View and manage incidents and alerts
Applies to:
Multi-tenant management in Microsoft Defender XDR enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats.
You can manage incidents & alerts originating from multiple tenants under Incidents & alerts.
View and investigate incidents
To View or investigate an incident, go to the Incidents page in multi-tenant management in Microsoft Defender XDR. The Tenant name column shows which tenant the incident originates from:
Select the incident you want to view. A flyout panel opens with the incident details page:
From the incident details page you can:
- Select Open incident page to view this incident in a new tab for the specific tenant in the Microsoft Defender portal.
- Select Manage incident to assign the incident, set incident tags, set the incident status, and classify the incident.
To learn more, see Investigate incidents.
Manage multiple incidents
To manage incidents across multiple tenants:
Go to the Incidents page in multi-tenant management.
Choose the incidents you want to manage from the incidents list and select Manage incidents.
On the incidents fly-out you can assign incidents, assign incidents tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously.
Note
Currently, you can only assign multiple incidents from same tenant.
To learn more about incidents in the Microsoft Defender portal, see Manage incidents.
View and investigate alerts
To view or investigate an alert, go to the Alerts page in multi-tenant management and select the alert you want to view. A flyout panel opens with the alert details page:
From the alert details page you can:
- Select actions such as Open alerts page, See in timeline, and Tune alert to view this alert in a new tab for the specific tenant in the Microsoft Defender portal.
- Select Manage alert to assign the alert, set the alert status, and classify the alert.
To learn more, see Investigate alerts.
Manage multiple alerts
To manage alerts across multiple tenants:
Go to the Alerts page in multi-tenant management.
Choose the alerts you want to manage from the alerts list and select Manage alerts.
On the alert fly-out you can assign alerts, set the alert status, and classify the alerts for multiple tenants simultaneously.
Note
Currently, you can only assign multiple alerts from same tenant. To learn more about alerts in the Microsoft Defender portal, see Manage alerts.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for