View and manage incidents and alerts in Microsoft Defender multitenant management

Multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform enables security operations center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats. Triage incidents and alerts across security information and event management (SIEM) and extended detection and response (XDR) data for tenants that onboarded a Microsoft Sentinel workspace to the unified security operations platform.

Manage incidents & alerts originating from multiple tenants under Incidents & alerts.

View and investigate incidents

To view or investigate an incident:

  1. Go to the Incidents page in Microsoft Defender multitenant management. The Tenant name column shows which tenant the incident originates from:

    Screenshot of the Microsoft Defender multitenant incidents page.

  2. Select the incident you want to view. A flyout panel opens with the incident details page:

    Screenshot of the Microsoft Defender multitenant incidents details page.

  3. From the incident details page you can:

     • Select Open incident page to view this incident in a new tab for the specific tenant in the Microsoft Defender portal.
     • Select Manage incident to assign the incident, set incident tags, set the incident status, and classify the incident.

To learn more, see Investigate incidents.

Manage multiple incidents

To manage incidents across multiple tenants:

  1. Go to the Incidents page in Microsoft Defender multitenant management.

  2. Choose the incidents you want to manage from the incidents list and select Manage incidents.

    Screenshot that highlights the manage incidents option on the incidents page in Microsoft Defender multitenant management.

On the incident fly-out you can assign incidents, assign incident tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously.

Note

Currently, you can only assign multiple incidents from the same tenant.

To learn more about incidents in the Microsoft Defender portal, see Manage incidents.

View and investigate alerts

To view or investigate an alert:

  1. Go to the Alerts page in multitenant management and select the alert you want to view. A flyout panel opens with the alert details page:

    Screenshot of alert details page for an alert in Microsoft Defender multitenant management.

  2. From the alert details page you can:

     • Select actions such as Open alerts page, See in timeline, and Tune alert to view this alert in a new tab for the specific tenant in the Microsoft Defender portal.
     • Select Manage alert to assign the alert, set the alert status, and classify the alert.

To learn more, see Investigate alerts.

Manage multiple alerts

To manage alerts across multiple tenants:

  1. Go to the Alerts page in Microsoft Defender multitenant management.

  2. Choose the alerts you want to manage from the alerts list and select Manage alerts.

    Screenshot that highlights the manage alerts option for selected alerts in Microsoft Defender multitenant management.

On the alert fly-out you can assign alerts, set the alert status, and classify the alerts for multiple tenants simultaneously.

Note

Currently, you can only assign multiple alerts from the same tenant.

To learn more about alerts in the Microsoft Defender portal, see Manage alerts.