
Auditing/Configuring the Rules/Notifications/Alert email addresses


Hey there! 
I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process.

Short of creating a custom application, and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and set up the settings.

So starting from https://security.microsoft.com for each customer, going to Settings, and following the mentioned path, or navigating to the URL on the right in turn with each customer tenantID filled in.

 

 

| Setting | Path | URL |
| --- | --- | --- |
| Incident Notifs | M365 Defender > Email Notifs > Incidents | https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID> |
| Actions | M365 Defender > Email Notifs > Actions | https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID> |
| Threat Analytics | M365 Defender > Email Notifs > Threat Analytics | https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID> |
| Alert Tuning/Suppression | M365 Defender > Alert Tuning | https://security.microsoft.com/securitysettings/defender/alert_suppression?tid=<EachCustomerTenantID> |
| Endpoint Alerts | Endpoints > Email Notifications > Alerts | https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=alerts&tid...<EachCustomerTenantID> |
| Endpoint Vulnerabilities | Endpoints > Email Notifications > Vulnerabilities | https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=vulnerabil...<EachCustomerTenantID> |
| Identity Health Notifs | Microsoft Defender for Identity > Health Issues | https://security.microsoft.com/settings/identities?tabid=healthIssuesNotifications&tid=<EachCustomerTenantID> |
| Identity Alerts | Microsoft Defender for Identity > Alert | https://security.microsoft.com/settings/identities?tabid=securityAlertsNotifications&tid=<EachCustomerTenantID> |

1 Reply
I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However - rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them - I was going to just start with Auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on.



However, I can't find any PowerShell commands or API where I can access these notification settings (access the actual ALERTS themselves, no problem, but not audit the actual Notification Configuration on more than an individual Alert/Incident level).



The backend of security.microsoft.com uses private API endpoints like https://security.microsoft.com/apiproxy/mtp/k8s/settings/ThreatAnalyticNotificationsSettings

or https://security.microsoft.com/apiproxy/mtp/k8s/cloud/public/internal/IncidentNotificationSettingsV2 as an example for Incident Notifications.

The list in my previous post is the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/Programmatic/Scripted access to these values - but I cannot find any (public) API that seems to access them.