Important
Microsoft Defender for Business is now in preview and will roll out gradually to customers and IT Partners who sign up here to request it. We will onboard an initial set of customers and partners in the coming weeks and expand the preview leading up to general availability. Note that the preview launches with an initial set of scenarios, and we will be adding capabilities regularly.
Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
As threats are detected and alerts are triggered, incidents are created. Your company’s security team can view and manage incidents in the Microsoft 365 Defender portal.
Monitor your incidents & alerts
- In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Incidents. Any incidents that have been created are listed on the page.
- Select an alert to open its flyout pane, where you can learn more about the alert.
- In the flyout pane, you can see the alert title, view the list of affected assets (such as endpoints or user accounts), take the available actions, and follow links to more information, including the details page for the selected alert.
Tip
Microsoft Defender for Business (preview) is designed to help you address detected threats by offering recommended actions. When you view an alert, look for the recommended actions to take. Also take note of the alert severity, which is determined not only by the severity of the threat itself, but also by the level of risk it poses to your company.
Alert severity
Microsoft Defender Antivirus assigns an alert severity based on the absolute severity of a detected threat (malware) and the potential risk to an individual endpoint if it is infected. Microsoft Defender for Business (preview), by contrast, assigns an alert severity based on the severity of the detected behavior, the actual risk to an endpoint (device), and, more importantly, the potential risk to your company. The following table lists a few examples:
| Scenario | Alert severity | Reason |
|---|---|---|
| Microsoft Defender Antivirus detects and stops a threat before it does any damage. | Informational | The threat was stopped before any damage was done. |
| Microsoft Defender Antivirus detects malware that was executing within your company. The malware is stopped and remediated. | Low | Although some damage might have been done to an individual endpoint, the malware now poses no threat to your company. |
| Microsoft Defender for Business (preview) detects malware that is executing. The malware is blocked almost immediately. | Medium or High | The malware poses a threat to individual endpoints and to your company. |
| Suspicious behavior is detected, but no remediation actions have been taken yet. | Low, Medium, or High | The severity depends on the degree to which the behavior poses a threat to your company. |