Microsoft Tech Community

Incidents & Alerts Lacking Key Details

Brass Contributor

We're new to MS Defender 365 and are starting to look into alerts/incidents (e.g., "A user clicked through to a potentially malicious URL"), only to find that there is absolutely ZERO useful information on the Microsoft 365 Defender alert or incident page that one would expect to find for such an alert (URL, recipient of the phishing e-mail, details regarding the phishing e-mail, etc.).
Granted, we have not deployed MS Defender to endpoints but that shouldn't matter since the information can be gleaned from Exchange Online. If the service knows a user clicked a potentially malicious link, for example, why does it not list which user, which URL, which message, etc.?
Please tell me we just need to toggle something on. The service and UI can't possibly be this bad.
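The details the alert page omits (which user clicked, which URL, which message) are recorded in Microsoft 365 Defender's Advanced Hunting tables and can be joined back together per click. The query below is an added example, not part of the original post or Microsoft's own documentation; it assumes Defender for Office 365 Plan 2 (the `UrlClickEvents` table is a Plan 2 feature), that Safe Links is enabled for the affected users, and that the column names match the current schema reference in the portal (`UrlClickEvents` and `EmailEvents` are real tables; check the schema tab if a column is rejected).

```kusto
// Added example: reconstruct the missing context for
// "A user clicked through to a potentially malicious URL" alerts.
// Assumes Defender for Office 365 Plan 2 and the standard Advanced Hunting schema.
UrlClickEvents
| where Timestamp > ago(7d)
| where IsClickedThrough == true            // user proceeded past the Safe Links warning page
| where isnotempty(ThreatTypes)             // keep only URLs Safe Links had a verdict for
| project ClickTime = Timestamp, AccountUpn, Url, UrlChain, ThreatTypes,
          DetectionMethods, Workload, NetworkMessageId
// Email clicks carry the NetworkMessageId of the delivering message; Teams/Office
// clicks do not, so a left outer join keeps those rows with empty mail columns.
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(14d)
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
              Subject, DeliveryAction, DeliveryLocation,
              EmailThreatTypes = ThreatTypes
  ) on NetworkMessageId
| project ClickTime, AccountUpn, Url, ThreatTypes, DetectionMethods,
          SenderFromAddress, RecipientEmailAddress, Subject,
          DeliveryAction, DeliveryLocation, Workload, UrlChain
| order by ClickTime desc
```

Run this from Hunting > Advanced hunting and widen the `ago()` windows to cover the alert's time range. Having the sender, subject and delivery location beside each click also lets an analyst judge a Safe Links verdict on its own evidence, which matters during a false-positive wave where alert counts alone are misleading.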

2 Replies
Old news now, but see DZ534539 on the Issue History tab of the M365 admin portal Service Health leaf for the original fault and DZ534548 on the active issues list for the bad links themselves. Bear in mind that DZ534539 included alerts for known safe links so we have a mix of mostly false and some true positives in there, if my experience was representative. Still sweeping up here. 24 hours later, it seems that nothing is going to happen to the bad alerts until they age off our portals.
Thank you. I learned about the false positives after I posted but wasn't sure if the issue was attributed to the lack of data for our alerts/incidents. I'm relieved to hear that it isn't a flaw in design!