Skip to content
Recued
Menu
← Back to recipes

Microsoft Defender endpoint security digest

by recued-core v1

Scheduled read-only Microsoft Defender for Endpoint security digest. It reads bounded pages of active alerts, high-risk machines, recent machine actions, security recommendations, vulnerabilities, and the organizational exposure score through recued-core.microsoft-defender-endpoint, renders compact tables, and optionally sends an in-app nudge when matching alerts or machines are visible. It never runs advanced hunting passthrough, live response, offboarding, antivirus scans, file quarantine actions, package collection, tag mutation, indicator mutation, bulk alert updates, raw exports, or arbitrary Defender APIs.

How it works 31 steps

Inspect the data fetches, transforms, gates, and output this recipe runs.

Process (31 steps)
alerts_raw ?
machines_raw ?
actions_raw ?
recommendations_raw ?
vulnerabilities_raw ?
exposure_score ?
alerts default
Apply default
machines default
Apply default
actions default
Apply default
recommendations default
Apply default
vulnerabilities default
Apply default
alert_count count
Count items in alerts
machine_count count
Count items in machines
action_count count
Count items in actions
recommendation_count count
Count items in recommendations
vulnerability_count count
Count items in vulnerabilities
has_alerts compare
Check if alert count is greater than 0
has_machines compare
Check if machine count is greater than 0
has_findings any
Check if any of the conditions are true
notify_enabled compare
Check if setting notify when findings equals true
should_notify all
Check if all conditions are true
notify ?
skip: step.should_notify not_equal true
alert_rows slice
Take a subset of
machine_rows slice
Take a subset of
recommendation_rows slice
Take a subset of
vulnerability_rows slice
Take a subset of
alert_table to_table
Format results as a data table
machine_table to_table
Format results as a data table
recommendation_table to_table
Format results as a data table
vulnerability_table to_table
Format results as a data table
card to_summary
Format results as a summary card
Settings 12 configurable

Configurable at install. Defaults shown — change them anytime in Recued.

channels setting = in_app
end hour setting = 10
weekdays setting = 1,2,3,4,5
row limit setting = 20
start hour setting = 8
alert filter setting = status ne 'Resolved' and severity ne 'Informational'
machine filter setting = riskScore ne 'None' or exposureLevel ne 'None'
microsoft defender setting =
notify when findings setting = true
vulnerability filter setting = severity eq 'Critical' or severity eq 'High'
machine action filter setting = status ne 'Succeeded'
recommendation filter setting = status eq 'Active'

Trust & control

What installing this recipe would let it do. Recued grants these permissions at install — review them there before approving.

Where it runs

Device + server Runs on your device (browser) or your server.

Permissions it requires

Send notificationsRead your Microsoft-defender connection
Declared by the recipe — Recued grants these at install, where you review them before approving.

About

Tags

microsoft-defender-endpoint microsoft-defender-endpointdefender-for-endpointendpoint-securityedralertsmachinesvulnerabilitiessecurity-recommendationsdigestnotificationpack:microsoft-defender-endpoint

Details

31 steps 12 configurable settings recipe_id: microsoft-defender-endpoint-security-digest