Auditing / Configuring Defender Alerts/Rules/Emails/Notifications
Hey there!
I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process.
Short of creating a custom application and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and set up the settings.
So, starting from https://security.microsoft.com/ for each customer, that means going to Settings and following the path listed below, or navigating to the URL on the right in turn with each customer's tenant ID filled in:
| Setting | Portal path | URL |
|---|---|---|
| Incident Notifs | M365 Defender > Email Notifs > Incidents | https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=incidents&tid=<EachCustomerTenantID> |
| Actions | M365 Defender > Email Notifs > Actions | https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=actions&tid=<EachCustomerTenantID> |
| Threat Analytics | M365 Defender > Email Notifs > Threat Analytics | https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=threat_analytics&tid=<EachCustomerTenantID> |
| Alert Tuning/Suppression | M365 Defender > Alert Tuning | https://security.microsoft.com/securitysettings/defender/alert_suppression?tid=<EachCustomerTenantID> |
| Endpoint Alerts | Endpoints > Email Notifications > Alerts | https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=alerts&tid=<EachCustomerTenantID> |
| Endpoint Vulnerabilities | Endpoints > Email Notifications > Vulnerabilities | https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=vulnerabilities&tid=<EachCustomerTenantID> |
| Identity Health Notifs | Microsoft Defender for Identity > Health Issues | https://security.microsoft.com/settings/identities?tabid=healthIssuesNotifications&tid=<EachCustomerTenantID> |
| Identity Alerts | Microsoft Defender for Identity > Alert | https://security.microsoft.com/settings/identities?tabid=securityAlertsNotifications&tid=<EachCustomerTenantID> |
I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However, rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them, I was going to just start with auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on.
However, I can't find any PowerShell commands or API where I can access these notification settings (accessing the actual ALERTS themselves is no problem, but I cannot audit the actual Notification Configuration on more than an individual Alert/Incident level).
The backend of security.microsoft.com uses private API endpoints such as https://security.microsoft.com/apiproxy/mtp/k8s/settings/ThreatAnalyticNotificationsSettings or, as an example for Incident Notifications, https://security.microsoft.com/apiproxy/mtp/k8s/cloud/public/internal/IncidentNotificationSettingsV2.
The list above contains the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/programmatic/scripted access to these values. I cannot find any (public) API that seems to access them other than manually. Does anyone have an idea?