The problem with Defender's default notifications
Microsoft Defender for Endpoint can send email notifications when incidents are created. For many teams, that is the entire alerting pipeline: Defender detects something, an email goes out, and someone is supposed to notice it and act.
In practice, that process has well-documented failure modes. The email competes with everything else in your inbox. It arrives on a schedule that depends on your mail provider, not on the urgency of the incident. There is no acknowledgement mechanism, so nobody knows whether anyone has seen it. And if the person who should respond is away from their desk, the email sits there until they happen to check.
We wrote about this in detail in why email-based Defender alerting fails. The short version is that email is informational, not operational. It was never designed for time-sensitive security response.
How SOC Anywhere handles notifications
SOC Anywhere syncs your Defender environment continuously in the background. When a new incident is created or an existing incident receives new alerts, the system sends a push notification to every team member who has opted in. The notification arrives on their phone within seconds, not on an email sync cycle.
Unlike email, these notifications are configurable at the individual level. Each team member controls their own notification preferences:
- Severity filtering — choose which severity levels trigger notifications: Informational, Low, Medium, or High. Most teams start with Medium and above and adjust from there.
- Quiet hours — set per-day quiet hours so notifications are suppressed during off-duty periods. Useful for teams with defined on-call windows rather than round-the-clock coverage.
- Muted incidents — suppress notifications for specific incident display names that recur frequently and do not need immediate attention. Muted incidents are still visible in the app; they just stop sending push notifications.
Notifications work on both the web app (as a PWA installed on your home screen) and the native mobile app for iOS and Android. The delivery mechanism is different, but the behaviour is the same: a push notification that takes you directly to the incident when tapped.
What happens after the notification
The difference between SOC Anywhere notifications and most alerting tools is what happens after you open the notification. Rather than landing on a portal that was designed for desktop, you open directly into a mobile-optimized incident view where you can actually do something useful.
From the incident detail screen, you can see the full incident with its alerts and evidence, review any matching playbooks that document your team's response procedure, check related incidents to understand whether this is part of a pattern, read evidence notes from previous investigations, and take action: update the status, classify the incident, assign it to a team member, or add a comment that syncs back to the Defender portal.
The entire flow from notification to triage decision can happen on your phone, without opening a laptop or navigating to the security portal.
New incident and update notifications
SOC Anywhere sends two types of notifications. New incident notifications fire when Defender creates an incident that was not previously in your environment. Update notifications fire when new alerts are added to an existing incident, which often indicates escalating or expanding activity.
Both types respect your severity filters, quiet hours, and muted incident settings. The notification itself tells you the incident name, severity, and whether it is new or updated, so you can decide within seconds whether it needs immediate attention.
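To make the filtering rules concrete, here is an added illustration (not SOC Anywhere's code) of how a per-user preference set decides whether a sync event becomes a push: the severity threshold, per-day quiet hours and muted display names described above, applied to both new-incident and update events. The data model, field names and sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Severity levels in ascending order, as listed on the page.
SEVERITIES = ["Informational", "Low", "Medium", "High"]

@dataclass
class Preferences:
    """One team member's notification settings (hypothetical model)."""
    min_severity: str = "Medium"
    # weekday (0=Monday) -> (start, end); start > end means the window wraps past midnight
    quiet_hours: dict = field(default_factory=dict)
    muted_names: set = field(default_factory=set)

@dataclass
class IncidentEvent:
    """What one background sync pass observed for a single Defender incident."""
    display_name: str
    severity: str
    is_new: bool        # True: not previously in the environment; False: existing incident
    added_alerts: int   # alerts attached since the previous sync

def in_quiet_hours(prefs, when):
    t = when.time()
    today = prefs.quiet_hours.get(when.weekday())
    if today:
        start, end = today
        if (start <= end and start <= t < end) or (start > end and t >= start):
            return True
    # A window that wraps past midnight also covers the early hours of the next day.
    yesterday = prefs.quiet_hours.get((when.weekday() - 1) % 7)
    if yesterday:
        start, end = yesterday
        if start > end and t < end:
            return True
    return False

def should_notify(prefs, event, when):
    """Return (deliver, text): the suppression reason, or the push text if it should go out."""
    if event.severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {event.severity}")
    if not event.is_new and event.added_alerts == 0:
        return False, "unchanged incident"      # only new incidents or new alerts fire
    if SEVERITIES.index(event.severity) < SEVERITIES.index(prefs.min_severity):
        return False, "below severity threshold"
    if event.display_name in prefs.muted_names:
        return False, "muted incident"           # still visible in the app, just silent
    if in_quiet_hours(prefs, when):
        return False, "quiet hours"
    kind = "New" if event.is_new else "Updated"
    return True, f"{kind} incident: {event.display_name} [{event.severity}]"
```

The push text carries exactly the three facts the page says a notification contains: whether it is new or updated, the incident name, and the severity.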
Web and mobile delivery
SOC Anywhere supports push notifications through two channels. The web app is a progressive web app (PWA) that you can install on your phone's home screen. Once installed, it receives push notifications through your browser's notification system, so it works like a native app without going through an app store.
There is also a native mobile app built with Flutter for iOS and Android. It uses Firebase Cloud Messaging for push delivery, which is the same notification infrastructure used by most major apps. If you prefer a native app experience, the mobile app provides that with identical functionality to the web version.
Both channels can be active at the same time. If you have the PWA installed on your tablet and the native app on your phone, you will receive notifications on both. Notification preferences are per-user and apply regardless of which app you are using.
What this replaces
SOC Anywhere notifications are designed to replace the email-based alerting pipeline for teams that need faster and more reliable delivery. You do not need to disable Defender's built-in email notifications if you still want them as a backup, but most teams find that once they have push notifications working, the emails become redundant.
For teams that have built custom notification pipelines using Logic Apps, Azure Functions, or the Streaming API, SOC Anywhere replaces the need for that custom infrastructure. The sync and notification pipeline is managed for you. If you have been routing Defender notifications through Teams or Slack, the comparison with chat-based alerting explains where those approaches fall short.
If you are currently relying on email and want to understand why it fails as an operational alerting channel, the email alerting post covers it in detail. If you suspect your Defender notification rules are misconfigured, the missed alerts checklist walks through the common issues. For a broader overview of all the available options, see the complete guide to real-time Defender notifications.
Get Real-Time Defender Notifications
SOC Anywhere delivers push notifications for Microsoft Defender incidents with configurable severity filters, quiet hours, and mobile-optimized triage. Connect your Defender environment and start receiving alerts in minutes.