Configuring Alerts


I need help with configuring Alerts. To get started, I set up an alert for a simple query:


WDAVThreat | where ThreatStatus == "Remediated"


Trying to be alerted to a Windows Defender threat (ultimately I will go for != remediated but this is a test). What I get is an email that includes all of the threats remediated. If possible I would like to get an email for each new threat and only one time. 


How do I accomplish my goal?


Also note long-term we will be configuring an ITSM connection to ServiceNow. How do the alerts translate to the ITSM? Will they be formatted similarly? Is there a way to control what row data is included in the alert?

2 Replies


I would suggest reading my blog post on this topic:

The scenario I am proposing can be used in your case I think as it is universal.

I do not have information on the ITSM connection but I believe there are no controls on automatically populating certain data from the alert to go into specific fields of the incident/event.
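As an added example for the two messages above (not the poster's query as it stands and not code from the reply's blog post), the following KQL shows one way to turn the original query into a log alert that fires once per new threat rather than re-sending every remediated row. The idea is to bound the query to a lookback window equal to the alert rule's evaluation frequency, so each WDAVThreat row falls inside exactly one evaluation and is only alerted on once, and to summarize by threat so one row represents one detection. The columns ThreatName, Computer and TimeGenerated are assumed from the Antimalware Assessment schema; only ThreatStatus appears on the page.

```kusto
// Added example, not the original post's query.
// Schedule the alert rule with frequency == period (e.g. every 5 minutes, over the last
// 5 minutes) and set the condition to "number of results > 0". Because the query only
// looks back over one evaluation window, a given threat row is returned by at most one
// evaluation, so the same threat is not emailed again on the next run.
let lookback = 5m;   // assumption: must match the alert rule's evaluation frequency
WDAVThreat
| where TimeGenerated > ago(lookback)
// The poster's eventual goal is "not remediated"; swap to == "Remediated" for the test run.
| where ThreatStatus != "Remediated"
// Collapse repeated rows for the same machine/threat in the window into one result,
// which is also what gets rendered in the alert email body.
| summarize FirstSeen = min(TimeGenerated), Detections = count()
    by Computer, ThreatName, ThreatStatus
| project FirstSeen, Computer, ThreatName, ThreatStatus, Detections
| order by FirstSeen asc
```

If the alert rule's period is longer than its frequency, or the query has no time filter at all, the same rows are returned on consecutive evaluations and each one produces another email, which matches the behaviour described in the question. Splitting the alert by dimensions (Computer and ThreatName) in the rule configuration, where the alert type supports it, gives one alert instance per threat instead of one aggregated alert per evaluation, and the projected columns above are the row data that ends up in the notification payload.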