In the Microsoft Defender portal, you can respond to security incidents, which are collections of related alerts that together tell the full story of an attack.
This article provides a set of steps that you can follow to investigate, analyze, and resolve security incidents in the Microsoft Defender portal, and also maps these steps to your security team's experience level and role.
Incident response workflow example in the Microsoft Defender portal
Here's a workflow example for responding to incidents in the Microsoft Defender portal.
On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:
- Triage to determine the highest priority incidents by filtering and sorting the incident queue.
- Manage incidents by modifying their title, assigning them to an analyst, and adding tags and comments.
You can use Microsoft Sentinel automation rules to automatically triage and manage (and even respond to) some incidents as they're created, removing the easiest-to-handle incidents from taking up space in your queue.
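One way to carry out the triage and management steps above against a queue like the one the portal shows, as an added example that is not part of the original article: the sample incidents are constructed, and the field names (displayName, severity, status, assignedTo, customTags, createdDateTime) are assumed to follow the Microsoft Graph security incident resource.

```python
from datetime import datetime

# Sorting rank: the portal's severity order, highest first.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "informational": 3, "unknown": 4}
# Statuses that still need work; resolved and redirected incidents leave the queue.
OPEN_STATUSES = {"active", "inProgress"}

# Constructed sample queue (not real incidents). Field names are assumed to follow
# the Microsoft Graph security incident resource; the portal shows the same queue.
SAMPLE_QUEUE = [
    {"id": "1001", "displayName": "Multi-stage incident on one endpoint", "severity": "medium",
     "status": "active", "assignedTo": None, "customTags": [], "createdDateTime": "2024-05-01T08:00:00Z"},
    {"id": "1002", "displayName": "Suspicious sign-in activity", "severity": "high",
     "status": "active", "assignedTo": None, "customTags": [], "createdDateTime": "2024-05-01T09:30:00Z"},
    {"id": "1003", "displayName": "Phishing email reported", "severity": "high",
     "status": "resolved", "assignedTo": "ana@contoso.example", "customTags": ["phish"],
     "createdDateTime": "2024-04-30T12:00:00Z"},
    {"id": "1004", "displayName": "Low-confidence alert", "severity": "low",
     "status": "inProgress", "assignedTo": "bob@contoso.example", "customTags": [],
     "createdDateTime": "2024-05-01T06:00:00Z"},
    {"id": "1005", "displayName": "Credential access on a server", "severity": "high",
     "status": "active", "assignedTo": None, "customTags": [], "createdDateTime": "2024-05-01T07:00:00Z"},
]


def _created(incident):
    """Parse the ISO-8601 timestamp so older incidents can be ordered first."""
    return datetime.fromisoformat(incident["createdDateTime"].replace("Z", "+00:00"))


def triage(queue, unassigned_only=True):
    """Filter the queue to open (and, by default, unowned) incidents, then sort them
    by severity (high first) and age (oldest first) so old high-severity work is not starved."""
    candidates = [i for i in queue if i["status"] in OPEN_STATUSES
                  and (not unassigned_only or not i.get("assignedTo"))]
    return sorted(candidates, key=lambda i: (SEVERITY_RANK.get(i["severity"], 99), _created(i)))


def management_update(incident, analyst, tags, title=None):
    """Build the update body that assigns, tags and optionally renames an incident.
    Existing tags are kept and the status moves to inProgress to show it is owned."""
    body = {"assignedTo": analyst, "status": "inProgress",
            "customTags": sorted(set(incident["customTags"]) | set(tags))}
    if title:
        body["displayName"] = title
    return body
```

The same filter-then-sort order is what you get in the portal by hiding resolved incidents and sorting by severity; the update body is the kind of change the Manage incident pane applies.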
Consider these steps for your own incident response workflow:
Stage | Steps |
---|---|
For each incident, begin an attack and alert investigation and analysis. | - View the attack story of the incident to understand its scope, severity, detection source, and which asset entities are affected.<br>- Begin analyzing the alerts to understand their origin, scope, and severity with the alert story within the incident.<br>- As needed, gather information on impacted devices, users, and mailboxes with the graph. Select any entity to open a flyout with all the details. Follow through to the entity page for more insights.<br>- See how Microsoft Defender XDR has automatically resolved some alerts with the Investigations tab.<br>- As needed, review the data set collected for the incident on the Evidence and Response tab for more information. |
After or during your analysis, perform containment to reduce any additional impact of the attack, and eradicate the security threat. | For example:<br>- Disable compromised users.<br>- Isolate impacted devices.<br>- Block hostile IP addresses. |
As much as possible, recover from the attack by restoring your tenant resources to the state they were in before the incident. | |
Resolve the incident and document your findings. | Take time for post-incident learning to:<br>- Understand the type of the attack and its impact.<br>- Research the attack in Threat Analytics and the security community for a security attack trend.<br>- Recall the workflow you used to resolve the incident and update your standard workflows, processes, policies, and playbooks as needed.<br>- Determine whether changes in your security configuration are needed and implement them. |
If you're new to security analysis, see the introduction to responding to your first incident for additional information and to step through an example incident.
For more information about incident response across Microsoft products, see incident response overview.
Plan initial incident management tasks
Experience level
Follow this table for your level of experience with security analysis and incident response.
Level | Steps |
---|---|
New | - See the Respond to your first incident walkthrough to get a guided tour of a typical process of analysis, remediation, and post-incident review in the Microsoft Defender portal with an example attack.<br>- See which incidents should be prioritized based on severity and other factors.<br>- Manage incidents, which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow. |
Experienced | - Get started with the incident queue from the Incidents page of the Microsoft Defender portal. From here you can:<br>- See which incidents should be prioritized based on severity and other factors.<br>- Manage incidents, which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow.<br>- Perform investigations of incidents.<br>- Track and respond to emerging threats with threat analytics.<br>- Proactively hunt for threats with advanced threat hunting.<br>- See these incident response playbooks for detailed guidance for phishing, password spray, and app consent grant attacks. |
Security team role
Follow this table based on your security team role.
Role | Steps |
---|---|
Incident responder (Tier 1) | Get started with the incident queue from the Incidents page of the Microsoft Defender portal. From here you can:<br>- See which incidents should be prioritized based on severity and other factors.<br>- Manage incidents, which includes renaming, assigning, classifying, and adding tags and comments based on your incident management workflow. |
Security investigator or analyst (Tier 2) | - Perform investigations of incidents from the Incidents page of the Microsoft Defender portal.<br>- See these incident response playbooks for detailed guidance for phishing, password spray, and app consent grant attacks. |
Advanced security analyst or threat hunter (Tier 3) | - Perform investigations of incidents from the Incidents page of the Microsoft Defender portal.<br>- Track and respond to emerging threats with threat analytics.<br>- Proactively hunt for threats with advanced threat hunting.<br>- See these incident response playbooks for detailed guidance for phishing, password spray, and app consent grant attacks. |
SOC manager | See how to integrate Microsoft Defender XDR into your Security Operations Center (SOC). |
Related items
To learn more about alert correlation and incident merging in the Defender portal, see Alerts, incidents, and correlation in Microsoft Defender XDR.