Export incidents queue to CSV files


Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

The Export feature allows you to export the data in the incident queue that is displayed according to the applied filters and time ranges. It's available in the form of a button named Export, as displayed in the following screenshot:

Shows the Export button in the Incidents page  of the Microsoft 365 Defender portal

When you click the Export button, the data is exported to a CSV file. You can apply various filters and time ranges to the incidents queue (not just in the context of exporting the data, but in a generic context). When you select Export, whichever filters and/or time ranges are applied to the incidents queue, such data is exported to the CSV file.

Once you export the incidents queue-related data onto the CSV file, you can analyze the data and filter it further, based on your requirements.

For example, for the data on the CSV file, you can apply filters to view the following data:

  • Data regarding how many high-severity incidents you had in the last 30 days.
  • Data regarding who is your most productive analyst.


The maximum number of records you can export to a CSV file is 10,000.

If you have thoughts or suggestions about the new Export feature (the Export button) for the incident queue, contact Microsoft team or send your feedback through the Microsoft 365 Defender portal.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft 365 Defender Tech Community.