AD5 — Security Monitoring and Alert Triage

5-6 hours · Module 5 · Free

You've deployed four security layers: identity, email, devices, and data. Each one generates alerts, logs, and metrics. But deploying controls and monitoring them are different activities. A Conditional Access policy that blocks an AiTM token replay leaves a blocked sign-in entry in the Entra sign-in log. A Safe Links click on a phishing URL raises an alert in the Defender portal. A DLP policy match shows up as an entry in Activity Explorer. A non-compliant device appears in Intune's device compliance report. If nobody checks these signals, the controls are working but nobody knows it, and the one time a control fails, nobody notices until the damage is done.

This module builds the monitoring cadence that turns deployed controls into a security program: the 15-minute Monday morning review that checks sign-ins, email threats, device health, and data protection in one pass. You'll learn to navigate the Defender portal incident queue, read the attack story that incidents tell, classify alerts correctly (true positive, false positive, benign true positive), configure notifications so the important alerts come to you, and use Secure Score as a weekly health check that validates your controls are still active.

The result: your security program is not just deployed — it's watched. You catch issues before they become incidents, and you catch incidents before they become breaches.
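The sign-in log review described above is the part of the Monday pass that is easiest to automate. What follows is an added example, not course material, that runs three of the checks from that review over a constructed JSON-shaped extract of the Entra sign-in log (the same fields a Graph /auditLogs/signIns export carries: userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, conditionalAccessStatus, riskLevelDuringSignIn). The sample records, the per-user country baseline and the failure threshold are assumptions made for the example; the error codes are the real AADSTS values.

```python
"""Added example: a weekly sign-in log triage over constructed Entra ID records.
Not course material; the records, baseline and thresholds are assumptions."""
from collections import defaultdict

ERR_SUCCESS = 0
ERR_BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
ERR_CA_BLOCKED = 53003     # AADSTS53003: blocked by a Conditional Access policy


def _rec(ts, user, ip, country, code, ca="notApplied", risk="none"):
    """Build one record in the shape of a Graph signIn resource (constructed)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code},
            "conditionalAccessStatus": ca, "riskLevelDuringSignIn": risk}


# Constructed sample week, not real tenant data.
SIGNINS = (
    # dana: six bad passwords from one foreign IP, then a success from the same IP
    [_rec(f"2024-06-03T02:{10 + 2 * i:02d}:00Z", "dana@contoso.example",
          "203.0.113.7", "RO", ERR_BAD_PASSWORD) for i in range(6)]
    + [_rec("2024-06-03T02:40:00Z", "dana@contoso.example", "203.0.113.7", "RO",
            ERR_SUCCESS, ca="success", risk="medium")]
    # pat: two typos then a success from the usual country (should not be flagged)
    + [_rec("2024-06-03T08:01:00Z", "pat@contoso.example", "192.0.2.5", "US", ERR_BAD_PASSWORD),
       _rec("2024-06-03T08:02:00Z", "pat@contoso.example", "192.0.2.5", "US", ERR_BAD_PASSWORD),
       _rec("2024-06-03T08:03:00Z", "pat@contoso.example", "192.0.2.5", "US", ERR_SUCCESS, ca="success")]
    # sam: one attempt blocked by Conditional Access, then a normal sign-in
    + [_rec("2024-06-04T09:00:00Z", "sam@contoso.example", "198.51.100.9", "CN", ERR_CA_BLOCKED, ca="failure"),
       _rec("2024-06-04T09:05:00Z", "sam@contoso.example", "192.0.2.44", "US", ERR_SUCCESS, ca="success")]
)

# Assumed baseline: countries each user has signed in from over a prior period.
BASELINE = {"dana@contoso.example": {"US"}, "pat@contoso.example": {"US"},
            "sam@contoso.example": {"US"}}


def _country(rec):
    return (rec.get("location") or {}).get("countryOrRegion", "??")


def find_spray_success(records, min_failures=5):
    """Per (user, IP): at least min_failures bad-password attempts followed by a
    success from the same IP, the shape a successful spray or stuffing run leaves."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        by_key[(r["userPrincipalName"], r["ipAddress"])].append(r)
    findings = []
    for (user, ip), recs in by_key.items():
        failures = 0
        for r in recs:
            code = r["status"]["errorCode"]
            if code == ERR_BAD_PASSWORD:
                failures += 1
            elif code == ERR_SUCCESS:
                if failures >= min_failures:
                    findings.append({"check": "spray_then_success", "user": user, "ip": ip,
                                     "at": r["createdDateTime"], "failures_before_success": failures,
                                     "risk": r.get("riskLevelDuringSignIn", "none"),
                                     "action": "escalate: reset password, revoke sessions"})
                failures = 0
    return findings


def find_new_country(records, baseline):
    """Successful sign-ins from a country absent from the user's baseline."""
    return [{"check": "new_country", "user": r["userPrincipalName"], "ip": r["ipAddress"],
             "at": r["createdDateTime"], "country": _country(r),
             "action": "verify with the user before classifying TP/FP"}
            for r in records
            if r["status"]["errorCode"] == ERR_SUCCESS
            and _country(r) not in baseline.get(r["userPrincipalName"], set())]


def find_ca_blocks(records):
    """Sign-ins Conditional Access blocked: the control fired, so confirm the
    blocked source is an attacker and not a legitimate user locked out by a policy change."""
    return [{"check": "ca_blocked", "user": r["userPrincipalName"], "ip": r["ipAddress"],
             "at": r["createdDateTime"], "country": _country(r),
             "action": "control fired; confirm source is not a legitimate user"}
            for r in records if r["status"]["errorCode"] == ERR_CA_BLOCKED]


def weekly_review(records, baseline, min_failures=5):
    """The Monday sign-in pass: all three checks, oldest finding first."""
    findings = (find_spray_success(records, min_failures)
                + find_new_country(records, baseline)
                + find_ca_blocks(records))
    return sorted(findings, key=lambda f: f["at"])


if __name__ == "__main__":
    for f in weekly_review(SIGNINS, BASELINE):
        print(f"{f['at']} {f['check']:20} {f['user']:24} {f['ip']:14} -> {f['action']}")
```

On the sample week this surfaces three items: dana's six failures followed by a success from the same Romanian IP (escalate), the same success as a never-before-seen country (verify), and the Conditional Access block on sam's account (the control worked; confirm the source). Pat's two typos are not reported, which is the point of the threshold: the review has to be short enough to actually happen every Monday.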

What you will learn

  • The 15-minute Monday security review: what to check and in what order
  • Navigating the Defender portal incident queue and understanding incident structure
  • Reading the attack story: entities, evidence, alerts, and timeline
  • Alert classification: true positive, false positive, benign true positive — and why it matters
  • Configuring email notifications for high-severity alerts
  • Secure Score as a security health check: what to improve and what to defer
  • The sign-in log review that catches compromised accounts early
  • Integrating DLP, compliance, and email monitoring into one review cadence
  • What to escalate and when: the IT admin's triage decision tree
  • Building the weekly security review as a sustainable habit

Subsections

AD5.1 Why Monitoring Is the Fifth Priority · AD5.2 The 15-Minute Monday Security Review · AD5.3 Navigating the Defender Portal Incident Queue · AD5.4 Reading the Attack Story · AD5.5 Classifying Alerts: TP, FP, and BTP · AD5.6 Configuring Alert Notifications · AD5.7 Secure Score as a Weekly Health Check · AD5.8 Sign-In Log Review for Early Detection · AD5.9 Integrating All Monitoring into One Cadence · AD5.10 When to Escalate · AD5.11 Interactive Lab: Security Monitoring Exercise · AD5.12 Module Summary · AD5.13 Check My Knowledge

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.