Forum Discussion
Notification for pending actions
I'm having an issue where Defender isn't notifying me on pending actions like deleting an email and it's not waiting long enough for me to approve actions.
Example: An email is delivered at 6pm (after hours) with a malicious URL. Defender detects it and ZAPs the URL automatically and sends me a useless alert "Email messages containing malicious URL removed after delivery". Sometimes this alert requires my intervention, sometimes not but the same alert comes through every time so I have to check every time. The next morning I come in around 8 and see the useless alerts and go to my Actions queue and all the pending actions have now timed out so now I'm hunting to get rid of these messages.
If I could get notified when I need to take action I can disable the useless alert telling me it zapped a URL as not every ZAP requires Admin intervention. I could also configure this "admin approval required" alert to text me so I can take action immediately instead of the next time I check my email.
I have 2 questions:
1. How do I setup Defender to send me a notification whenever I have pending actions?
2. How can I change the default behavior of the automated investigations? Ideally, if Defender finds a bad URL or attachment I'd rather have it just soft delete without my intervention.
5 Replies
Bradley Fox Did you manage to solve your problem? Currently having the same issue. I saw there is new notification rules section in Settings > Microsoft Defender XDR > Email notifications then Actions tab, but it only covers Failed and Completed. No Pending actions...
- Nope, I wrote a PowerShell script with graph API to query for investigations with pending actions and send me an email alert. I'm out of the office today or I'd share it with you.
Bradley Fox could you please share that PowerShell script ?
I would also love to know if this is possible...
Bradley Fox I have these exact 2 questions.... Anyone discover anything in the past year on this??
