Investigate and respond to endpoint threats using Microsoft Defender

After devices are onboarded to Microsoft Defender, security teams can use the Microsoft Defender portal to investigate endpoint threats and respond to incidents. Defender collects signals from devices and brings them together in the Microsoft Defender portal with alerts, incidents, evidence, affected assets, and response actions for a single investigation experience.

Understand incidents and alerts

In the Microsoft Defender portal, an alert represents a suspicious or malicious activity detected in the environment. Alerts can come from Defender's endpoint security capabilities and other Microsoft security services. Defender correlates related alerts into incidents, which help analysts understand the broader attack story instead of investigating each alert separately.

An incident can include several important details:

  • Alerts that triggered the incident.
  • Devices, users, files, processes, services, IP addresses, and other entities involved.
  • A timeline of related activity.
  • Evidence and response status.
  • Automated investigation details.
  • Recommended or completed remediation actions.

This structure helps security teams move from a single detection to a full understanding of what happened, which devices were affected, and what actions are needed.

Investigate endpoint threats

After opening an incident, begin with triage. Review the incident title, severity, category, affected assets, detection sources, and summary. The goal is to answer four questions: What happened? Which devices and users are affected? Is the threat still active? What is the potential business impact?

For deeper analysis, open the related alert. The alert page helps analysts investigate the details of suspicious activity. The Microsoft Defender portal shows alerts in the alerts queue and allows filtering by severity, status, category, service or detection source, tags, product name, impacted entities, automated investigation state, and other criteria. These filters help analysts prioritize which alerts require immediate attention.

For endpoint threats, investigation often includes reviewing:

  • Suspicious process activity
  • Parent-child process relationships
  • Command-line activity
  • Malicious or suspicious files
  • Registry or file-system changes
  • Network connections to suspicious IP addresses or domains
  • Users signed in to affected devices
  • Other devices or users connected to the same indicators

The incident and alert views also help analysts review evidence and entities. Evidence can include files, processes, devices, users, IP addresses, domains, and other objects connected to the incident. The attack story and incident graph help show relationships between alerts, entities, and affected assets, making it easier to identify attacker movement or determine whether the alert is isolated.

For device-level investigation, open the affected device page. From the device page, analysts can review device details, related alerts, signed-in users, timeline activity, exposure information, and available response actions. This helps trace what happened before, during, and after the detection.

Respond to endpoint threats

After investigation confirms a threat, select response actions based on severity, affected assets, and business impact. Defender provides manual response actions from the device page, including initiating automated investigation, starting a Live Response session, collecting an investigation package, running an antivirus scan, restricting app execution, isolating a device, containing a device, consulting a threat expert, and opening the Action center.

A typical endpoint response workflow is:

  1. Confirm whether the alert is a true threat.
  2. Identify affected devices, users, files, and network indicators.
  3. Isolate or contain affected devices when the threat is active or spreading.
  4. Stop or quarantine malicious files and processes.
  5. Run antivirus scans or collect investigation packages when more evidence is needed.
  6. Search for related indicators across other devices.
  7. Remediate the root cause, such as vulnerable software, weak configuration, or compromised credentials.
  8. Update the incident status, classification, and notes.

Automated investigation and response, or AIR, can reduce manual effort by analyzing evidence, assigning verdicts such as malicious, suspicious, or no threats found, and recommending or taking remediation actions. Examples of remediation actions include quarantining a file, stopping a process, isolating a device, or blocking a URL. Depending on configuration, actions can run automatically or wait for analyst approval in the Action center.

Use automation to accelerate routine investigations, but continue to review high-impact actions carefully, especially when an incident involves privileged accounts, sensitive users, production devices, or signs of lateral movement.

Use Copilot to enhance Defender investigations

Microsoft Security Copilot can support Defender investigations, but it should be treated as an enhancement rather than the core investigation workflow. Analysts can use Copilot to summarize incidents, explain alert details, identify affected devices or users, generate investigation questions, help with queries, and suggest remediation actions. Microsoft Defender remains the primary tool for reviewing evidence and taking response actions.

For example, Copilot can help create an incident summary, highlight important entities, explain what happened in the attack timeline, and produce recommendations for technical or executive audiences. Analysts should still validate important findings in Microsoft Defender before taking high-impact actions such as isolating devices, blocking files, or resetting privileged accounts.

Promptbooks can also support repeatable investigation workflows. A promptbook is useful when analysts need to run a structured investigation, such as reviewing an incident, analyzing a suspicious script, assessing the impact of a CVE, investigating a user, or researching a threat actor. The output can help summarize findings, identify indicators of compromise, assess business risk, and recommend remediation steps.