Microsoft Defender for Business is best known for its ability to identify vulnerabilities. Yet, Defender goes well beyond listing vulnerabilities and providing security recommendations. It also tracks incidents that have occurred in your company.
But when it comes to incident management, there are a few things you should know about Defender for Business to get the most out of it. In this article, I’ll explain how to access incidents and prioritize them in 3 steps.
1. Retrieving a List of Incidents
To access a list of incidents that have occurred in your company, follow these steps:
- Log into Microsoft 365
- Open the Microsoft 365 Defender Portal
- Expand the Incidents and Alerts container
- Click on the Incidents tab
Sometimes, your Incident list shows blank, as seen below. This happens either because no incidents have occurred or because the filters currently applied exclude them.
Looking at the figure above, you’ll notice that the Filters list includes Status and Severity. Click on the X icon for each filter to remove it. There is also a date filter on the far right side of the screen; widen it if you are looking for older incidents, since the default window only shows recent ones.
2. Examining an Incident
The information displayed on the Incidents screen serves as a summary. The most important thing to pay attention to on the summary screen is the Severity rating. The severity is Defender’s assessment of the threat behind the incident (malware or otherwise) and the potential risk it poses to your organization. When many incidents come in, work the highest-severity ones first.
Clicking on an incident causes the portal to display a more detailed summary, as shown below. At the very bottom of the screen, a legend shows how many alerts are included in the incident and how severe each of them is. This information can also help you decide which incidents to prioritize.
As you can see above, the incident summary includes information on which users and devices were involved. You can also see when the incident occurred and how it was classified. If you look at the Incident Details section, you will notice that it names a specific user. Defender allows you to assign an incident to a particular user for investigation.
Additionally, we see a link labeled Open Incident Page. Anyone assigned to investigate will click on this link to access all the details. Microsoft Defender provides an “attack story” outlining the users, devices, and processes involved in the incident. You can change the chart’s layout to meet your needs and click on individual elements for more detail. For example, you might click on Processes to get a list of the involved processes.
The page also includes a series of tabs that you can use to look at other resources associated with the incident. These resources may include alerts, mailboxes, apps, and more.
3. Managing an Incident
Now that we’ve seen some tools that can help you investigate an incident, let’s see how to manage and prioritize them. To manage an incident, click on it and then click on the Manage Incident link. Defender for Business will then open a screen like the one shown below.
First, you’ll notice the Manage Incident screen prompts you for an incident name and tags. Using tags and names is optional but can be helpful if you manage a lot of incidents.
Next, you’ll see the Assign To field. This field assigns the incident to a staff member for further investigation.
The following three fields are for whoever is investigating the incident. The first of these fields is the Status field. We have three options here: Active, In Progress, or Resolved. Each of these is self-explanatory, but your company may want to define what these statuses should entail.
Next, you’ll find the Classification section. Incidents are classified as true positive, false positive, or informational, expected activity. Within each of these categories, Defender for Business lets you pick a more specific determination. For example, informational, expected activity might stem from security testing, or from a line-of-business application whose known behavior mimics a security incident.
Finally, the Manage Incidents screen includes a Comments section that you can use to make notes.
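The three steps above (list and filter incidents, prioritize by severity and alert count, then manage an incident by assigning it and setting its status and classification) can also be driven from the Microsoft Graph security API rather than the portal. The following Python script is an added example, not code from the article or from Microsoft. It works offline on a constructed sample response in the shape of `GET https://graph.microsoft.com/v1.0/security/incidents`; the field names, the status, classification and determination values, and the `PATCH /security/incidents/{id}` body shape are assumptions based on the Graph incident resource, and the tenant data is made up.

```python
"""Triage Microsoft 365 Defender incidents the way the portal does, from JSON.

Added example (not the article's or Microsoft's code). Field names and enum
values are assumptions taken from the Graph security incident resource.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 30-day window below is deterministic (assumption).
NOW = datetime(2024, 5, 11, tzinfo=timezone.utc)

# Constructed sample in the shape of GET /security/incidents. Not real data.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "1001", "displayName": "Multi-stage incident on WS-07",
     "severity": "high", "status": "active", "assignedTo": None,
     "classification": "unknown", "createdDateTime": "2024-05-09T08:15:00Z",
     "alerts": [{"id": f"a{i}"} for i in range(5)]},
    {"id": "1002", "displayName": "Suspicious PowerShell on WS-02",
     "severity": "informational", "status": "active", "assignedTo": None,
     "classification": "unknown", "createdDateTime": "2024-05-10T12:00:00Z",
     "alerts": [{"id": "b0"}]},
    {"id": "1003", "displayName": "Phishing email delivered to 3 users",
     "severity": "medium", "status": "inProgress",
     "assignedTo": "analyst@contoso.com", "classification": "unknown",
     "createdDateTime": "2024-05-01T09:30:00Z",
     "alerts": [{"id": "c0"}, {"id": "c1"}]},
    {"id": "1004", "displayName": "Credential theft tool on LAPTOP-11",
     "severity": "high", "status": "active", "assignedTo": None,
     "classification": "unknown", "createdDateTime": "2024-04-01T17:45:00Z",
     "alerts": [{"id": "d0"}, {"id": "d1"}]},
]})

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": -1}

# Values accepted by the Graph incident resource (assumption).
VALID_STATUS = {"active", "inProgress", "resolved"}
VALID_CLASSIFICATION = {"unknown", "falsePositive", "truePositive",
                        "informationalExpectedActivity"}
VALID_DETERMINATION = {"unknown", "apt", "malware", "securityPersonnel",
                       "securityTesting", "unwantedSoftware", "other",
                       "multiStagedAttack", "compromisedUser", "phishing",
                       "maliciousUserActivity", "clean", "insufficientData",
                       "confirmedUserActivity", "lineOfBusinessApplication"}


def _parse_time(value):
    # Graph returns ISO-8601 UTC with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_incidents(raw_json):
    """Unwrap the OData 'value' array of an incidents response."""
    return json.loads(raw_json)["value"]


def filter_incidents(incidents, severities=None, statuses=None,
                     assigned_to=None, within_days=None, now=NOW):
    """Mirror the portal's Severity, Status, Assigned-to and date filters.
    Any filter left as None is not applied, which is what clearing the
    portal filters with the X icon does."""
    cutoff = now - timedelta(days=within_days) if within_days else None
    kept = []
    for inc in incidents:
        if severities and inc["severity"] not in severities:
            continue
        if statuses and inc["status"] not in statuses:
            continue
        if assigned_to and inc.get("assignedTo") != assigned_to:
            continue
        if cutoff and _parse_time(inc["createdDateTime"]) < cutoff:
            continue
        kept.append(inc)
    return kept


def prioritize(incidents):
    """Highest severity first, then most alerts, then oldest (longest dwell)."""
    return sorted(incidents, key=lambda i: (-SEVERITY_RANK.get(i["severity"], -1),
                                            -len(i.get("alerts", [])),
                                            _parse_time(i["createdDateTime"])))


def build_manage_patch(assigned_to=None, status=None, classification=None,
                       determination=None, display_name=None, tags=None):
    """Body for PATCH /security/incidents/{id}: the Manage Incident form as JSON.
    Rejects values the API would not accept instead of sending them."""
    if status is not None and status not in VALID_STATUS:
        raise ValueError(f"invalid status {status!r}")
    if classification is not None and classification not in VALID_CLASSIFICATION:
        raise ValueError(f"invalid classification {classification!r}")
    if determination is not None and determination not in VALID_DETERMINATION:
        raise ValueError(f"invalid determination {determination!r}")
    body = {"assignedTo": assigned_to, "status": status,
            "classification": classification, "determination": determination,
            "displayName": display_name, "tags": tags}
    return {k: v for k, v in body.items() if v is not None}


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_RESPONSE)
    # Step 1 and 2: open incidents from the last 30 days, most urgent first.
    queue = prioritize(filter_incidents(incidents, statuses={"active", "inProgress"},
                                        within_days=30))
    for inc in queue:
        print(f"{inc['severity']:<13} alerts={len(inc['alerts']):<2} "
              f"{inc['id']} {inc['displayName']}")
    # Step 3: hand the top incident to an analyst and mark it in progress.
    print(json.dumps(build_manage_patch(assigned_to="analyst@contoso.com",
                                        status="inProgress",
                                        classification="truePositive",
                                        determination="malware",
                                        tags=["endpoint"]), indent=2))
```

Note that incident 1004 is high severity but falls outside the 30-day window, which is exactly the case the date filter in step 1 hides; clear `within_days` (or widen the portal's date filter) when hunting for older incidents. Sending the patch body requires a bearer token with the appropriate Graph security permission, which is outside the scope of this offline example.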
The Wrap-Up
It’s normal for Microsoft 365 Defender to report incidents. Some incidents are informational or pertain to conditions that do not signal an actual security threat. Yet, all non-informational incidents should at least be examined, with the higher-severity ones taking priority.
With this in mind, you’ve hopefully learned a few extra tricks on how to work with Defender for Business. It’s an excellent way for small businesses to manage and investigate security incidents across your network.
If you have more questions, check out our FAQ and Resources sections below.
FAQ
Can I get Defender for Business if I don’t have a Microsoft 365 Enterprise subscription?
Yes. Defender for Business is aimed at small and medium-sized businesses: it is included in Microsoft 365 Business Premium and is also available as a standalone subscription, with no Enterprise plan required. (The Enterprise plans bundle Defender for Endpoint instead.) You can find information on the available Defender for Business subscriptions on Microsoft’s website.
When I assign an incident to a technician, where do they go to review the incidents assigned to them?
A technician investigating incidents assigned to them would go to the same Incidents screen. They can then use the Filter option to show the incidents assigned to them.
How can I keep informational events from being listed among the incidents?
The built-in filter will allow you to filter the incidents by severity. You can choose to display all incidents, informational incidents, or incidents of high, medium, or low severity. You can, of course, also show incidents with any combination of these severity levels.
Are incidents generated solely by Microsoft 365 Defender, or can they come from other sources?
Incidents are created by the Microsoft 365 Defender portal, which correlates related alerts into a single incident. With Defender for Business alone, those alerts come from its device protection. Depending on the services included in your subscription, alerts from other Microsoft 365 security services (for example, email protection) are correlated into the same incidents.
Should I be concerned if I keep seeing incidents related to a specific user account?
It depends on the types of incidents that are being reported. After all, some incidents are entirely benign. The important thing to consider is whether the reported incidents are in line with that user’s regular activity. If they don’t align, it might signify a rogue user or a compromised account.
Resources
TechGenix: Article on Integrating Microsoft Defender with the Cloud
Learn how to integrate Microsoft Defender alongside your other cloud-based security solutions.
TechGenix: Article on How Windows Defender Evolved
Find out more about the growth of Microsoft Defender to the multi-faceted security solution it’s become.
Microsoft: Documentation on Defender for Business
Not all questions are easy to solve, so check out the official documentation for Defender.
Microsoft: Article on How Defender for Business Works for SMBs
Read more on the Defender plans available to small and medium-sized businesses.
Microsoft: Guide on Defender for Business’ Free Trial
Check out what you can do with a free trial of Defender for Business and get a jumpstart on your security suite.