Email notification when an automation investigation has started

Aran Billen 701 Reputation points
2024-05-14T14:02:04.4566667+00:00

Hi all,

Is it possible for me as an admin to receive an email notification if an automation investigation has taken place on a device / user?


Accepted answer
  1. kguntaka 1,015 Reputation points Microsoft Vendor
    2024-05-15T03:36:55.7533333+00:00

    Hi Aran Billen,

    Thank you for reaching out to us on the Microsoft Q&A forum.

    In addition to Carlos Solís Salazar's answer, it's possible to set up email notifications for automation investigations on devices or users, depending on the software or tools you're using for automation and investigation.

    As an administrator, you have the ability to configure email notifications for tracking automation investigations within Microsoft Defender XDR. Here's a guide on how to do it:

    1. Setting Up Email Notifications for Actions in Microsoft Defender XDR:
      • Microsoft Defender XDR now offers support for email notifications for both automated and manual actions. These notifications enhance alignment among stakeholders and provide real-time insight into remedial actions.
      • You can opt to receive email notifications for the following scenarios:
      • Automated Attack Intervention:
        • In the event of an automated action triggered by an ongoing attack, you can establish a rule to inform relevant teams (IT, SOC, and helpdesk) via email.
        • This swift awareness enables teams to promptly investigate and address issues, ensuring affected users are swiftly back online.
      • Sensitive Actions on Critical Assets:
        • For critical assets like domain controllers (DCs), you have the option to create a rule that notifies you whenever a 'live response' session is either successfully established or fails.
        • This feature assists the SOC team in staying abreast of significant actions concerning vital assets.
    2. Configuring Custom Automated Email Alerts in Other Systems:
      • In addition to Microsoft Defender XDR, various other systems offer the capability to configure customized automated email alerts. For instance, in Inductive Automation, you can configure alerts for specified alarms, thereby enhancing response times to system events.
      • Similarly, CrowdStrike's Workflows empower analysts with prioritized detection insights through multiple communication channels, reducing remediation timelines and optimizing workflows.

    Please don't hesitate to reach out to us if you have any further queries.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    Thank you.
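The portal rule described in the accepted answer is the supported route. As an added example (not code from the thread or from Microsoft), the script below shows a custom alternative: poll the Defender for Endpoint List Investigations API for investigations started after a watermark and e-mail one summary per poll. It assumes the endpoint `GET https://api.securitycenter.microsoft.com/api/investigations` with an OData `$filter` on `startTime`, and the record fields `id`, `startTime`, `state`, `machineId`, `computerDnsName` and `triggeringAlertId`; the sample records and addresses are constructed.

```python
import json, re, smtplib, urllib.request
from datetime import datetime
from email.message import EmailMessage
from typing import Optional

# Assumed endpoint of the Defender for Endpoint List Investigations API.
INVESTIGATIONS_URL = "https://api.securitycenter.microsoft.com/api/investigations"

def parse_time(ts: str) -> datetime:
    """Parse API timestamps such as 2024-05-14T14:02:04.4566667Z; the 7-digit
    fraction is dropped because a watermark only needs second precision."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", ts).replace("Z", "+00:00"))

def fetch_investigations(token: str, since: datetime) -> list:
    """Network call (not exercised offline): investigations started after `since`."""
    url = f"{INVESTIGATIONS_URL}?$filter=startTime gt {since.isoformat()}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]

def select_new(records: list, watermark: datetime, seen: set) -> list:
    """Investigations started after the watermark and not yet notified, oldest
    first. `seen` is updated in place so a re-poll never re-sends an id."""
    fresh = [r for r in records
             if r["id"] not in seen and parse_time(r["startTime"]) > watermark]
    seen.update(r["id"] for r in fresh)
    return sorted(fresh, key=lambda r: parse_time(r["startTime"]))

def build_email(fresh: list, sender: str, recipients: list) -> Optional[EmailMessage]:
    """One digest message for all new investigations; None when there is nothing to send."""
    if not fresh:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, ", ".join(recipients)
    msg["Subject"] = f"[Defender] {len(fresh)} automated investigation(s) started"
    lines = [f"- {r['startTime']} {r['computerDnsName']} (machine {r['machineId']}, "
             f"investigation {r['id']}, state {r['state']}, alert {r['triggeringAlertId']})"
             for r in fresh]
    msg.set_content("New automated investigations:\n" + "\n".join(lines))
    return msg

# Constructed sample records shaped like API output (values are placeholders).
SAMPLE_RECORDS = [
    {"id": "inv-1", "startTime": "2024-05-14T11:30:00Z", "state": "SuccessfullyRemediated",
     "machineId": "m-aaa", "computerDnsName": "ws-sales-02", "triggeringAlertId": "da-1"},
    {"id": "inv-3", "startTime": "2024-05-14T14:02:04.4566667Z", "state": "Running",
     "machineId": "m-ccc", "computerDnsName": "ws-finance-07", "triggeringAlertId": "da-3"},
    {"id": "inv-2", "startTime": "2024-05-14T13:15:00Z", "state": "Running",
     "machineId": "m-bbb", "computerDnsName": "srv-dc-01", "triggeringAlertId": "da-2"},
]

if __name__ == "__main__":
    msg = build_email(select_new(SAMPLE_RECORDS, parse_time("2024-05-14T12:00:00Z"), set()),
                      "soc@example.test", ["it@example.test"])
    print(msg)  # replace with smtplib.SMTP(host).send_message(msg) to deliver
```

In production, persist the watermark (the latest `startTime` notified) between runs so a restart does not re-send old investigations.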


1 additional answer

  1. Carlos Solís Salazar 17,021 Reputation points MVP
    2024-05-14T18:29:12.57+00:00

    Hello,

    You can create an alert policy (https://learn.microsoft.com/en-us/purview/compliance-manager-alert-policies#create-an-alert-policy) in Microsoft Purview.

    According to the documentation, here’s how you can do it:

    1. Create an Alert Policy: In Microsoft Purview Compliance Manager, you can set up an alert policy to outline the conditions that trigger an alert and the frequency of notifications.
    2. Email Notifications: When a policy match is detected, an email notification is sent to the user who created the policy. You can choose to send these email notifications to additional users in your organization. Alerts occur in near real-time, and the email notifications are sent out as soon as an alert is generated.
    3. Alert Investigation: You can use the alert investigation flow and the tools provided by Microsoft Purview to investigate DLP alerts.
    4. Workflow Requests and Approvals: Purview approvals and task connectors have in-built email capabilities. Every time an approval/task action is triggered in a workflow, it sends an email to all the users who need to act on it.

    Hope this helps!

    Remember to accept the answer if it is helpful.
