Incident response with Microsoft Defender XDR
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
- Microsoft Defender XDR
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack.
Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.
Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident.
Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:
- Where the attack started.
- What tactics were used.
- How far the attack has gone into your tenant.
- The scope of the attack, such as how many devices, users, and mailboxes were impacted.
- All of the data associated with the attack.
If enabled, Microsoft Defender XDR can automatically investigate and resolve alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.
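To make the aggregation idea concrete, here is an added example (not code from Microsoft or from Defender XDR, whose actual correlation logic is not described on this page) that links alerts into incidents when they share an entity such as a device, user, or mailbox, and then derives the kind of attack-story summary listed above: where the attack started, which tactics were used, and how many assets were touched. The alerts, entity names, and tactic labels are constructed sample data.

```python
"""Group alerts that share entities into incidents and summarize each one.

Added illustration of alert-to-incident aggregation; constructed sample alerts,
not Defender XDR's own correlation algorithm or data.
"""
from collections import defaultdict

# Constructed sample alerts. Times are ISO-8601 strings, which sort correctly
# as plain text. Entities are (kind, name) pairs shared across services.
SAMPLE_ALERTS = [
    {"id": "a1", "time": "2024-05-01T08:00:00Z", "source": "Defender for Office 365",
     "tactic": "InitialAccess", "severity": "Medium",
     "entities": [("user", "jane"), ("mailbox", "jane@contoso.example")]},
    {"id": "a4", "time": "2024-05-01T09:30:00Z", "source": "Defender for Identity",
     "tactic": "CredentialAccess", "severity": "Low",
     "entities": [("user", "bob"), ("device", "WS-99")]},
    {"id": "a2", "time": "2024-05-01T08:20:00Z", "source": "Defender for Endpoint",
     "tactic": "Execution", "severity": "High",
     "entities": [("user", "jane"), ("device", "LAPTOP-01")]},
    {"id": "a3", "time": "2024-05-01T09:05:00Z", "source": "Defender for Endpoint",
     "tactic": "LateralMovement", "severity": "High",
     "entities": [("device", "LAPTOP-01"), ("device", "FILESRV-02")]},
]

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def correlate(alerts):
    """Return incidents (lists of alerts) connected through shared entities.

    A union-find structure joins each alert node to its entity nodes, so two
    alerts end up in the same incident whenever a chain of shared entities
    links them (a1 -> user jane -> a2 -> LAPTOP-01 -> a3).
    """
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path compression
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for alert in alerts:
        for entity in alert["entities"]:
            union(("alert", alert["id"]), entity)

    groups = defaultdict(list)
    for alert in alerts:
        groups[find(("alert", alert["id"]))].append(alert)

    # Order alerts within an incident, and incidents themselves, by first seen.
    incidents = [sorted(group, key=lambda a: a["time"]) for group in groups.values()]
    incidents.sort(key=lambda inc: inc[0]["time"])
    return incidents


def summarize(incident):
    """Build the attack-story view: start, tactics in order, severity, scope."""
    tactics = []
    for alert in incident:
        if alert["tactic"] not in tactics:
            tactics.append(alert["tactic"])
    scope = defaultdict(set)
    for alert in incident:
        for kind, name in alert["entities"]:
            scope[kind].add(name)
    first = incident[0]
    return {
        "alert_ids": [a["id"] for a in incident],
        "started_at": first["time"],
        "started_with": first["source"],
        "tactics": tactics,
        "severity": max((a["severity"] for a in incident), key=SEVERITY_RANK.__getitem__),
        "scope": {kind: len(names) for kind, names in sorted(scope.items())},
    }


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print(summarize(incident))
```

Running the block prints two incidents: the three alerts that share the user `jane` and the device `LAPTOP-01` collapse into one incident spanning two devices, one user, and one mailbox, while the unrelated alert on `WS-99` stays on its own.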
Incidents and alerts in the Microsoft Defender portal
You manage incidents from Incidents & alerts > Incidents on the quick launch of the Microsoft Defender portal. Here's an example.
Selecting an incident name displays the entire attack story of the incident, including:
- Alert page within incident: The scope of alerts related to the incident and their information on the same tab.
- Graph: A visual representation of the attack that connects the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.
You can view the entity details directly from the graph and act on them with response options like file delete or device isolation.
The additional tabs for an incident are:
Tab | Description |
---|---|
Attack story | The full story of the attack, including all the alerts, assets, and remediation actions taken. |
Alerts | All the alerts related to the incident and their information. |
Assets | All the assets (devices, users, mailboxes, and apps) that have been identified to be part of or related to the incident. |
Investigations | All the automated investigations triggered by alerts in the incident. |
Evidence and Response | All the supported events and suspicious entities in the alerts of the incident. |
Summary | A quick overview of the impacted assets associated with alerts. |
Note
If you see an Unsupported alert type alert status, it means that automated investigation capabilities cannot pick up that alert to run an automated investigation. However, you can investigate these alerts manually.
Example incident response workflow for Microsoft Defender XDR
Here's an example workflow for responding to incidents in Microsoft 365 with the Microsoft Defender portal.
On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:
- Triaging to determine the highest priority incidents through filtering and sorting of the incident queue.
- Managing incidents by modifying their title, assigning them to an analyst, and adding tags and comments.
Consider these steps for your own incident response workflow:
1. For each incident, begin an attack and alert investigation and analysis:
   a. View the attack story of the incident to understand its scope, severity, detection source, and what entities are affected.
   b. Begin analyzing the alerts to understand their origin, scope, and severity with the alert story within the incident.
   c. As needed, gather information on impacted devices, users, and mailboxes with the graph. Right-click any entity to open a flyout with all the details.
   d. See how Microsoft Defender XDR has automatically resolved some alerts with the Investigations tab.
   e. As needed, use the Evidence and Response tab to examine the events and suspicious entities collected for the incident.
2. After or during your analysis, perform containment to limit any additional impact of the attack, and eradicate the security threat.
3. As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident.
4. Resolve the incident and take time for post-incident learning to:
   - Understand the type of the attack and its impact.
   - Research the attack in Threat Analytics and the security community for a security attack trend.
   - Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.
   - Determine whether changes in your security configuration are needed and implement them.
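The triage and management step at the top of this workflow (filter and sort the queue, then assign, tag, and eventually resolve) can be expressed as a small prioritization policy. The following is an added example, not code from Microsoft or a Defender XDR API; it operates on constructed incident records whose fields (severity, status, assignment, tags, impacted-asset count) mirror what the portal shows in the queue, and the ordering rule it applies is one reasonable policy, not the portal's own.

```python
"""Prioritize an incident queue and record triage decisions.

Added example for the triage step of the workflow above; constructed incident
records and a sample prioritization policy, not Defender XDR's API or data.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
OPEN_STATUSES = ("New", "InProgress")


@dataclass(frozen=True)
class Incident:
    id: int
    title: str
    severity: str              # Informational, Low, Medium, or High
    status: str                # New, InProgress, or Resolved
    created: str               # ISO-8601 UTC; sorts as plain text
    impacted_assets: int       # devices + users + mailboxes
    assigned_to: Optional[str] = None
    tags: Tuple[str, ...] = ()


# Constructed sample queue.
QUEUE = [
    Incident(101, "Multi-stage incident on LAPTOP-01", "High", "New", "2024-05-01T08:00:00Z", 4),
    Incident(102, "Suspicious sign-in", "Low", "New", "2024-05-01T07:00:00Z", 1),
    Incident(103, "Malware detected", "High", "InProgress", "2024-05-01T06:30:00Z", 1,
             assigned_to="analyst-a"),
    Incident(104, "Phishing campaign", "Medium", "Resolved", "2024-04-30T10:00:00Z", 12),
    Incident(105, "Credential theft attempt", "High", "New", "2024-04-30T23:00:00Z", 2),
]


def triage(queue, min_severity="Medium"):
    """Filter to open incidents at or above min_severity and order them for work.

    Policy (an assumption for this example): highest severity first, unassigned
    before assigned, then broader impact first, then oldest first so nothing
    stalls at the bottom of the queue.
    """
    floor = SEVERITY_RANK[min_severity]
    candidates = [
        inc for inc in queue
        if inc.status in OPEN_STATUSES and SEVERITY_RANK[inc.severity] >= floor
    ]
    return sorted(
        candidates,
        key=lambda inc: (
            -SEVERITY_RANK[inc.severity],
            inc.assigned_to is not None,   # False (unassigned) sorts first
            -inc.impacted_assets,
            inc.created,
        ),
    )


def assign(incident, analyst, *new_tags, title=None):
    """Return an updated copy: assigned, tagged, optionally retitled, in progress."""
    tags = tuple(dict.fromkeys(incident.tags + new_tags))  # de-duplicate, keep order
    return replace(incident, assigned_to=analyst, tags=tags,
                   status="InProgress", title=title or incident.title)


def resolve(incident):
    """Return a copy marked Resolved; the record itself is never mutated."""
    return replace(incident, status="Resolved")


if __name__ == "__main__":
    for inc in triage(QUEUE):
        print(inc.id, inc.severity, inc.status, inc.assigned_to, inc.title)
```

Because `Incident` is frozen, every triage action returns a new record, which keeps the original queue snapshot intact for review and makes it easy to diff what an analyst changed (assignment, tags, title, status) during the incident.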
If you're new to security analysis, see the introduction to responding to your first incident for additional information and to step through an example incident.
For more information about incident response across Microsoft products, see this article.
Example security operations for Microsoft Defender XDR
Here's an example of security operations (SecOps) for Microsoft Defender XDR.
Daily tasks can include:
- Managing incidents
- Reviewing automated investigation and response (AIR) actions in the Action center
- Reviewing the latest Threat Analytics
- Responding to incidents
Monthly tasks can include:
- Reviewing AIR settings
- Reviewing Secure Score and Microsoft Defender Vulnerability Management
- Reporting to your IT security management chain
Quarterly tasks can include a report and briefing of security results to the Chief Information Security Officer (CISO).
Annual tasks can include conducting a major incident or breach exercise to test your staff, systems, and processes.
Daily, monthly, quarterly, and annual tasks can be used to update or refine processes, policies, and security configurations.
See Integrating Microsoft Defender XDR into your security operations for more details.
SecOps resources across Microsoft products
For more information about SecOps across Microsoft's products, see these resources:
Get incident notifications by email
You can set up Microsoft Defender XDR to notify your staff with an email about new incidents or updates to existing incidents. You can choose to get notifications based on:
- Alert severity
- Alert sources
- Device group
To set up email notifications for incidents, see get email notifications on incidents.
Training for security analysts
Use this learning module from Microsoft Learn to understand how to use Microsoft Defender XDR to manage incidents and alerts.
Training | Investigate incidents with Microsoft Defender XDR |
---|---|
| Microsoft Defender XDR unifies threat data from multiple services and uses AI to combine them into incidents and alerts. Learn how to minimize the time between an incident and its management for subsequent response and resolution. 27 min - 6 Units |
Next steps
Use the listed steps based on your experience level or role on your security team.
Experience level
Follow this table for your level of experience with security analysis and incident response.
Level | Steps |
---|---|
New | |
Experienced | |
Security team role
Follow this table based on your security team role.
Role | Steps |
---|---|
Incident responder (Tier 1) | Get started with the incident queue from the Incidents page of the Microsoft Defender portal. From here you can: |
Security investigator or analyst (Tier 2) | |
Advanced security analyst or threat hunter (Tier 3) | |
SOC manager | See how to integrate Microsoft Defender XDR into your Security Operations Center (SOC). |
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.