Forum Discussion

Tobias_Moe's avatar
Tobias_Moe
Copper Contributor
Mar 13, 2024

Removing old M365 Defender incident email notification

Hi,

 

Does anyone know where I can turn off the old M365 Defender incident email notifications? A while back I setup alerting for High incidents using this, but I cannot find that same notification rule anymore to remove it. I have checked Defender XDR Email notifications view, but the old rule from M365 dosent exists there. And I know it exists, because my new email notification rule in Defender XDR is set to email me for Medium and High alerts, but for all High alert I am getting duplicate notifications. 

  • Joe Hahn's avatar
    Joe Hahn
    Copper Contributor
    Tobias,
    On the Defender Home page expand the Email & collaboration heading, click Policies & rules, then click Alert Policy. If you dont see what your looking for try double checking in your Exchange Admin Center: Home > Mail flow > Alert Policies. Let me know if this helps.
    • Tobias_Moe's avatar
      Tobias_Moe
      Copper Contributor
      Hi Joe, thank you for the reply. I did check those places mentioned by you but did not find a solution to my issue.
      Back when it was M365 Defender, I setup an alert in Defender dashboard to email me about High severity incidents from Defender. When M365 Defender changed in Defender XDR, it changed the placement for configuring email notifications for Defender alerts, and after setting up the new way I am still getting duplicate emails. One for the old M365 Defender email notification, and one for the Defender XDR one.
  • DylanInfosec's avatar
    DylanInfosec
    Brass Contributor
    Hi Tobias,
    I remember that screen and it definitely did move didn’t it.

    On the XDR portal have you tried scrolling down to Settings > Microsoft Defender XDR > Email Notifications? It should be right there under General.

    This is also where you get the Threat Analytics reports in the 3rd tab. And the menu below that is the Alert Service settings for the other Defender for Cloud and Entra ID Protection alerts.

    Best,
    Dylan
    • Tobias_Moe's avatar
      Tobias_Moe
      Copper Contributor
      Hello! Thank you for the response Dylan, and apologies for the delayed response from my side.

      The Email Notifications under Settings -> Defender XDR is where I setup the new email notification. Changing this has no effect on the old email configuration. I am still getting duplicate alerts, and I have noticed that some of my customers are also experiencing the same problem.

      I think MS have removed the old email configuration page, but somehow forgot to remove the rules itself?

Resources