Lately, we've been receiving a few policy alerts, specifically "Malware campaign detected after delivery", which means that I, as an admin, probably should step in and take some action. This is the first time I had to analyze this kind of information in the "Security & Compliance Center". Overall I think the UI for this kind of analysis is not very intuitive. Here are the rough steps that I took and where I think the problems are:
Firstly I received the policy email alert about "Malware campaign detected after delivery". This mail includes a link to "view alert details" which leads me to "Alerts > View Alerts". There you can see the messages, and only if you look VERY CLOSELY do you notice a small text link at the bottom: "View Messages in Explorer". I've only found that link now that I'm writing this "review".
Unfortunately this link only leads to the Explorer itself, and not to a filtered list of the flagged messages, even though the text link would suggest so.
After you manually search for the messages from your alert, you get a "narrow" list view on the bottom third of your display. My display is 27" (QHD) and I can only see 4 full message rows. That is a horrible way to select a lot of messages, especially since SHIFT-CLICK does not work.
After you select the wanted messages you can create actions, which in turn create an incident.
I love that you as an admin can remove messages after the fact, but ...
Last week I created an incident where I selected multiple messages to be hard deleted. The incident status remains open. I assume I have to close it manually, in addition to manually resolving the triggered alert from above?
Also the action log of that incident states that only 1 out of many selected messages is queued. What about the rest and why is only 1 action queued for over a week with no result?
Today I created another incident with 73 affected messages. This time the action log is more forthcoming, with a total of 73 items: removing 22 was a success and 0 had a failure. Those numbers again don't add up; what about the rest? No information whatsoever.