Responding to your first incident in Microsoft Defender XDR
Article
Applies to:
Microsoft Defender XDR
This guide lists Microsoft resources for new Microsoft Defender XDR users to confidently perform day-to-day incident response tasks while using the portal. The intended results of using this guide are:
You'll quickly learn to use Microsoft Defender XDR to respond to incidents and alerts.
You'll discover the portal's features to aid incident investigation and remediation through the videos and tutorials.
Understanding incidents: accessing, triaging, and managing incidents within the portal
Analyzing attacks: a collection of videos and tutorials on how to investigate specific attacks using the portal's features.
Remediating attacks: lists the automated and manual actions that are available within the portal to remediate threats. This section includes links to videos and tutorials.
Understanding incidents
An incident is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attack's complete context instead of triaging hundreds of alerts from multiple services.
Microsoft Defender XDR has many features that you can use to respond to an incident. You can navigate the incidents by selecting View all incidents in the Active incidents card on the Home page or through Incidents & alerts on the left navigation pane.
Figure 1. Active incidents card on the Microsoft Defender XDR home page
Figure 2. Incident queue
Each incident contains automatically correlated alerts from different detection sources and might involve various endpoints, identities, or cloud apps.
Incident triage
Incident prioritization varies per responder, security team, and organization. Incident response plans and security teams' direction can mandate incident priority.
Microsoft Defender XDR has various indicators like incident severity, types of users, or threat types to triage and prioritize incidents. You can use any combination of these indicators readily available through the incident queue filters.
An example of determining incident priority is combining the following factors for an incident:
The incident has a high severity.
The automation investigation state failed.
There are 5 impacted assets where two of the assets are tagged with highly confidential data sensitivity.
The incident status is new.
The incident is unassigned to any team member for investigation.
You might assign a high priority to the incident using the information above. You can begin your incident investigation once a priority is determined.
Note
Microsoft Defender XDR automatically determines filters like severity, investigation states, impacted assets, and incident statuses. The information is based on your organization's network activities contextualized with threat intelligence feeds and the automated remediation actions applied.
Manage incidents
You can contribute to incident management efficiency by providing essential information in incidents and alerts. When you add information to the following filters from when you triage and analyze each incident, you provide further context to that incident that other responders can take advantage of: