Microsoft Defender for Endpoint: Alert Notification Rules

Alert Notification Rules

Question

Microsoft Defender for Endpoint gives configuration selections for alerts and detections.

These include notifications, custom indicators, and detection rules.

Which filter is a part of an Alert notification rule?

Answers

Explanations


Correct Answer: B.

[Screenshot: Incident notifications > Create rule wizard, with the steps Basics, Notification settings, Recipients and Review rule. The Notification settings step shows the following options:]

  • Alert severity: (Select alert severity)
  • Device group scope [MDE service only]:
      - All device groups: Affects all current and future device groups in your organization.
      - Selected device groups: Choose device groups to get notifications for
  • Only notify on first occurrence per incident
  • Include organization name
  • Include tenant-specific portal link

When an alert is triggered in Microsoft Defender for Endpoint, an Alert notification rule can be used to define how the alert should be handled. This includes options such as sending an email, creating a ticket, or triggering an automated action.

One of the filters that can be set as part of an Alert notification rule is Alert Severity. Alert Severity is a measure of the potential impact of an alert. Alerts are assigned a severity level based on the potential harm that they represent.

For example, a low-severity alert might indicate that a suspicious file has been detected on a single machine, while a high-severity alert might indicate that a critical system has been compromised.

By setting Alert Severity as a filter in an Alert notification rule, an organization can ensure that the right people are notified when important alerts are triggered. For example, a high-severity alert might trigger an immediate email to the security team, while a low-severity alert might simply be added to a log for future reference.

The other options listed in the question are also important filters that can be set as part of an Alert notification rule:

  • Subject IDs: This filter allows alerts to be filtered based on the user or device that triggered them.
  • Account: This filter allows alerts to be filtered based on the account that was targeted or affected.
  • Alert IDs: This filter allows alerts to be filtered based on their unique identifier within the Microsoft Defender for Endpoint system.

In summary, while all of the options listed are important filters that can be set as part of an Alert notification rule, Alert Severity is the one specifically mentioned in the question.