Microsoft Tech Community

Incidents/Actions need an UI overhaul


Lately, we've been receiving a few policy alerts, specifically "Malware campaign detected after delivery", which means that I, as an admin, probably should step in and take some action. This is the first time I've had to analyze this kind of information in the "Security & Compliance Center". Overall I think the UI for this kind of analysis is not very intuitive. Here are the rough steps that I took and where I think the problems are:


  • Firstly, I received the policy email alert about "Malware campaign detected after delivery". This mail includes a link to "view alert details", which leads me to "Alerts > View Alerts". There you can see the messages, and only if you look VERY CLOSELY do you notice a small text link at the bottom, "View Messages in Explorer". I've only found that link now that I'm writing this "review".
  • Unfortunately, this link only leads to the Explorer itself, and not to a filtered list of the flagged messages, even though the text link would suggest so.
  • After you manually search for the messages from your alert, you get a "narrow" list view on the bottom third of your display. My display is 27" (QHD) and I can only see 4 full message rows. That is a horrible way to select a lot of messages, especially since SHIFT-CLICK does not work.
  • After you select the wanted messages, you can create actions, which in turn create an incident.
  • I love that you as an admin can remove messages after the fact, but ...
  • Last week I created an incident where I selected multiple messages to be hard deleted. The incident status remains open. I assume I have to close it manually, in addition to manually resolving the triggered alert from above?
  • Also, the action log of that incident states that only 1 out of many selected messages is queued. What about the rest, and why is only 1 action queued for over a week with no result?
  • Today I created another incident with 73 affected messages. This time the action log is more forthcoming: with a total of 73 items, removing 22 was a success and 0 had a failure. Those numbers again don't add up; what about the rest? No information whatsoever.
