy) Microsoft Purview

According to the documentation, here’s how you can do it:

1. Create an Alert Policy: In Microsoft Purview Compliance Manager, you can set up an alert policy to outline the conditions that trigger an alert and the frequency of notifications.
2. Email Notifications: When a policy match is detected, an email notification is sent to the user who created the policy. You can choose to send these email notifications to additional users in your organization. Alerts occur in near real-time, and the email notifications are sent out as soon as an alert is generated.
3. Alert Investigation: You can use the alert investigation flow and the tools provided by Microsoft Purview to investigate DLP alerts.
4. Workflow Requests and Approvals: Purview approvals and task connectors have in-built email capabilities. Every time an approval/task action is triggered in workflow; it sends an email to all the users who need to act on it.

Hope this helps!

Remember to accept the answer if it is helpful.