Use Microsoft 365 Defender to manage incidents and alerts from Microsoft Defender for Office 365

Zaid Shaikh, Technical Support Engineer Azure/Office 365

In Microsoft 365 Defender, an incident is a collection of correlated alerts and associated data that describes the full story of an attack. The Incidents page in Microsoft 365 Defender at https://security.microsoft.com/incidents-queue natively integrates and correlates Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of those investigations. This page is referred to below as the Incidents queue.


Alerts, investigations, and related data from Defender for Office 365 are correlated automatically. When a relationship is found, the system creates an incident so that security teams have visibility into the whole attack.

We strongly recommend that SecOps teams manage incidents and alerts from Defender for Office 365 in the Incidents queue at https://security.microsoft.com/incidents-queue. This approach has the following benefits:

· Multiple management options:

  · Prioritization

  · Filtering

  · Classification

  · Tag management

  You can take incidents directly from the queue or assign them to someone. Comments and comment history help track progress.

· If the attack also involves other workloads protected by Microsoft Defender (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps), the related alerts, investigations, and their data are linked to the same incident.

· You do not need to write complex correlation logic; the system provides it.

· If the built-in correlation logic does not meet your needs, you can create new incidents or add alerts to existing ones.

· Incidents are updated automatically with related Defender for Office 365 alerts, AIR investigations, and pending actions from those investigations.

· If the AIR investigation finds no threat, the system automatically resolves the related alerts. An incident's status changes to Resolved once all of its alerts have been resolved.

· Related evidence and response actions are gathered automatically on the incident's Evidence and Response tab.

· Security team members can respond to incidents directly. For example, they can remove suspicious Inbox rules from mailboxes or soft-delete email messages from mailboxes.

· Email actions are recommended only when the malicious email's latest delivery location is a cloud mailbox.

· Pending email actions are updated based on the latest delivery location. The status shows whether a manual action has already been taken to remediate the email.
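As an added example (not part of this article or of Microsoft's own documentation), the script below performs the queue operations listed above (filtering to Defender for Office 365 incidents, prioritization by severity, assignment, tagging, classification) through the Microsoft Graph security incidents API. The sample incidents are constructed, and the analyst address, tag name and bearer token are placeholders.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/security/incidents"
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "informational": 3, "unknown": 4}
O365 = "microsoftDefenderForOffice365"  # serviceSource value carried by a Graph alert

# Constructed sample: a trimmed-down response to GET .../incidents?$expand=alerts
SAMPLE_INCIDENTS = [
    {"id": "1001", "severity": "medium", "status": "active", "customTags": [],
     "createdDateTime": "2023-05-02T09:00:00Z",
     "alerts": [{"serviceSource": O365}, {"serviceSource": "microsoftDefenderForEndpoint"}]},
    {"id": "1002", "severity": "high", "status": "active", "customTags": ["Demo"],
     "createdDateTime": "2023-05-02T10:00:00Z",
     "alerts": [{"serviceSource": "microsoftDefenderForIdentity"}, {"serviceSource": O365}]},
    {"id": "1003", "severity": "low", "status": "resolved", "customTags": [],
     "createdDateTime": "2023-05-01T08:00:00Z", "alerts": [{"serviceSource": O365}]},
]

def office365_incidents(incidents):
    """Filtering: open incidents that carry at least one Defender for Office 365 alert."""
    return [i for i in incidents if i["status"] != "resolved"
            and any(a.get("serviceSource") == O365 for a in i.get("alerts", []))]

def prioritize(incidents):
    """Prioritization: highest severity first, oldest first within the same severity."""
    return sorted(incidents,
                  key=lambda i: (SEVERITY_RANK.get(i["severity"], 9), i["createdDateTime"]))

def triage_body(incident, assignee, tag, classification=None, determination=None):
    """Assignment, tagging and classification as one PATCH payload; existing tags are kept."""
    body = {"assignedTo": assignee,
            "customTags": sorted(set(incident.get("customTags") or []) | {tag})}
    if classification:  # e.g. truePositive with a determination such as phishing
        body["classification"] = classification
        body["determination"] = determination or "unknown"
    return body

def apply_triage(incident_id, body, token):
    """PATCH the incident in Graph (needs SecurityIncident.ReadWrite.All); not run offline."""
    req = urllib.request.Request(
        f"{GRAPH}/{incident_id}", data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Running `prioritize(office365_incidents(SAMPLE_INCIDENTS))` puts the high-severity incident 1002 ahead of 1001 and drops the resolved 1003; `apply_triage` is only needed against a real tenant.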

Recommended actions are created only for email and email clusters that are determined to be the most critical threats:

· Malware

· High confidence phishing

· Malicious URLs

· Malicious files

Manage incidents on the Incidents page in the Microsoft 365 Defender portal at https://security.microsoft.com/incidents-queue:

Manage incidents on the Incidents page in Microsoft Sentinel at

Respond to email:

Using Defender for Office 365 features, security teams can respond to email in several ways. You can take the following actions on email:

  • Move to Inbox
  • Move to Junk
  • Move to Deleted Items
  • Soft delete
  • Hard delete

The history of Defender for Office 365 actions is available on the History tab in the unified Action center, and actions are seamlessly integrated into the hunting experiences.

The most efficient course of action is to use the built-in integration with Incidents in Microsoft 365 Defender. On the Evidence and Response tab of an incident in Microsoft 365 Defender, you can simply approve the actions that AIR recommended. This approach is recommended for the following reasons:

  • You investigate the full attack story.
  • You benefit from the built-in correlation with Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.
  • You respond to email from a single location.

You can also respond to email based on the outcome of a manual investigation or hunting activity. Security team members can use Threat Explorer to respond to any email that is still present in cloud mailboxes, including messages sent by users within your organisation (intra-org). Threat Explorer data is available for the previous 30 days.

Professional Labs is the premier cloud managed service provider in Qatar. Contact us for more information