Enterprise security teams can use Microsoft 365 Defender to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.

You can use Microsoft 365 Defender to:

  • View, sort, and triage alerts from your endpoints
  • Search for more information on observed indicators such as files and IP addresses
  • Change Microsoft Defender for Endpoint settings, including the time zone, and review licensing information

Microsoft 365 Defender

When you open the portal, you’ll see:

  • (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
  • (2) Search, Community center, Localization, Help and support, Feedback



Malware-related detections appear only if your devices use Microsoft Defender Antivirus as the default real-time protection antimalware product.

You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.

| Area | Description |
|---|---|
| (1) Navigation pane | Use the navigation pane to move between Dashboards, Incidents, Devices list, Alerts queue, Automated investigations, Advanced hunting, Reports, Partners & APIs, Threat & Vulnerability Management, Evaluation and tutorials, Service health, Configuration management, and Settings. Select the horizontal lines at the top of the navigation pane to show or hide it. |
| Dashboards | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards. |
| Incidents | View alerts that have been aggregated as incidents. |
| Devices list | Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels. |
| Alerts queue | View alerts generated from devices in your organization. |
| Automated investigations | Displays automated investigations that have been conducted in the network, the triggering alert, the status of each investigation, and other details such as when the investigation started and its duration. |
| Advanced hunting | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. |
| Reports | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability. |
| Partners & APIs | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings. |
| Threat & Vulnerability management | View your Microsoft Secure Score for Devices, exposure score, exposed devices, and vulnerable software, and take action on top security recommendations. |
| Evaluation and tutorials | Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment. |
| Service health | Provides information on the current status of the Defender for Endpoint service. You can verify that the service is healthy or see whether there are current issues. |
| Configuration management | Displays onboarded devices, your organization's security baseline, predictive analysis, and web protection coverage, and allows you to perform attack surface management on your devices. |
| Settings | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments. |
| (2) Search, Community center, Localization, Help and support, Feedback | Search – Search by device, file, user, URL, IP, vulnerability, software, and recommendation. Search supports the use of SHA1 and SHA256 cryptographic hash formats. Community center – Access the Community center to learn, collaborate, and share experiences about the product. Localization – Set time zones. Help and support – Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert. Feedback – Provide comments about what you like or what we can do better. |


For devices with high resolution DPI scaling issues, please see Windows scaling issues for high-DPI devices for possible solutions.

Microsoft Defender for Endpoint icons

The following table provides information on the icons used throughout the portal:

| Icon | Description |
|---|---|
| ATP logo icon | Microsoft Defender for Endpoint logo |
| Alert icon | Alert: Indication of an activity correlated with advanced attacks. |
| Detection icon | Detection: Indication of a malware threat detection. |
| Active threat icon | Active threat: Threats actively executing at the time of detection. |
| Remediated icon1 | Remediated: Threat removed from the device. |
| Not remediated icon | Not remediated: Threat not removed from the device. |
| Thunderbolt icon | Indicates events that triggered an alert in the Alert process tree. |
| Device icon | Device icon |
| Microsoft Defender AV events icon | Microsoft Defender Antivirus events |
| Application Guard events icon | Windows Defender Application Guard events |
| Device Guard events icon | Windows Defender Device Guard events |
| Exploit Guard events icon | Windows Defender Exploit Guard events |
| SmartScreen events icon | Windows Defender SmartScreen events |
| Firewall events icon | Windows Firewall events |
| Response action icon | Response action |
| Process events icon | Process events |
| Network communication events icon | Network events |
| File observed events icon | File events |
| Registry events icon | Registry events |
| Module load DLL events icon | Load DLL events |
| Other events icon | Other events |
| Access token modification icon | Access token modification |
| File creation icon | File creation |
| Signer icon | Signer |
| File path icon | File path |
| Command line icon | Command line |
| Unsigned file icon | Unsigned file |
| Process tree icon | Process tree |
| Memory allocation icon | Memory allocation |
| Process injection icon | Process injection |
| PowerShell command run icon | PowerShell command run |
| Community center icon | Community center |
| Notifications icon | Notifications |
| No threats found | Automated investigation – no threats found |
| Failed icon | Automated investigation – failed |
| Partially remediated icon | Automated investigation – partially investigated |
| Terminated by system | Automated investigation – terminated by system |
| Pending icon | Automated investigation – pending |
| Running icon | Automated investigation – running |
| Remediated icon2 | Automated investigation – remediated |
| Partially investigated icon | Automated investigation – partially remediated |
| Threat insights icon | Threat & Vulnerability Management – threat insights |
| Possible active alert icon | Threat & Vulnerability Management – possible active alert |
| Recommendation insights icon | Threat & Vulnerability Management – recommendation insights |

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
