Configure vulnerability email notifications in Microsoft Defender for Endpoint
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Microsoft Defender Vulnerability Management.
If you're using Defender for Business, you can set up vulnerability notifications for specific users only (not roles or groups).
Note
- Only users with Manage security settings permissions can configure email notifications. If you've chosen to use basic permissions management, users with an appropriate role, such as Security Administrator, can configure email notifications. Learn more about permission options.
- Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they're added.
If you're using role-based access control (RBAC), recipients only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to an administrator role, such as Security Administrator, can manage notification rules that are configured for all device groups.
The email notification includes basic information about the vulnerability event. There are also links to filtered views in the Defender Vulnerability Management Security recommendations and Weaknesses pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Create rules for alert notifications
Create a notification rule to send an email when certain exploit or vulnerability events occur, such as a new public exploit. For each rule, multiple event types can be selected.
1. Sign in to the Microsoft Defender portal using an account with the Security Administrator role assigned.
2. In the navigation pane, go to Settings > Endpoints > General > Email notifications > Vulnerabilities.
3. Select Add notification rule.
4. Name the email notification rule and include a description.
5. Check Activate notification rule, then select Next.
6. Fill in the notification settings, then select Next:
   - If you're using Defender for Endpoint, choose the device groups to get notifications for. (If you're using Defender for Business, device groups don't apply.)
   - Choose the vulnerability event(s) that you want to be notified about when they affect your organization:
     - New vulnerability found (including severity threshold)
       Note
       This includes newly detected zero-day vulnerabilities and patches released for existing zero-day vulnerabilities. For more information, see patching zero-day vulnerabilities.
     - Exploit was verified
     - New public exploit
     - Exploit added to an exploit kit
   - Select Include organization name if you want the organization name in the email.
   - Enter the recipient email address, then select Add. You can add multiple email addresses.
7. Review the settings for the new email notification rule and select Create rule when you're ready to create it.
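The rule wizard above and the device-group scoping described earlier in this article leave one question open when you plan several rules: which recipients actually get mail for a given event, and which device groups have no active rule for an event type at all. The following PowerShell is an added example, not Microsoft code and not an API of the Defender portal. It models a planned rule set with the same fields the wizard collects and checks it for coverage gaps before you create the rules. The device-group and recipient names are constructed, and it assumes that a severity threshold means "notify when the new vulnerability's severity is at or above this level", which this article does not state.

```powershell
# Added example (not Microsoft code): model planned vulnerability notification rules
# and check which (device group, event type) combinations have no active rule.
# Assumption: SeverityThreshold means "severity at or above this level".

$severityRank = @{ 'Low' = 1; 'Medium' = 2; 'High' = 3; 'Critical' = 4 }
$eventTypes   = @('NewVulnerabilityFound', 'ExploitVerified', 'NewPublicExploit', 'ExploitAddedToExploitKit')

# Constructed sample data: device groups and rules an admin might plan (hypothetical names).
$deviceGroups = @('Servers', 'Workstations', 'Lab')

$rules = @(
    @{ Name = 'Critical vulns - all groups'; Active = $true
       DeviceGroups = @('Servers', 'Workstations', 'Lab')
       Events = @('NewVulnerabilityFound'); SeverityThreshold = 'Critical'
       Recipients = @('vuln-mgmt@example.com') },
    @{ Name = 'Exploit activity - servers'; Active = $true
       DeviceGroups = @('Servers')
       Events = @('ExploitVerified', 'NewPublicExploit', 'ExploitAddedToExploitKit')
       Recipients = @('soc@example.com', 'server-owners@example.com') },
    @{ Name = 'Lab exploits (disabled)'; Active = $false
       DeviceGroups = @('Lab')
       Events = @('NewPublicExploit')
       Recipients = @('lab@example.com') }
)

function Test-RuleMatch {
    param([hashtable]$Rule, [string]$EventType, [string[]]$AffectedGroups, [string]$Severity)
    if (-not $Rule.Active) { return $false }
    if ($Rule.Events -notcontains $EventType) { return $false }
    # Scoping from this article: a rule only fires for the device groups it was configured for.
    $inScope = @($AffectedGroups | Where-Object { $Rule.DeviceGroups -contains $_ })
    if ($inScope.Count -eq 0) { return $false }
    if ($EventType -eq 'NewVulnerabilityFound' -and $Rule.SeverityThreshold) {
        if ($severityRank[$Severity] -lt $severityRank[$Rule.SeverityThreshold]) { return $false }
    }
    return $true
}

# Which recipients would be mailed for one event? (Recipients are de-duplicated across rules.)
function Get-NotifiedRecipients {
    param([string]$EventType, [string[]]$AffectedGroups, [string]$Severity = 'High')
    $rules |
        Where-Object { Test-RuleMatch -Rule $_ -EventType $EventType -AffectedGroups $AffectedGroups -Severity $Severity } |
        ForEach-Object { $_.Recipients } |
        Sort-Object -Unique
}

# Which (device group, event type) pairs have no active rule? Inactive rules do not count.
function Get-CoverageGaps {
    foreach ($g in $deviceGroups) {
        foreach ($e in $eventTypes) {
            $covered = @($rules | Where-Object { $_.Active -and ($_.DeviceGroups -contains $g) -and ($_.Events -contains $e) })
            if ($covered.Count -eq 0) { [pscustomobject]@{ DeviceGroup = $g; EventType = $e } }
        }
    }
}

# Constructed events: a High vulnerability on workstations falls below the Critical threshold,
# and an exploit affecting Servers and Lab only reaches the active server rule.
Get-NotifiedRecipients -EventType 'NewVulnerabilityFound' -AffectedGroups @('Workstations') -Severity 'High'
Get-NotifiedRecipients -EventType 'NewPublicExploit' -AffectedGroups @('Servers', 'Lab')
Get-CoverageGaps | Format-Table -AutoSize
```

Running this before creating the rules shows that the Workstations and Lab groups have no active rule for any exploit event, so a new public exploit against a lab device would notify nobody. Adjusting the planned rules until Get-CoverageGaps returns nothing (or only pairs you accept) is cheaper than discovering the gap from a missed notification.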
Edit a notification rule
1. Select the notification rule you'd like to edit.
2. Select the Edit rule button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule.
Delete a notification rule
1. Select the notification rule you'd like to delete.
2. Select the Delete button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule.
Troubleshoot email notifications for alerts
This section lists issues that you may encounter when using email notifications for alerts.
Problem: Intended recipients report they aren't getting the notifications.
Solution: Make sure that the notifications aren't blocked by email filters:
- Check that the Defender for Endpoint email notifications aren't sent to the Junk Email folder. Mark them as Not junk.
- Check that your email security product isn't blocking the email notifications from Defender for Endpoint.
- Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.
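For a Microsoft 365 mailbox, the three checks above can be run from Exchange Online PowerShell instead of asking the recipient to look through their folders. The following is an added example, not part of this article or a Microsoft script. It assumes the Exchange Online PowerShell module is installed and that you have an Exchange administrator role; the recipient address is a constructed sample, and the notification sender address is a placeholder to fill in from the From header of a notification that did arrive, since this article does not state it.

```powershell
# Added example (not Microsoft code): locate a missing Defender for Endpoint notification.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

$Recipient          = 'analyst@example.com'                      # constructed sample
$NotificationSender = 'PLACEHOLDER-sender@example.com'           # fill from a delivered notification's From header

# 1. Did the message reach the tenant, and what did the mail filter do with it?
#    A Status of FilteredAsSpam or Quarantined points at the email security product.
$traceParams = @{
    RecipientAddress = $Recipient
    SenderAddress    = $NotificationSender
    StartDate        = (Get-Date).AddDays(-7)
    EndDate          = (Get-Date)
}
Get-MessageTrace @traceParams | Select-Object Received, Subject, Status | Format-Table -AutoSize

# 2. Anything held in quarantine for this recipient?
Get-QuarantineMessage -RecipientAddress $Recipient |
    Where-Object { $_.SenderAddress -eq $NotificationSender } |
    Select-Object ReceivedTime, Subject, Type

# 3. Is the sender on the mailbox's own blocked list (Junk Email settings)?
$junk = Get-MailboxJunkEmailConfiguration -Identity $Recipient
$junk.BlockedSendersAndDomains | Where-Object { $NotificationSender -like "*$_*" }

# 4. Is an enabled inbox rule moving or deleting the notifications?
Get-InboxRule -Mailbox $Recipient |
    Where-Object { $_.Enabled -and ($_.MoveToFolder -or $_.DeleteMessage) } |
    Select-Object Name, From, FromAddressContainsWords, SubjectContainsWords, MoveToFolder, DeleteMessage

# Remediation for check 3, once you have confirmed the sender address is legitimate:
# Set-MailboxJunkEmailConfiguration -Identity $Recipient -TrustedSendersAndDomains @{ Add = $NotificationSender }
```

Work through the checks in order: if the message trace shows no entry at all, the problem is upstream of the mailbox (the rule's recipient list or device-group scope), and the junk and inbox-rule checks will not explain it.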