AD5.12 Module Summary
This module built the monitoring cadence that transforms your four deployed security layers into an operational security program. Without monitoring, controls work silently — catching threats nobody knows about, generating alerts nobody reads, and drifting from their configured state with nobody noticing. With monitoring, every signal is reviewed, every incident is classified, and every drift is caught within 7 days.
You built the 15-minute Monday security review — five checks across three portals that cover all four security layers in one pass: the Defender incident queue for active threats, the sign-in log for credential compromise indicators, Secure Score for configuration drift, email threat reports for phishing that bypassed filters, and the compliance dashboard plus DLP Activity Explorer for device health and data protection. Each check has specific targets, expected outcomes, and escalation triggers.
You learned to navigate the Defender portal incident queue — filtering for severity, opening incidents, and reading the attack story through the 4-question framework: what happened, who's affected, was it blocked, and what do I do. You learned to classify incidents correctly (TP, FP, BTP) with documented reasoning that feeds back to Microsoft's detection engine and provides an audit trail for compliance.
You configured alert notifications — high-severity alerts email you immediately, medium-severity arrive in a daily digest, and low/informational are handled during the Monday review. This severity-based approach prevents alert fatigue while ensuring critical events get prompt attention. You established response time expectations and documented them for your manager.
You integrated Secure Score into your weekly health check — validating that controls deployed in Modules AD1-AD4 remain active, investigating score drops that indicate configuration drift, and using the improvement action list to identify your next security priorities. You built the sign-in log review procedure — the specific PowerShell queries and investigation steps that catch credential compromise through unfamiliar IPs, unusual times, CA failures, and the "MFA satisfied by claim" pattern that indicates AiTM token replay.
You consolidated everything into an integrated monitoring cadence: weekly reviews, monthly metric collection, and quarterly reporting — totalling approximately 28 hours per year for a complete, evidence-based security monitoring program.
What you built
- Monday security review checklist (5 checks, 15 minutes)
- Defender incident queue navigation with saved filters
- 4-question attack story reading framework
- TP/FP/BTP classification procedure with feedback loop
- Alert notification rules (High: immediate, Medium: daily, Low: Monday review)
- Response time commitment document for manager
- Secure Score weekly health check integrated into Monday review
- Sign-in log review PowerShell scripts (risky sign-ins, CA failures, after-hours)
- Integrated monitoring cadence (weekly/monthly/quarterly)
- Weekly security log (the operational record and compliance evidence)
- Escalation decision tree with contact sheet and handoff template
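The sign-in log review described above (unfamiliar IPs, after-hours sign-ins, CA failures, and the "MFA satisfied by claim" pattern) as a single added PowerShell pass; this is an illustrative script, not the course's own artifact. It assumes the Microsoft.Graph SDK is installed with AuditLog.Read.All consented, and the business-hours window, 7-day lookback and known-IP list are placeholder assumptions to adjust for your tenant.

```powershell
# Added example (not the course's script): one weekly pass over Entra sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Lookback window: the 7 days since the last Monday review (assumption)
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. Conditional Access failures: a policy blocked the sign-in
$caFailures = $signIns | Where-Object { $_.ConditionalAccessStatus -eq 'failure' }

# 2. After-hours sign-ins (assumed business hours 07:00-19:00 local, Mon-Fri)
$afterHours = $signIns | Where-Object {
    $local = $_.CreatedDateTime.ToLocalTime()
    ($local.DayOfWeek.ToString() -in 'Saturday','Sunday') -or
    ($local.Hour -lt 7) -or ($local.Hour -ge 19)
}

# 3. MFA "satisfied by claim in the token": the session presented an existing
#    MFA claim instead of performing MFA. Normal for cached sessions; the module
#    flags it as an AiTM token-replay indicator when paired with an unfamiliar IP.
$mfaByClaim = $signIns | Where-Object {
    $_.AuthenticationDetails | Where-Object {
        "$($_.AuthenticationStepResultDetail) $($_.AuthenticationMethodDetail)" -match 'satisfied by claim'
    }
}

# 4. Unfamiliar IPs: anything not on the allow-list (constructed sample values)
$knownIps   = @('203.0.113.10', '198.51.100.25')
$unfamiliar = $signIns | Where-Object { $_.IpAddress -notin $knownIps }

# Counts for the weekly security log
foreach ($set in @(@{n='CA failures'; v=$caFailures}, @{n='After-hours'; v=$afterHours},
                   @{n='MFA by claim'; v=$mfaByClaim}, @{n='Unfamiliar IP'; v=$unfamiliar})) {
    "{0,-14} {1,5}" -f $set.n, @($set.v).Count
}

# Escalation candidates: MFA-by-claim sign-ins from an IP not on the allow-list
$mfaByClaim | Where-Object { $_.IpAddress -notin $knownIps } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
        @{n='Country'; e={ $_.Location.CountryOrRegion }},
        @{n='App';     e={ $_.AppDisplayName }} |
    Format-Table -AutoSize
```

Each sign-in in the final table maps to the escalation decision tree: confirm with the user, then classify the incident as TP, FP or BTP with documented reasoning.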
What changed at NE
NE's security program is now fully operational across five domains: identity controls deployed and monitored, email protection deployed and monitored, device compliance deployed and monitored, data protection deployed and monitored, and the monitoring cadence itself — structured, documented, and sustainable. The Monday review catches issues within 7 days instead of discovering them by accident weeks later. Alert notifications push critical events to the admin within minutes. The quarterly report demonstrates continuous monitoring with 13 weekly data points per quarter. Total time commitment: 30-45 minutes per week.
What's next
Module AD6 covers basic incident response — the detailed response procedures for when monitoring catches a confirmed incident. Module AD7 covers security governance and program documentation — the policies, reports, and evidence packages that formalize the security program. With technical controls (AD1-AD4), monitoring (AD5), response (AD6), and governance (AD7) in place, the program is complete: deployed, monitored, response-ready, and documented.
You're reading the free modules of M365 Security: From Admin to Defender
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.