Security Alerts
Monitor and respond to security alerts from Microsoft 365 Defender, Azure AD Identity Protection, and other Microsoft security services. Alerts indicate potential security incidents requiring investigation.
Alert Dashboard
- 8 — High Severity
- 23 — Medium Severity
- 47 — Low Severity
- 156 — Informational
Alert List
| Column | Description |
|---|---|
| Severity | High, Medium, Low, Informational |
| Title | Alert name and brief description |
| Status | New, In Progress, Resolved |
| Category | Alert category (Malware, Phishing, etc.) |
| Source | Which service generated the alert |
| Affected Entity | User, device, or resource involved |
| Created | When the alert was generated |
| Assigned To | Analyst handling the alert |
Alert Sources
Microsoft Defender for Endpoint
Alerts from endpoint detection and response. Malware, suspicious behavior, lateral movement, and persistence techniques.
Tags: Malware, Suspicious Activity, Ransomware
Microsoft Defender for Office 365
Email-based threats. Phishing campaigns, malicious attachments, BEC attempts, and Safe Links/Attachments detections.
Tags: Phishing, Malware, BEC
Azure AD Identity Protection
Identity-based risks. Leaked credentials, impossible travel, anonymous IP, malware-linked IPs, and suspicious sign-in patterns.
Tags: Compromised User, Risky Sign-in
Microsoft Defender for Cloud Apps
Cloud app security alerts. Suspicious OAuth apps, mass downloads, impossible travel, and data exfiltration patterns.
Tags: Data Exfiltration, Risky OAuth
Microsoft Defender for Identity
On-premises AD threats. Credential theft, reconnaissance, lateral movement, and domain dominance attempts.
Tags: Pass-the-Hash, Reconnaissance
Alert Severity
- High — Active threat requiring immediate response. Active malware, confirmed compromise, ongoing attack. Investigate within 1 hour.
- Medium — Potential threat requiring investigation. Suspicious behavior, policy violations, risky sign-ins. Investigate within 24 hours.
- Low — Minor issues or noise. May indicate reconnaissance or false positives. Review during normal operations.
- Informational — Awareness only. Normal activity flagged for visibility. No action typically required.
Alert Investigation
- Review Alert Details — Understand what triggered the alert, affected entities, and timeline.
- Check Related Alerts — Look for correlated alerts that may indicate a broader attack.
- Examine Evidence — Review logs, files, processes, and network activity.
- Determine Scope — Identify all affected users, devices, and data.
- Take Action — Contain threat, remediate, and document findings.
Alert Status
- New — Alert hasn’t been reviewed yet.
- In Progress — Alert is being investigated.
- Resolved — Investigation complete, issue addressed.
- Dismissed — False positive or not actionable.
Response Actions
Take action directly from alert details:
User Actions
- Reset password
- Revoke sessions
- Block sign-in
- Require MFA re-registration
- Mark user as compromised
Device Actions
- Isolate device
- Run antivirus scan
- Collect investigation package
- Restrict app execution
- Initiate investigation
API Reference
- GET /api/security/alerts — List security alerts with filters
- GET /api/security/alerts/:id — Get alert details
- PATCH /api/security/alerts/:id — Update alert status
- POST /api/security/alerts/:id/comments — Add investigation notes
- GET /api/security/alerts/statistics — Get alert counts by severity/category
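As an added example (not code from this product or its API), the following Python helper applies the investigation deadlines from the Alert Severity section (High within 1 hour, Medium within 24 hours) to a list of alerts as one might receive from GET /api/security/alerts, and returns the open alerts that have exceeded their deadline. The JSON field names (id, severity, status, source, created) and the sample alerts are assumptions, since the page does not document the response schema.

```python
"""Triage helper: flag open alerts that have exceeded the page's investigation SLA."""
from datetime import datetime, timedelta

# Deadlines stated on the page. Low and Informational have no fixed deadline
# ("review during normal operations"), so they are never flagged.
SLA = {"High": timedelta(hours=1), "Medium": timedelta(hours=24)}

# Statuses that still count as open work; Resolved and Dismissed are ignored.
OPEN_STATUSES = {"New", "In Progress"}

# Constructed sample of what GET /api/security/alerts might return.
# Field names are assumptions; the real schema is not documented on the page.
SAMPLE_ALERTS = [
    {"id": "a1", "severity": "High", "status": "New",
     "source": "Microsoft Defender for Endpoint", "created": "2024-05-01T10:00:00Z"},
    {"id": "a2", "severity": "High", "status": "In Progress",
     "source": "Azure AD Identity Protection", "created": "2024-05-01T11:30:00Z"},
    {"id": "a3", "severity": "Medium", "status": "New",
     "source": "Microsoft Defender for Office 365", "created": "2024-04-30T09:00:00Z"},
    {"id": "a4", "severity": "Medium", "status": "Resolved",
     "source": "Microsoft Defender for Cloud Apps", "created": "2024-04-29T09:00:00Z"},
    {"id": "a5", "severity": "Low", "status": "New",
     "source": "Microsoft Defender for Identity", "created": "2024-04-20T09:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' many APIs emit for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def overdue_alerts(alerts, now_iso):
    """Return (id, severity, hours_overdue) for open High/Medium alerts past their SLA.

    Ordered High before Medium, then most overdue first, so the list can be
    worked top to bottom.
    """
    now = parse_ts(now_iso)
    result = []
    for alert in alerts:
        deadline = SLA.get(alert["severity"])
        if deadline is None or alert["status"] not in OPEN_STATUSES:
            continue
        overdue = now - parse_ts(alert["created"]) - deadline
        if overdue > timedelta(0):
            result.append((alert["id"], alert["severity"], overdue.total_seconds() / 3600))
    result.sort(key=lambda r: (r[1] != "High", -r[2]))
    return result


if __name__ == "__main__":
    for alert_id, severity, hours in overdue_alerts(SAMPLE_ALERTS, "2024-05-01T12:00:00Z"):
        print(f"{alert_id} ({severity}) is {hours:.1f} h past its investigation deadline")
```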