Prioritizing Incidents in Microsoft Defender for Business

Image of two security cameras on a concrete wall.
Security is important, and we always need to keep an eye on any incidents that occur on our networks.
Source: Pixabay

Microsoft Defender for Business is best known for its ability to identify vulnerabilities. Yet, Defender goes well beyond listing vulnerabilities and providing security recommendations. It also tracks incidents that have occurred in your company. 

But when it comes to incident management, Defender for Business has a few things you should know to improve your security. In this article, I’ll explain how to access these incidents and prioritize them in 3 steps.

1. Retrieving a List of Incidents

To access a list of incidents that have occurred in your company, follow these steps:

  1. Log into Microsoft 365
  2. Open the Microsoft 365 Defender Portal
  3. Expand the Incidents and Alerts container
  4. Click on the Incidents tab

Sometimes, your Incident list shows blank, as seen below. This can happen because no incidents have occurred or because of filters currently applied.

Screenshot of a blank Incidents Page
With my two filters on, Defender for Business won’t show any incidents that don’t fall under both filters.

Looking at the figure above, you’ll notice the Filters list includes Status and Severity. Click on the X icon for each filter to remove it. It also has a date filter on the far right side of the screen. You may also need to adjust this date filter for older incidents. 

A screenshot of the same Incidents page, but with the filters removed.
Now that I’ve removed the filters, incidents begin to show up.

2. Examining an Incident

The information displayed on the Incidents screen serves as a summary. The most important thing to pay attention to on the summary screen is the Severity rating. The severity is an assessment of the severity of the malware and the potential risk it poses. When many incidents come in, it’s important to focus on the highest severity.

Clicking on an incident causes the portal to display a more detailed summary, as shown below. At the very bottom of the screen, a legend shows how many alerts are included in the incident. It also shows their seriousness. This information can also help you know which incidents to prioritize.

A screenshot of an example of an Incident Summary
Clicking on an incident causes Defender to display a more detailed incident summary.

As you can see above, the incident summary includes information on which users and devices were involved. You can also see when the incident occurred and how it was classified. If you look at the Incident Details section, you’ll notice it’s for a specific user. Microsoft allows you to give an incident to a particular user for investigation. 

Additionally, we see a link labeled Open Incident Page. Anyone assigned to investigate will click on this link to access all the details. Microsoft Defender provides an “attack story” outlining the users, devices, and processes involved in the incident. You can change the chart’s layout to meet your needs and click on individual elements for more detail. For example, you might click on Processes to get a list of the involved processes.

A screenshot of a view of the incident details in Defender for Business
The attack story outlines the incident in granular detail.

The page also includes a series of tabs you can use to look at other resources associated with the incident. These resources may have alerts, mailboxes, apps, and more.

3. Managing an Incident

Now that we’ve seen some tools that can help you investigate an incident, we’ll see how to manage and prioritize them. To manage an incident, click on it and then click on the Manage Incident link. Defender for Business will then open a screen like the one shown below.

A screenshot of a form showing the interface for managing an incident.
This is Defender for Business Incident Management details.

First, you’ll notice the Manage Incident screen prompts you for an incident name and tags. Using tags and names is optional but can be helpful if you manage a lot of incidents.

Next, you’ll see the Assign To field. This field assigns the incident to a staff member for further investigation.

The following three fields are for whoever is investigating the incident. The first of these fields is the Status field. We have three options here: Active, In Progress, or Resolved. Each of these is self-explanatory, but your company may want to define what these statuses should entail.

Next, you’ll find the Classification section. Incidents are classified as true positive, false positive, or informational, expected activity. Defender for Business offers several more specific classifications within each of these categories. For example, informational, expected activity might stem from security testing. Or an application with a known behavior mimicking a security incident.

A screenshot of a list showing several different indecent classifications in Microsoft Defender.
You can choose from tons of classifications, allowing you to have greater control over the information in Defender.

Finally, the Manage Incidents screen includes a Comments section that you can use to make notes.

The Wrap-Up

It’s normal for Microsoft 365 Defender to report incidents. Some incidents are informational or pertain to conditions that don’t signal an actual security threat. Yet, all non-informational incidents should at least be examined, emphasizing elevated incidents

With this in mind, you’ve hopefully learned a few extra tricks on how to work with Defender for Business. It’s an excellent way for small businesses to manage and investigate security incidents across your network. 

If you have more questions, check out our FAQ and Resources sections below.

FAQ

Can I get Defender for Business if I don’t have a Microsoft 365 Enterprise subscription?

Yes, although Defender comes with some Microsoft 365 Enterprise subscriptions, it’s also available as an add-on for Microsoft 365 Business. You can find information on the available Defender for Business subscriptions on their website.

When I assign an incident to a technician, where do they go to review the incidents assigned to them?

A technician investigating incidents assigned to them would go to the same Incidents screen. They can then use the Filter option to show the incidents assigned to them.

How can I keep informational events from being listed among the incidents?

The built-in filter will allow you to filter the incidents by severity. You can choose to display all incidents, informational incidents, or incidents of high, medium, or low severity. You can, of course, also show incidents with any combination of these severity levels.

Are incidents generated solely by Microsoft 365 Defender, or can they come from other sources?

At a minimum, incidents are reported by Microsoft 365 Defender. Depending on the services included in your subscription, incidents may also come from other sources in the Microsoft 365 security suite.

It just depends on the types of incidents that are being reported. After all, some incidents are entirely benign. The important thing to consider is whether the incidents that are being reported are in line with regular user activity. If the incidents don’t align, it might signify a rogue user or a compromised account.

Resources

TechGenix: Article on Integrating Microsoft Defender with the Cloud

Learn how to integrate Microsoft Defender alongside your other cloud-based security solutions

TechGenix: Article on How Windows Defender Evolved

Find out more about the growth of Microsoft Defender to the multi-faceted security solution it’s become.

Microsoft: Documentation on Defender for Business

Not all questions are easy to solve, so check out the official documentation for Defender.

Microsoft: Article on How Defender for Business Works for SMBs

Read more on the Defender plans available to small and medium-sized businesses.

Microsoft: Guide on Defender for Business’ Free Trial

Check out what you can do with a free trial of Defender for Business and get a jumpstart on your security suite.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top