| title | Endpoint Attack Notifications | ||
|---|---|---|---|
| ms.reviewer | |||
| description | Endpoint Attack Notifications provides proactive hunting for the most important threats to your network. | ||
| ms.service | defender-endpoint | ||
| ms.author | chrisda | ||
| author | chrisda | ||
| ms.localizationpriority | medium | ||
| ms.collection |
|
||
| ms.topic | article | ||
| ms.custom |
|
||
| ms.subservice | edr | ||
| ms.date | 03/25/2025 | ||
| appliesto |
|
Note
This covers threat hunting on your Microsoft Defender for Endpoint service. However, if you're interested to explore the service beyond your current license, and proactively hunt threats not just on endpoints but also across Office 365, cloud applications, and identity, refer to Microsoft Defender Experts for Hunting.
Note
The intake of new customers to the Endpoint Attack Notifications service is currently on pause. For customers interested in a managed service, sign up the Defender Experts service request form.
Endpoint Attack Notifications (previously referred to as Microsoft Threat Experts - Targeted Attack Notification) provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyber-espionage. These notifications show up as a new alert. The managed hunting service includes:
- Threat monitoring and analysis, reducing dwell time and risk to the business
- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
- Identifying the most important risks, helping SOCs maximize time and energy
- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response
If you're a Microsoft Defender for Endpoint customer, you can apply for Endpoint Attack Notifications. Go to Settings > Endpoints > General > Advanced features > Endpoint Attack Notifications to apply. Once accepted, you get the benefits of Endpoint Attack Notifications.
Endpoint Attack Notifications are alerts that are hand crafted by Microsoft's managed hunting service based on suspicious activity in your environment. They can be viewed through several mediums:
- The alerts queue in the Microsoft Defender portal
- Using the API
- DeviceAlertEvents table in Advanced hunting
- Your email if you configure an email notifications rule
Endpoint Attack Notifications are identified by:
- Have a tag named Endpoint Attack Notification
- Have a service source of Microsoft Defender for Endpoint > Microsoft Defender Experts
Note
If you enrolled for Endpoint Attack Notifications but are not seeing any alerts from the service, it indicates that you have a strong security posture and are less prone to attacks.
You can create rules to send email notifications for notification recipients. See Configure alert notifications to create, edit, delete, or troubleshoot email notification, for details.
- To proactively hunt threats across endpoints, Office 365, cloud applications, and identity, refer to Microsoft Defender Experts for Hunting.