Log in to the Microsoft account for the environment you are monitoring and/or responding to security alerts for.

Microsoft 365 Copilot app – Microsoft

Click sign in/account widget in the top right of the webpage.

Log in with your school or kura Microsoft account.

Once logged in to Office 365, navigate to the Security Portal by searching for ‘Security’ in the Office 365 search bar as shown below.

Click the ‘Security’ app. This will open a new tab in your browser. The new tab will load to a dashboard which looks like the one below.

It’s a good idea to bookmark this page so in future you can access the portal directly.

In the security portal, navigate to ‘Settings’ in the menu and then ‘Endpoints’.

Next select ‘General’ and then ‘Email Notifications’.

Create a notification rule with the email addresses of staff you want to be alerted.

Remember to refer to your incident response plan if you have an alert that requires you to respond.

Once logged into the Microsoft Defender for Endpoint Portal, navigate to ‘Incident & Alerts' under the 'Investigation & Response’ option in the sidebar menu.

Under this ‘Incident & Alerts' dropdown, you will see several different types of alerts. The primary ones for Defender for Endpoint Security Alerts are 'Alerts’ and 'Incidents'.

• Alerts are standalone security detections.
• Incidents are similar detections that have been grouped together. They may be alerts occurring on the same device, from the same user or appear to be similar in what is being alerted on.

In the alerts or incident pages, you’ll see a list of all alerts/incidents within the selected time period. The default is 1 week. This can be changed to different periods of 1 day to 6 months.

Clicking on an alert will open a sidebar with initial information. This side bar will include the following at the top:

• status of the alert
• severity of the alert
• state of the detected behaviour/activity.

Additionally, within the side bar will be information specific to the alert, such as the user, device involved, what the detected behaviour was and recommendations.

The buttons at the top of the sidebar are:

• Open Alert Page – this will pivot you into the full view of the alert, providing more information on the detected activity.
• Manage Alert – this will open a new sidebar, where you can set the attributes of the alert such as status, assigned to, classification and comment.

Open the ‘recommendation’ tab of the alert page, as shown below. Follow the listed actions, checking the alert ‘details' tab of the alert page for the required information.