Defender for Identity notifications in Microsoft 365 Defender

Applies to:

  • Microsoft 365 Defender
  • Defender for Identity

This article explains how to work with Microsoft Defender for Identity notifications in Microsoft 365 Defender.

Important

As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.

Health issues notifications

In Microsoft 365 Defender, you can add recipients for email notifications of health issues in Defender for Identity.

  1. In Microsoft 365 Defender, go to Settings and then Identities.

    The Identities option in the Name column

  2. Select Health issues notifications.

  3. Enter the recipient's email address. Select Add.

    The Health issues notifications submenu item

  4. When Defender for Identity detects a health issue, the recipients will receive an email notification with the details.

    The health issue email

    Note

    The email provides two links for further details about the issue. You can either go to the Defender for Identity (MDI) Health Center or to the new Health Center in Microsoft 365 Defender (M365D).

Alert notifications

In Microsoft 365 Defender, you can add recipients for email notifications of detected alerts.

  1. In Microsoft 365 Defender, go to Settings and then Identities.

    The Identities option

  2. Select Alert notifications.

  3. Enter the recipient's email address. Select Add.

    The Alert notifications submenu item

Syslog notifications

Defender for Identity can notify you when it detects suspicious activities by sending security and health alerts to your Syslog server through a nominated sensor.

Note

To learn how to integrate Defender for Identity with Microsoft Sentinel, see Microsoft 365 Defender integration with Microsoft Sentinel.

  1. In Microsoft 365 Defender, go to Settings and then Identities.

    The option of Identities in the Name column

  2. Select Syslog notifications.

  3. To enable Syslog notifications, set the Syslog service toggle to the on position.

    The Syslog service option that can be turned on

  4. Select Configure service. A pane will open where you can enter the details for the syslog service.

    The page on which you enter the Syslog service details

  5. Enter the following details:

    • Sensor - From the drop-down list, choose the sensor that will send the alerts.
    • Service endpoint and Port - Enter the IP address or fully qualified domain name (FQDN) for the syslog server and specify the port number. You can configure only one Syslog endpoint.
    • Transport - Select the Transport protocol (TCP or UDP).
    • Format - Select the format (RFC 3164 or RFC 5424).
  6. Select Send test SIEM notification and then verify the message is received in your Syslog infrastructure solution.

  7. Select Save.

  8. Once you've configured the Syslog service, you can choose which types of notifications (alerts or health issues) to send to your Syslog server.

    The Syslog service is configured option checked
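To verify that the test notification from step 6 actually arrives in the configured format, the following added example (not part of this article or of Defender for Identity) receives one UDP datagram on the port you entered in the pane and parses it as either RFC 3164 or RFC 5424, the two formats the Format drop-down offers. The sample messages, the host name `sensor01` and the tag `mdi-sensor` are constructed placeholders, not real Defender for Identity output.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 framing: <PRI>MMM dd HH:MM:SS host tag: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
# RFC 5424 framing: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$", re.S)

@dataclass
class SyslogEvent:
    fmt: str        # which of the two pane formats matched
    facility: int   # PRI // 8
    severity: int   # PRI % 8 (0 = emergency ... 7 = debug)
    host: str
    msg: str

def parse(raw: str):
    """Return a SyslogEvent for an RFC 5424 or RFC 3164 line, or None if neither matches."""
    line = raw.rstrip("\r\n")
    for fmt, pattern in (("RFC 5424", RFC5424), ("RFC 3164", RFC3164)):
        m = pattern.match(line)
        if m:
            pri = int(m.group("pri"))
            return SyslogEvent(fmt, pri >> 3, pri & 7, m.group("host"), m.group("msg"))
    return None

def receive_one_udp(port: int, timeout: float = 120.0):
    """Wait for a single UDP datagram (the Transport option set to UDP) and parse it.
    Returns (source_ip, SyslogEvent or None); raises socket.timeout if nothing arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        data, (src, _) = sock.recvfrom(65535)
    return src, parse(data.decode("utf-8", errors="replace"))

# Constructed sample messages standing in for the test SIEM notification.
SAMPLE_5424 = ('<14>1 2024-01-15T10:20:30Z sensor01 mdi-sensor - TestAlert '
               '[test@0 sensor="sensor01"] Test SIEM notification')
SAMPLE_3164 = '<14>Jan 15 10:20:30 sensor01 mdi-sensor: Test SIEM notification'

if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        print(parse(sample))
```

Run `receive_one_udp(514)` on the Syslog host before selecting Send test SIEM notification; a `None` event means the datagram arrived but did not match the format selected in the pane.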

See also