View and manage incidents in Microsoft Defender for Business

As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal.

Monitor your incidents & alerts

  1. In the Microsoft 365 Defender portal, in the navigation pane, select Incidents. Any incidents that were created are listed on the page.

  2. Select an alert to open its flyout pane, where you can learn more about the alert.

  3. In the flyout pane, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.


Defender for Business is designed to help you address detected threats by offering recommended actions. When you view an alert, look for the recommended actions to take. Also take note of the alert severity, which is based not only on the threat severity but also on the level of risk to your company.

Alert severity

Microsoft Defender Antivirus assigns an alert severity based on the absolute severity of a detected threat (malware) and the potential risk to an individual endpoint (if infected). Defender for Business assigns an alert severity based on the severity of the detected behavior, the actual risk to an endpoint (device), and more importantly, the potential risk to your company. The following table lists a few examples:

| Scenario | Alert severity | Reason |
|---|---|---|
| Microsoft Defender Antivirus detects and stops a threat before it does any damage. | Informational | The threat was stopped before any damage was done. |
| Microsoft Defender Antivirus detects malware that was executing within your company. The malware is stopped and remediated. | Low | Although some damage might have been done to an individual endpoint, the malware now poses no threat to your company. |
| Malware that is executing is detected by Defender for Business. The malware is blocked almost immediately. | Medium or High | The malware poses a threat to individual endpoints and to your company. |
| Suspicious behavior is detected but no remediation actions are taken yet. | Low, Medium, or High | The severity depends on the degree to which the behavior poses a threat to your company. |
