Last Updated on February 19, 2024 by Michael Morten Sonne

Intoduction

Have you ever thinked about the Activity Log on indedents in the Defender Portal has been a bit “basic”, with not so many options for adding etc. text formatting like bold text, links to etc. articles on the web and so? 🤔

Then there is some new end exiting stuff for you now in public preview!

Enhanced to provide a richer audit and commenting environment, serving as an improved version of comments and history. Now, accessing the activity log directly from the incident panel via the incident queue has been made easier. Additionally, a new filtering capability has been added too – yes, more filters, allowing users to filter content to display either audit logs or comments. To select the filter control, navigate to the top of the activity log.

This is a small one, covering some new features 😊

Activity log

To add a comment, utilize the rich text editor located at the bottom of the incident activity log panel.

To find the new and enhanced Activity Log, you need to have Preview features enabled.

• Go to the Incidents – Microsoft Defender in your Defender Portal, and select a incident to look at.
  
  Here you will see a view like this, and you then click on Activity log:

• When you come to the Activity log plane, you can see the change log here – with options to add etc. a hyper link:

• To add a comment, enter it using the rich text editor located at the bottom of the Incident Activity Log panel.
• Choose Save to submit your comment. Your comment will then appear at the top of the log.

Now you can track (follow 😉) your coworkers’ tasks within the incidents, allowing you to monitor the actions performed. This feature enhances collaboration and ensures better coordination among team members while handling incidents if you are many or have many incidents! 🫡

Rich text editor

The rich text editor offers several options to enhance the changelog, providing features such as text formatting, inline images, document attachments, and collaborative editing capabilities.

The list liiks like this for now:

• Heading
• Bold text
• Italics
• Underlined
• Crossed out
• Link
• Numbering
• Points
• In and expressions
• Code formatting
• Images > Yes that´s right! Use Ctrl + V to copy and paste images directly into the editor; attaching files via the GUI is not an available option at this time.

Change incident severity

You now have the ability to manually change incident severity also. This empowers users or your SOC team to adjust the severity level of incidents based on their assessment, enabling a more accurate representation of the incident’s impact and urgency.

• To do this, select Manage Incident at the top of the incident page or in the incident side panel

• To make changes, click on Severity – Here you will then have the option to select a new severity level for the incident. After choosing the desired severity, click on save to confirm your changes.

When searching for a specific incident based on its updated severity, go to the incident overview here Incidents – Microsoft Defender.

Here apply filters for both incident and alert severity to streamline your search and quickly locate your desired incident.

This method ensures efficient incident management by focusing only on incidents based on their severity levels – to much in your view is not good to when you will focus on your work! 😎

With this new feature, filtering the incident queue by both alert and incident severity is now possible. The activity log will display the log of severity changes too:

Filter options for Activity Log

• To filter the content types and choose between displaying audit logs or etc. comments, select the filter control located at the top of the log to change the filter

Currently, it looks like there are some issues with the appearance of the portal for the filter (as of 09/01-2024). During the Private Preview stage, it functioned smoothly and effectively.

However, it seems to be experiencing some visual inconsistencies or problems in its current state. These issues are being addressed to ensure a seamless user experience – I have reported it back to the Product Manager at Microsoft.

Use cases

In the process of investigating an incident, it’s essential to document the steps taken. This documentation serves two primary purposes: ensuring accurate reporting to etc. management and facilitating seamless cooperation and collaboration among coworkers. Additionally, it’s important to access and review comments saved on the incident by other team members if somethings happen! 🙈

The mentioned features like the Activity Log enhancement, filtering options, rich text editor for comments, and the ability to change incident severity introduce several impactful use cases in incident management systems:

• Improved Documentation and Collaboration: The Activity Log’s enriched audit and commenting environment ensure comprehensive documentation of incident investigation steps. This facilitates accurate reporting to management and seamless collaboration among team members 💪
• Efficient Content Filtering: The added filtering capabilities allow users to efficiently sort and view specific content within the system, whether it’s filtering between audit logs and comments or applying filters based on incident severity, ensuring a more focused and tailored view of the data.
• Enhanced Communication through Comments: The rich text editor for comments provides various formatting options and supports image insertion, enhancing the clarity and depth of comments added to incident logs, promoting effective communication among team members.
• Flexible Incident Severity Management: The ability to manually change incident severity offers flexibility in adjusting the urgency or impact levels of incidents, aiding in better incident triaging, prioritization, and resource allocation.
• Streamlined Incident Tracking and Oversight: The feature enabling users to follow coworkers’ tasks within incidents enhances visibility and oversight of actions performed, fostering better coordination and understanding of incident progress among team members.
• Refined Incident Search and Analysis: Utilizing filters for incident and alert severity in the incident queue allows for targeted searches, helping users quickly locate incidents based on their severity levels. This aids in post-incident analysis and enables focused response strategies.

Conclusion

In summary, these enhancements and features contribute to a more comprehensive and efficient incident management system, facilitating improved communication, better decision-making, and streamlined incident handling processes within the system.

I have a profound passion for documenting my work thoroughly. I believe that meticulous documentation not only benefits my personal workflow but also serves as a valuable resource for others. I take pride in creating clear, detailed records (or, I try my best at least 😉) that can help my colleagues navigate similar tasks or projects. Contributing to a repository of knowledge allows me to empower and support those around me, fostering a culture of collaboration and continuous learning within teams I am/have been member of.

It was also for me fun to test this with the product team under the development as a member of Microsoft Customer Connection Program – www.aka.ms/JoinCCP.

This is then shared now as the announcing is public – as else, under NDA with information I cant share.

Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍

Stay tuned for the new post about something cool! 🥳