Rediģēt

Kopīgot, izmantojot


Link query results to an incident

Applies to:

  • Microsoft Defender XDR

You can use the link to incident feature to add advanced hunting query results to a new or existing incident under investigation. This feature helps you easily capture records from advanced hunting activities, which enables you to create a richer timeline or context of events regarding an incident.

  1. In the advanced hunting query page, first enter your query in the query field provided then select Run query to get your results.

    The Query page in the Microsoft Defender portal

  2. In the Results page, select the events or records that are related to a new or current investigation you're working on, then select Link to incident.

    The Link to incident option of the Results tab in the Microsoft Defender portal

  3. Find the Alert details section in the Link to incident pane, then select Create new incident to convert the events to alerts and group them to a new incident:

    The Alert details section in the Link to incident pane in the Microsoft Defender portal

    Or select Link to an existing incident to add the selected records to an existing one. Choose the related incident from the dropdown list of existing incidents. You can also enter the first few characters of the incident name or ID to find the existing incident.

    The Alert details section in the Microsoft Defender portal

  4. For either selection, provide the following details, then select Next:

    • Alert title - provide a descriptive title for the results that your incident responders can understand. This descriptive title becomes the alert title.
    • Severity - Choose the severity applicable to the group of alerts.
    • Category - Choose the appropriate threat category for the alerts.
    • Description - Give a helpful description for the grouped alerts.
    • Recommended actions - Provide remediation actions.
  5. In the Impacted entities section, select the main affected or impacted entity. Only the applicable entities based on the query results appear in this section. In our example, we used a query to find events related to a possible email exfiltration incident, therefore the Sender is the impacted entity. If there are four different senders, for instance, four alerts are created and linked to the chosen incident.

    The impacted entity in the Link to incident section in the Microsoft Defender portal

  6. Select Next.

  7. Review the details you've provided in the Summary section. The results page in the Link to incident section in the Microsoft Defender portal

  8. Select Done.

View linked records in the incident

You can select the incident name to view the incident that the events are linked to. The event details screen in the Summary tab in the Microsoft Defender portal

In our example, the four alerts, representing the four selected events, were linked successfully to a new incident.

In each of the alert pages, you can find the complete information on the event or events in timeline view (if available) and query results view. The full details of an event in the Timeline tab in the Microsoft Defender portal

You can also select the event to open the Inspect record pane. The inspect record details of an event in the Timeline tab in the Microsoft Defender portal

Filter for events added using advanced hunting

You can view which alerts were generated from advanced hunting by filtering the Incidents queue and Alerts queue by Manual detection source.

The manual filtering of Incidents and Alerts queue in the Filters page in the Microsoft Defender portal

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.