Configure vulnerability email notifications in Microsoft Defender for Endpoint

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Microsoft Defender Vulnerability Management.

If you're using Defender for Business, you can set up vulnerability notifications for specific users (not roles or groups).

Note

  • Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. Learn more about permission options
  • Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added.

If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.

The email notification includes basic information about the vulnerability event. There are also links to filtered views in the Defender Vulnerability Management Security recommendations and Weaknesses pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability.

Create rules for alert notifications

Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected.

  1. Go to Microsoft 365 Defender and sign in using an account with the Security administrator or Global administrator role assigned.

  2. In the navigation pane, go to Settings > Endpoints > Email notifications > Vulnerabilities.

  3. Select Add notification rule.

  4. Name the email notification rule and include a description.

  5. Check Activate notification rule. Select Next

  6. Fill in the notification settings. Then select Next

    • If you're using Defender for Endpoint, choose device groups to get notifications for. (If you're using Defender for Business, device groups do not apply.)

    • Choose the vulnerability event(s) that you want to be notified about when they affect your organization:

      • New vulnerability found (including severity threshold)

        Note

        This includes newly detected zero-day vulnerabilities and patches released for existing zero-day vulnerabilities. For more information, see patching zero-day vulnerabilities.

      • Exploit was verified

      • New public exploit

      • Exploit added to an exploit kit

    • Include organization name if you want the organization name in the email.

  7. Enter the recipient email address then select Add. You can add multiple email addresses.

  8. Review the settings for the new email notification rule and select Create rule when you're ready to create it.

Edit a notification rule

  1. Select the notification rule you'd like to edit.

  2. Select the Edit rule button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule.

Delete notification rule

  1. Select the notification rule you'd like to delete.

  2. Select the Delete button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule.

Troubleshoot email notifications for alerts

This section lists various issues that you may encounter when using email notifications for alerts.

Problem: Intended recipients report they are not getting the notifications.

Solution: Make sure that the notifications are not blocked by email filters:

  1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.
  2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.
  3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications.