Windows Defender Admin Portal Guide

Created by Liam Davids, Modified on Mon, 8 Apr, 2024 at 11:13 AM by Liam Davids



Medium and High alerts are the most severe and urgent alerts: they indicate possible threat activity or compromise in your environment, and they require immediate attention and response from security operators and admins.

To view and manage high alerts, you need to go to the Microsoft Defender portal at security.microsoft.com and sign in using an account with the appropriate role assigned.

You can access various security portals from the Microsoft Defender portal by selecting More resources in the navigation pane.

On the Microsoft Defender portal, you can see the current set of alerts under Incidents & alerts > Alerts. You can filter the alerts by severity, status, service sources, entities, and automated investigation state. You can also sort the alerts by date, severity, or status.

To see the main alert page, select the name of the alert. The alert page shows the alert story, which is the chain of events and alerts related to this alert in chronological order, and the summary details, which include the alert ID, severity, status, category, description, affected entities, and more.

You can manage alerts by selecting the ellipses (…) beside any entity or alert to see available actions, such as linking the alert to another incident, changing the alert status, assigning the alert to someone, adding comments, or dismissing the alert.

You can also create alert policies and email notifications to customize how alerts are generated and sent to you. To create alert policies, go to Email & collaboration > Policies & rules > Alert policy. To create email notifications, go to Settings > Endpoints > General > Email notifications.


Screenshots of the Microsoft Defender administration portal (images not reproduced here): the Microsoft Defender portal homepage, the main alert page, the alert policy page, and the email notifications page.


To edit an alert, you need to select the alert from the Alerts queue or the Alerts tab of the Device page. This will open the Alert management pane, where you can see the details and actions for the alert. You can link the alert to another incident, assign the alert to someone, change the alert status, add comments, or dismiss the alert by selecting the ellipses (…) beside the alert or the entity.

To resolve an alert, you need to change its status to Resolved. You can do this by selecting the ellipses (…) beside the alert and choosing Change status > Resolved. You can also select multiple alerts and resolve them in bulk by selecting the checkbox beside each alert and choosing Change status > Resolved from the top menu.
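The alert queue filter, sort and status-change actions described above can also be driven from a script. The following is an added example, not code from this article or from Microsoft: it assumes the Microsoft Graph Security API (`/security/alerts_v2`) and an access token with the SecurityAlert.ReadWrite.All permission supplied by the caller, and the sample alerts are constructed for the demo. The filter and sort run offline on the sample data; only `patch_alert` talks to Graph.

```python
"""Triage of Medium/High alerts the way the portal's Alerts queue does it.

Added example for this article, not code from the article or from Microsoft.
It assumes the Microsoft Graph Security API (/security/alerts_v2) and an
access token with SecurityAlert.ReadWrite.All supplied by the caller; the
sample alerts below are constructed for the demo, not real tenant data.
"""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts_v2"

# The portal filter "severity = Medium or High, status = New", as OData.
TRIAGE_FILTER = "(severity eq 'high' or severity eq 'medium') and status eq 'new'"

# Ordering used by the queue's "sort by severity" view.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0}

# Constructed sample of what alerts_v2 returns (trimmed to the fields used here).
SAMPLE_ALERTS = [
    {"id": "alert-001", "title": "Suspicious PowerShell command line", "severity": "high",
     "status": "new", "createdDateTime": "2024-04-01T08:00:00Z"},
    {"id": "alert-002", "title": "Unfamiliar sign-in properties", "severity": "medium",
     "status": "new", "createdDateTime": "2024-04-02T09:00:00Z"},
    {"id": "alert-003", "title": "Low-reputation URL clicked", "severity": "low",
     "status": "new", "createdDateTime": "2024-04-03T09:30:00Z"},
    {"id": "alert-004", "title": "Malware detected", "severity": "high",
     "status": "resolved", "createdDateTime": "2024-04-03T09:45:00Z"},
    {"id": "alert-005", "title": "Credential dumping attempt", "severity": "high",
     "status": "new", "createdDateTime": "2024-04-03T10:00:00Z"},
]


def list_alerts_url(filter_expr=TRIAGE_FILTER):
    """URL equivalent of Incidents & alerts > Alerts with the severity/status filter set."""
    query = urllib.parse.urlencode({"$filter": filter_expr, "$orderby": "createdDateTime desc"})
    return f"{GRAPH_ALERTS}?{query}"


def triage(alerts):
    """Keep alerts that are Medium/High and still New: most severe first, newest first within a severity."""
    keep = [a for a in alerts if a.get("severity") in ("high", "medium") and a.get("status") == "new"]
    # ISO-8601 timestamps in the same format sort correctly as strings.
    return sorted(keep, key=lambda a: (SEVERITY_RANK[a["severity"]], a["createdDateTime"]), reverse=True)


def status_change(status, assigned_to=None):
    """Body for PATCH /security/alerts_v2/{id}: the portal's Change status and Assign actions."""
    if status not in ("new", "inProgress", "resolved"):
        raise ValueError(f"unsupported alert status: {status}")
    body = {"status": status}
    if assigned_to:
        body["assignedTo"] = assigned_to  # UPN of the analyst taking the alert
    return body


def bulk_resolve(alerts):
    """Bulk 'Change status > Resolved': one PATCH body per selected alert id."""
    return {a["id"]: status_change("resolved") for a in alerts}


def patch_alert(alert_id, body, token):
    """Send one status change to Graph (network call; not exercised by the offline demo)."""
    req = urllib.request.Request(
        f"{GRAPH_ALERTS}/{alert_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(list_alerts_url())
    for a in triage(SAMPLE_ALERTS):
        print(a["severity"], a["createdDateTime"], a["id"], a["title"])
    print(json.dumps(bulk_resolve(triage(SAMPLE_ALERTS)), indent=2))
```

Resolving alerts in bulk from a script bypasses the per-alert review the portal encourages, so `bulk_resolve` is best fed only the alerts an analyst has already looked at, not the whole triage result.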

To create a suppression rule for an alert, go to Settings > MS Defender XDR > Alert Tuning. This opens a dialog box where you specify the context and the conditions for the suppression rule. You can choose to suppress the alert or to resolve it automatically, and to apply the rule on this device only or in your entire organization. You can also choose to match the alert title, the indicator of compromise, or both. Once you create the suppression rule, it applies to future alerts that match the criteria.
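The scope and match choices in the Alert Tuning dialog decide how far a rule reaches. The following is an added example, not code from this article and not Microsoft's implementation: it models those choices (this device only or the entire organization; match on title, indicator, or both; suppress or resolve automatically) so a rule can be checked against past alerts before it is saved. The rules, alerts and indicator values are constructed placeholders, and "first matching rule wins" is an assumption of the model.

```python
"""Model of the scope and match conditions of an alert suppression rule.

Added example for this article; not Microsoft's implementation, only a model
of the choices the Alert tuning dialog offers (scope: this device only or the
whole organisation; match on alert title, indicator of compromise, or both;
action: suppress or resolve automatically) so that the reach of a rule can be
checked against past alerts before it is saved. Rules and alerts are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SuppressionRule:
    name: str
    title: Optional[str] = None       # alert title to match, or None
    indicator: Optional[str] = None   # IoC (hash, IP, URL, ...) to match, or None
    device_id: Optional[str] = None   # set => "this device only"; None => entire organisation
    action: str = "suppress"          # "suppress" (never shown) or "resolve" (created, then auto-resolved)

    def matches(self, alert):
        """True when every condition of the rule holds for this alert (title AND indicator when both set)."""
        if self.title is None and self.indicator is None:
            raise ValueError(f"rule {self.name!r} has no condition and would silence everything")
        if self.device_id is not None and alert["device_id"] != self.device_id:
            return False  # out of scope for a device-only rule
        if self.title is not None and alert["title"] != self.title:
            return False
        if self.indicator is not None and self.indicator not in alert.get("indicators", ()):
            return False  # also covers alerts that carry no indicator at all
        return True


def apply_rules(alerts, rules):
    """Outcome per alert id: 'shown', 'suppressed' or 'auto-resolved'. First matching rule wins (assumption)."""
    outcome = {}
    for alert in alerts:
        outcome[alert["id"]] = "shown"
        for rule in rules:
            if rule.matches(alert):
                outcome[alert["id"]] = "suppressed" if rule.action == "suppress" else "auto-resolved"
                break
    return outcome


def blast_radius(rule, past_alerts):
    """How many historical alerts the rule would have matched: review this before saving an org-wide rule."""
    return sum(1 for a in past_alerts if rule.matches(a))


# Constructed sample data (placeholder device ids and indicator values, not real IoCs).
ALERTS = [
    {"id": "a1", "device_id": "dev-A", "title": "Suspicious PowerShell command line", "indicators": []},
    {"id": "a2", "device_id": "dev-B", "title": "Suspicious PowerShell command line", "indicators": []},
    {"id": "a3", "device_id": "dev-A", "title": "Malware detected", "indicators": ["sha256:PLACEHOLDER"]},
    {"id": "a4", "device_id": "dev-B", "title": "Malware detected", "indicators": ["sha256:PLACEHOLDER"]},
    {"id": "a5", "device_id": "dev-A", "title": "Malware detected", "indicators": ["sha256:OTHER"]},
]

RULES = [
    # Organisation-wide, title only: hides this alert on every device.
    SuppressionRule("noisy-ps-script", title="Suspicious PowerShell command line"),
    # This device only, title and indicator both required: auto-resolve on dev-A alone.
    SuppressionRule("known-tool-dev-A", title="Malware detected", indicator="sha256:PLACEHOLDER",
                    device_id="dev-A", action="resolve"),
]

if __name__ == "__main__":
    for alert_id, result in apply_rules(ALERTS, RULES).items():
        print(alert_id, result)
    for rule in RULES:
        print(rule.name, "would have matched", blast_radius(rule, ALERTS), "past alerts")
```

The sample shows the two effects worth checking before saving a rule: the organisation-wide title rule silences the PowerShell alert on every device, while the device-scoped rule leaves the same detection visible on dev-B and on dev-A when the indicator differs.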


More screenshots of the Microsoft Defender administration portal (images not reproduced here): the Alert management pane and the Alert Tuning dialog box.


Isolate a Device

Open the Microsoft Defender for Business portal. 

Navigate to Assets and click on Devices.

Check the box next to the machine you want to isolate.

At the top of the page, select the ellipsis (three dots) and choose Contain device.


Run Antivirus Scans

You have two options for running scans:


Microsoft Intune Admin Center

Sign in to the Microsoft Intune admin center.

From the sidebar, select Devices > All devices.

Choose the specific device you want to scan.

Click More and select either Quick Scan (recommended) or Full Scan.


Microsoft Defender Portal

Sign in to the Microsoft Defender portal.

Go to the device page for the target device.

Click on the ellipsis (three dots).

Select Run Antivirus Scan.

Choose either Quick Scan or Full Scan.

Add a comment if needed.
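The isolate and antivirus-scan actions above are also exposed as machine actions in the Microsoft Defender for Endpoint API. The following is an added example, not code from this article or from Microsoft: it assumes the machine-actions endpoints at api.securitycenter.microsoft.com and an access token with the Machine.Isolate and Machine.Scan permissions supplied by the caller. Machine ids and comments are constructed placeholders; building and validating the requests runs offline, and only `send` makes a network call.

```python
"""Device response actions (isolate, antivirus scan) via the Defender for Endpoint API.

Added example for this article, not code from the article or from Microsoft.
It assumes the Microsoft Defender for Endpoint machine-actions API
(api.securitycenter.microsoft.com) and an access token with the Machine.Isolate
and Machine.Scan permissions supplied by the caller. Machine ids and comments
below are constructed placeholders.
"""
import json
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"

ISOLATION_TYPES = ("Full", "Selective")  # Selective exempts some Microsoft 365 apps, e.g. Outlook and Teams
SCAN_TYPES = ("Quick", "Full")


def _action(machine_id, action, body):
    """Every response action is a POST to /machines/{id}/{action} and must carry a Comment (audit trail)."""
    if not machine_id:
        raise ValueError("machine id is required")
    if not body.get("Comment", "").strip():
        raise ValueError("a comment is required so the action is attributable in the action center")
    return f"{MDE_API}/machines/{machine_id}/{action}", body


def isolate_request(machine_id, comment, isolation_type="Full"):
    """Portal equivalent of the isolate action on a device. Returns (url, JSON body)."""
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"isolation type must be one of {ISOLATION_TYPES}")
    return _action(machine_id, "isolate", {"Comment": comment, "IsolationType": isolation_type})


def release_request(machine_id, comment):
    """Portal equivalent of Release from isolation."""
    return _action(machine_id, "unisolate", {"Comment": comment})


def av_scan_request(machine_id, comment, scan_type="Quick"):
    """Portal equivalent of device page > ellipsis > Run Antivirus Scan > Quick or Full."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan type must be one of {SCAN_TYPES}")
    return _action(machine_id, "runAntiVirusScan", {"Comment": comment, "ScanType": scan_type})


def send(url, body, token):
    """Submit the action (network call; not exercised offline). The API answers with a machine action record."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    machine = "MACHINE-ID-PLACEHOLDER"
    for url, body in (
        isolate_request(machine, "Incident INC-PLACEHOLDER: contain suspected credential theft"),
        av_scan_request(machine, "Incident INC-PLACEHOLDER: confirm cleanup", "Full"),
    ):
        print("POST", url, json.dumps(body))
```

The comment is enforced before anything is sent because the API rejects actions without one and, more usefully, because the comment is what a reviewer sees later in the action center when reconstructing who isolated a device and why.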
