How do I use Microsoft 365 Security?

Overview of Tabs in 365 Security

This article provides details on each section of the Microsoft 365 Security interface.

Table of Contents


You will see the Home tab first when you log into 365 security. This has a set of ‘cards’ which by default are all active. These ‘cards’ give an overview of the health of your assets.

These cards include:

  • Threat Analytics shows active threats and alerts for those threats
  • Simulation allows you to run a simulation of threat hunting
  • Intelligence Feed shows you the most recent tweets from Microsoft Security Intelligence
  • Active Incidents shows the most recent active incidents
  • Device Health shows current active devices and any potential misconfigurations


The Incidents screen shows a list of current identified incidents that need investigation. Basic information, including severity and what services are impacted are listed.

Select an incident for a more detailed view. In the more detailed view, you can further investigate this incident.

The Summary page gives you a detailed summary of the threat, including what devices are impacted, a timeline of events related to that threat, and tags for easy organization.

The Alerts tab shows you all the alerts related to this incident, including those that may have already been solved by 365 Security automatically. This is a full view of everything that has happened in relation to this incident.

The Devices tab shows what specific devices are impacted by this incident and you can click on each device to get more details on these devices.

The Users tab is similar to the device tab but also includes the Investigation Priority column which shows a quick idea of what users are most risky with this particular incident.

In the Mailbox tab, you can click on a potentially impacted mailbox and see more details on each mailbox.

The Investigations tab lists the status of each investigation that generated an alert in 365 Security. Here you can view and sort all current and previous investigations. Click on an investigation for more details, including who last took action on the investigation.

The Evidence tab shows a summary of the evidence that has been investigated. Each entry is separated into the categories of Remediated, Malicious, Suspicious, and unremediated. Click on an evidence type to see more details on what is included in that category. Then click on the details for even more detailed summary of a single piece of evidence, this also includes a button labeled “Go Hunt”, click on this to make a custom hunting query.

Several of these incidents will be automatically remediated by Threat Protection. Once you’ve looked over the incident you can go to the Manage Incident button on the top right of the summary and toggle the Resolve Incident, then saving the incident.



This screen lists all the known security alerts. These differ from incidents in that they are part of the building block that make up an incident. An Alert is often part of an Incident, but not all alerts will be contained in Incidents, some are separate entities. The list is set up very similarly to the Incidents list and allows you an overview of potential security incidents.

Click on an alert to see detailed information on the specific alert, assets affected by the alert, and actions taken on the alert and an option to link the alert to an incident, assign to a user to investigate, or create a rule to automatically resolve/remediate this alert.

You will also see on this screen the ‘Alert Story’ which gives you a flow of what devices and accounts are affected and get quick details on each of these all on one page.


Advanced Hunting

In the Advanced Hunting tab you can create queries to investigate your assets and find threats. When you select Advanced Hunting you will see a list of the Schemas you can use to begin your query.

Each schema contains the data you can use to build a query. The Get Started page has some example queries you can use to search your data for specific events. The query tab lets you start building your query, or you can scroll down on the left and find queries that have been made by Microsoft or the Community and shared. Once you’ve built a query and found data, you can create a Detection Rule by clicking on the “Create Detection Rule” in the upper right hand corner of the query page. Here you can set what happens when a rule is detected, and how often this query is run. The Detection Rules also appear here.

An example query that looks for senders of emails that have been identified as malware would be:

//Find who sent emails identified with malware.


|where MalwareFilterVerdict == “Malware”

| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, MalwareFilterVerdict, MalwareDetectionMethod

This is built on the Kusto query language and more information on the hunting query language can be found at:


Action Center

The Action center provides a unified experience for remediation actions and an audit log. The Action center enables your security operations team to approve pending remediation actions and to remediate impacted assets. You can also review approved actions in an audit log. The Action center brings all this together across Microsoft Threat Protection security workloads.

In the History Tab you will see all remediation actions completed on assets, this includes manual and automation remediation. From here you can undo a remediation to add that asset back to the alert or incident it was a part of.


Device Inventory

This module gives you a full listing of the device assets you are designated as owner. Click on an asset to see detailed information on its exposure level, as well as current and past alerts for this device. You can click in the context menu to get more detailed information on the device, add or remove tags, isolate the device from the network, run an antivirus scan, start an automated investigation, or raise and lower the value of the device.


Vulnerability Management

The vulnerability management tool is your place to look specifically at threats to your system, as opposed to looking at devices that may be vulnerable. Here you see what is causing these vulnerabilities and are given recommendations on how best to approach them.

When you first log in to Vulnerability Management in Microsoft 365 Security, you will see the dashboard. Here you get an overview of your overall health when it comes to vulnerabilities. There are several cards here that show a quick overview of analytics such as:

  • Exposure Score which rates how vulnerable your entire unit is on a scale of 1-100
  • Microsoft Secure Score for Devices gives you percentage and score based on the collective security configuration of all devices and software on those devices
  • Device Exposure Distribution shows how many devices you have that are considered ‘easy’ targets
  • Top Events which shows recent articles written about new vulnerabilities and how many devices you have impacted by these new events
  • Top Remediation Activities tracks what remediation, if any, has been taken to remedy vulnerabilities
  • Top Vulnerable Software displays what software you have installed and on how many devices that software is vulnerable.
  • Top Exposed Devices gives a listing of devices and shows how many vulnerabilities these have, this displays the top 3 for number of vulnerabilities.
  • Top Security Recommendations gives you a quick look, based on overall impact of each, of what Windows 365 Security thinks are the best remediations to take first, in order to impact the most devices.

The Recommendations tab gives a full list of all the threats and the number of devices effected by those threats, with a recommendation on each with how best to resolve them.

Remediation gives you a complete listing of all the remediation activities that have been taken to resolve threats. Click on one for more detailed information including who did it, and when it was done.

Software Inventory shows all the software detected on devices in your network and gives each a threat score. Click on one for details including how many devise this is installed on, and on how many of those this software is exposed.

Weaknesses has a list of CVEs that are currently affecting your system and shows you how many devices you have that are currently exposed to those CVEs. Click on one for a more detailed explanation of what this CVE is, and has a link to take you to a recommendation related to this CVE.

The Event Timeline shows you when certain vulnerabilities in a specified amount of time (default is 90 days) were detected. This shows the initial number impacted devices as well as the current number.


Article ID: 2169
Fri 3/5/21 2:38 PM
Thu 3/11/21 10:54 AM