Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide clues about an incident.
In Microsoft 365 Defender, related alerts are aggregated together to form incidents. Incidents will always provide the broader context of an attack, however, analyzing alerts can be valuable when deeper analysis is required.
The Alerts queue shows the current set of alerts. You get to the alerts queue from Incidents & alerts > Alerts on the quick launch of the Microsoft 365 Defender portal.
Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear here.
By default, the alerts queue in the Microsoft 365 Defender portal displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
From the default alerts queue, you can select Filters to see a Filters pane, from which you can specify a subset of the alerts. Here’s an example.
You can filter alerts according to these criteria:
- Service sources
- Impacted assets
- Automated investigation state
Required roles for Defender for Office 365 alerts
You’ll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:
- Azure Active Directory (Azure AD) global roles:
  - Global administrator
  - Security administrator
  - Security Operator
  - Global Reader
  - Security Reader
- Office 365 Security & Compliance Role Groups:
  - Compliance Administrator
  - Organization Management
- A custom role
Analyze an alert
To see the main alert page, select the name of the alert. Here’s an example.
You can also select the Open the main alert page action from the Manage alert pane.
An alert page is composed of these sections:
- Alert story, which is the chain of events and alerts related to this alert in chronological order
- Summary details
Throughout an alert page, you can select the ellipses (…) beside any entity to see available actions, such as opening the alert page or linking the alert to another incident.
Microsoft 365 Defender alerts may come from solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and the app governance add-on for Microsoft Defender for Cloud Apps. You may notice alerts whose IDs begin with a prepended character. The following table helps you map an alert to its source based on that prepended character.
- The prepended GUIDs are specific only to unified experiences such as unified alerts queue, unified alerts page, unified investigation, and unified incident.
- The prepended character does not change the GUID of the alert. The only change to the GUID is the prepended component.
|Alert source|Prepended character|
|---|---|
|Microsoft Defender for Office 365||
|Microsoft Defender for Endpoint||
|Microsoft Defender for Identity||
|Microsoft Defender for Cloud Apps||
Analyze affected assets
The Actions taken section has a list of impacted assets, such as mailboxes, devices, and users affected by this alert.
You can also select View in action center to view the History tab of the Action center in the Microsoft 365 Defender portal.
Trace an alert’s role in the alert story
The alert story displays all assets or entities related to the alert in a process tree view. The alert in the title is the one in focus when you first land on your selected alert’s page. Assets in the alert story are expandable and clickable. They provide additional information and expedite your response by allowing you to take action right in the context of the alert page.
The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you’ve selected.
View more alert information on the details page
The details page shows the details of the selected alert and the actions related to it. If you select any of the affected assets or entities in the alert story, the details page changes to provide contextual information and actions for the selected object.
Once you’ve selected an entity of interest, the details page changes to display information about the selected entity type, historic information when it’s available, and options to take action on this entity directly from the alert page.
To manage an alert, select the alert in the alerts queue on its row to see a Manage alert pane. Here’s an example.
The Manage alert pane allows you to view or specify:
- The alert status (New, Resolved, In progress).
- The user account that has been assigned the alert.
- The alert’s classification (Not set, True alert, False alert).
- For alerts classified as a true alert, the type of threat in the Determination field.
- A comment on the alert.
One way of managing alerts is through the use of tags. The tagging capability for Microsoft Defender for Office 365 is being rolled out incrementally and is currently in preview.
Currently, modified tag names are only applied to alerts created after the update. Alerts that were generated before the modification will not reflect the updated tag name.
From this pane, you can also perform these additional actions:
- Open the main alert page
- Consult a Microsoft threat expert
- View submission
- Link to another incident
- See the alert in a timeline
- Create a suppression rule
Here’s an example.
The list of additional actions depends on the type of alert.
Resolve an alert
Once you’re done analyzing an alert and it can be resolved, go to the Manage alert pane for the alert, mark its status as Resolved, and classify it as either a False alert or a True alert. For true alerts, specify the alert’s threat type in the Determination field.
Classifying alerts and specifying their determination helps tune Microsoft 365 Defender to produce more true alerts and fewer false alerts.
Use Power Automate to triage alerts
Modern security operations (SecOps) teams need automation to work effectively. To focus on hunting and investigating real threats, SecOps teams use Power Automate to triage through the list of alerts and eliminate the ones that aren’t threats.
Criteria for resolving alerts
- User has Out-of-office message turned on
- User isn’t tagged as high risk
If both are true, SecOps marks the alert as legitimate travel and resolves it. A notification is posted in Microsoft Teams after the alert is resolved.
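The triage rule above, together with the Manage alert pane fields from the "Resolve an alert" section, as an added example that is not part of the original page and is not Power Automate itself. The user attributes, alert titles, and addresses are constructed sample data; the helper and field names are assumptions made here for illustration.

```python
from dataclasses import dataclass, field

# Constructed alert record modelled on the Manage alert pane fields
# the page lists: status, classification, determination, comment.
@dataclass
class Alert:
    alert_id: str
    title: str
    user: str
    status: str = "New"              # New, In progress, Resolved
    classification: str = "Not set"  # Not set, True alert, False alert
    determination: str = ""          # only required for true alerts
    comments: list = field(default_factory=list)

# Constructed user attributes; in the page's scenario these would come
# from the mailbox (out-of-office state) and the user's risk tag.
USERS = {
    "alice@contoso.example": {"out_of_office": True, "high_risk": False},
    "bob@contoso.example": {"out_of_office": True, "high_risk": True},
    "carol@contoso.example": {"out_of_office": False, "high_risk": False},
}

def is_legitimate_travel(user: str) -> bool:
    """Both page criteria must hold: OOO is on and the user is not high risk.
    An unknown user fails the check, so the alert stays open for an analyst."""
    attrs = USERS.get(user, {})
    return attrs.get("out_of_office", False) and not attrs.get("high_risk", False)

def triage(alerts):
    """Resolve alerts that meet the criteria as false alerts and return the
    Teams notification text for each one resolved."""
    notifications = []
    for alert in alerts:
        if alert.status == "Resolved":
            continue  # already handled, nothing to do
        if is_legitimate_travel(alert.user):
            alert.status = "Resolved"
            alert.classification = "False alert"
            alert.comments.append(
                "Legitimate travel: out-of-office on, user not tagged high risk")
            notifications.append(
                f"Resolved alert {alert.alert_id} ({alert.title}) "
                f"for {alert.user} as legitimate travel")
    return notifications
```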
Connect Power Automate to Microsoft Defender for Cloud Apps
To create the automation, you’ll need an API token before you can connect Power Automate to Microsoft Defender for Cloud Apps.
- Click Settings, select Security extensions, and then click Add token in the API tokens tab.
- Provide a name for your token, and then click Generate. Save the token as you’ll need it later.
Create an automated flow
For the detailed step-by-step process, see the video here.
This video also describes how to connect Power Automate to Defender for Cloud Apps.