How to configure Elements Endpoint Detection and Response alert email ONLY to be sent when severe or high risk level happened?

Issue:

Normally, the alert notification email from EDR will be sent when a detection with he risk level at "Severe", "High" and "Medium" has been added to the portal, but is it possible to configure the alert email that ONLY will be notified when "Severe" or "high" risk level has happened? Is it possible to filter the email alerts coming from EDR? I don't want to get a lot of low risk alert emails, but only medium and higher. Or only higher or severe etc.

Resolution:

From the Management > Organization Settings > Detection and Reponse settings tab, it is not possible to edit which classification EDR detections would send emails.

In this case, you have to use this workaround to generate an email report that only goes when there is High or Severe level detection:

Log in to the Elements portal
Go to Events > Security Events
Apply these two filters:
- Source Equals EDR
- Severity Equals Action needed
Open the view menu on the top right corner and select "Save as" at the bottom of the menu
Give the view a descriptive name and save it
Go to Reports > Email notification and report
Click Add email report
Give it a name you want to see in your email subject
For Data source select Security Events
For template select the view you previously created
Configure schedule and recipient (continuous will send email every even 10 minutes if a new event has appeared)
Leave the Send only when report has content toggle enabled
Click Save

This report report is sent whenever High or Severe level detection appears on that Security Events page. Unfortunately, it is not possible to choose to send emails only about Severe level detections, because on the Security Events page that Severity equals Action needed filter includes both High and Severe level detections.

We will be improving those reporting and email features this year, but there is no specific estimate at this time.

Here you need to note that if you are trying to send a test report from that new report using the Send test report button, remember to first temporarily disable Send only when report has content, because if there is no content in the report, the test report will not be sent either.

Here is an in more detail explanation why the test report is not being sent: https://community.withsecure.com/en/kb/articles/31416-no-test-report-sent-when-security-events-source-is-used-for-elements-email-notification-and-report