This blog post is all about alert management in M365 security solutions. Even though there are new capabilities launched to the security solutions that make security analysts’ life easier such as Microsoft Defender ATP automatic investigation and remediation you still need to manage incidents and alerts in the Microsoft 365 security solutions. This is the third blog post of the series and earlier ones can be found from site:

Setting Up The Scene – The Security Providers

What are the security providers? Security providers in Microsoft cloud are the solutions that detect threats & anomalies and create alerts (+ incidents) based on the policies and collected data. These providers send processed alerts also to the Intelligent Security Graph (ISG). At the time of writing, supported security providers in ISG are:

  • Azure Security Center (ASC)
  • Azure AD Identity Protection (IPC)
  • Microsoft Cloud App Security
  • Microsoft Defender ATP (MDATP)
  • Azure ATP (AATP)
  • Office 365
  • Azure Information Protection
  • Azure Sentinel

Internal Integrations

The picture below doesn’t cover all possible security solutions and integration scenarios, it rather gives overall understanding which solutions can be used to investigate alerts and suspicious activity in the cloud or on-premises.

The best synergy advantages come with the integrations between security solutions. In the top category are the solutions which, in my opinion, are the best ones to start the investigation.

Naturally, if Sentinel is in use it triggers the alert, and the investigation starts from there. It could also be replaced by 3rd party SIEM (Splunk, QRadar, etc). Both Sentinel and Microsoft 365 Threat Protection suite have a rich set of capabilities for investigation and contain a number of data from the user identity, device identity, and network traffic.

Microsoft 365 Security Center which contains Microsoft Threat Protection aka MTP features (launched in early 2020) is the newest addition to the toolbox. Let’s take a closer look at what it brings to the table in terms of alert management in the next chapter.

Options For Alert Management

One of the main challenges with Microsoft security solutions is that alert status is not synced across solutions. Case example could be the following:

  • You found alert in MCAS
  • Its resource provider is Azure ATP
  • You do the necessary investigation and resolve the alert in MCAS
  • The alert status still remains as “NewAlert” in Azure ATP, ISG, and new status update is not synced across the solutions

How you can address the problem? Here are a couple of options I tested (not a comprehensive list), take into account that I only tested the solutions that should be capable to handle alerts from other sources than itself only based on documentation:

  • Microsoft 365 Security Center with Microsoft Threat Protection (MTP) suite
  • Intelligent Security Graph
  • Azure Sentinel Playbooks

Microsoft Threat Protection (MTP) Suite

According to Microsoft, M365 Security Center is a new home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.

“Microsoft Threat Protection is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks”.

If your environment has proper licenses, the Microsoft Threat Protection suite can be enabled to M365 Security Center. Worth to mention is, it will be enabled automatically to all eligible tenants quite soon, read more from this here.

If you want to read more about the MTP I recommend starting from here. I do not cover MTP in general here, rather focusing on managing incidents & alerts.

Microsoft Threat Protection Suite (MTP) – Game Changer?

I have been struggling with alert management in recent months in multiple environments and it was mind-blowing to see new MTP suite capabilities in M365 Security Center which really helps for managing alerts and incidents.

In M365 Security Center there are incidents & alerts (description from

  • Incidents
    • Microsoft Threat Protection connects the dots on individual alerts. Suspicious events that show characteristics of being part of a larger attack are aggregated into an incident.
  • Alerts
    • The basis of all incidents is alert. Alerts are created when a malicious event or activity is seen on your network. Individual alerts provide valuable clues in what’s happening on individual events or entities. 

Example 1 – Microsoft Defender ATP Incident

Defender ATP incident is naturally found from “Microsoft Defender Security Center” portal.

The same incident is also found from M365 Security Center, where it can be also managed underneath “manage incident”.

When you click “manage incident” you land to the Incident page where you can find all the necessary information related to the incident. As you can see, the activity times are identical in both Security Centers.

When you resolve the incident from M365 Security Center through MTP capabilities it’s resolved from both

  • M365 Security Center aka Microsoft Threat Protection
  • Microsoft Defender Security Center

What’s happening behind the scenes…

Example 2 – Microsoft Cloud App Security Incident

In the second example, we have the MCAS incident in MTP which contains Cloud App Security alerts (MCAS doesn’t have incidents) in Microsoft Threat Protection ( portal.

The same alert is naturally found from Cloud App Security portal.

After resolving incident (which also resolves open alerts) we can see that all detections are resolved in both MTP & MCAS, just splendid:)

Example 3 – O365 Security & Compliance Center Alert

If you manage the alerts in the MTP portal you can see that the alert contains link to the detection source, to M365 Security & Compliance Center in this case.

Here is a slight difference to earlier examples (to incident management), the alerts cannot be modified in the MTP portal. On the alert page, there is a link to the O365 Security & Compliance portal where alert needs to be managed.

When you resolve the alert from O365 Security & Compliance Center, the alert status will be synced to MTP. Again, this a brilliant feature which I have been missing a lot.

Intelligent Security Graph

According to Microsoft: to be successful with threat intelligence, you must have a large diverse set of data and you have to apply it to your processes and tools.

The data sources include specialized security sources, insights from dark markets (criminal forums), and learning from incident response engagements. Key takeaways from the slide:

  • Products send data to graph
  • Products use Interflow APIs to access results
  • Products generate data which feeds back into the graph
Picture from Microsoft CISO series workshop

In later blog posts, I will dig more deeply into the Security Graph features. At the time of writing, the following solutions are providers to the ISG (GET & PATCH):

  • Azure Security Center (ASC)
  • Azure AD Identity Protection (IPC)
  • Microsoft Cloud App Security (MCAS)
  • Microsoft Defender ATP (MDATP)
  • Azure ATP (AATP)
  • Office 365
  • Azure Information Protection
  • Azure Sentinel

With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph Security API by updating your alerts entity.

Support for GET alerts, PATCH alerts (updates are available via the Microsoft Graph Security API but might not be exposed in the provider’s management experience).

Note: Unfortunately, it seems that alert status is not synced back from ISG to the security solution itself which means that even you updated the alert status in ISG it will remain open in the ISG providers (Identity Protection, Cloud App Security etc.). I tested with the following security solutions:

  • Azure Sentinel
  • Azure Security Center
  • Microsoft Cloud App Security
  • Microsoft Defender ATP
  • Azure AD Identity Protection

Azure Sentinel Playbooks

With Azure Sentinel Playbooks and SOAR capabilities, there is a possibility to manage incidents and alerts through security solution API’s. In such scenario, you most propably need quite many Playbooks and lots of planning to build integrations which fit to your scenario.

Below is one example, where:

  • Alert provider is Azure Security Center
  • Azure Sentinel Playbook (Logic Apps) is used to close incident from Sentinel and Azure Security Center
  • Playbook template “Close-Incident-ASCAlert” is used created by @SwiftSolves


I was stunned in a positive way to realize M365 and MTP suite capabilities in incident & alert management. There are still some gaps but most probably M365 MTP suite development pace is staggering as with many other products.

I have seen scenarios where alerts are integrated and managed directly with the security solution API. Totally doable but not covered in this blog post. I will address API’s in later posts.

Until next time!