You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/incident-queue.md
+6-3Lines changed: 6 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ ms.topic: conceptual
18
18
search.appverid:
19
19
- MOE150
20
20
- MET150
21
-
ms.date: 06/05/2024
21
+
ms.date: 07/02/2024
22
22
appliesto:
23
23
- Microsoft Defender XDR
24
24
- Microsoft Sentinel in the Microsoft Defender portal
@@ -42,9 +42,12 @@ Select **Most recent incidents and alerts** to toggle the expansion of the top s
42
42
43
43
:::image type="content" source="/defender/media/incidents-queue/incidents-ss-incidents2.png" alt-text="Screenshot of 24-hour incident graph." lightbox="/defender/media/incidents-queue/incidents-ss-incidents2.png":::
44
44
45
-
Below that, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first. You can choose a different time frame by selecting it from the drop-down at the top.
45
+
Below that, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. You can choose a different time frame by selecting it from the drop-down at the top. Incidents are arranged according to the latest automatic or manual updates made to an incident. You can arrange the incidents by **last update time** column to view incidents according to the latest automatic or manual updates made.
46
46
47
-
The incident queue has customizable columns (select **Customize columns**) that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis.
47
+
The incident queue has customizable columns that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis. Select **Customize columns** to perform the following customizations based on your preferred view:
48
+
49
+
- Check/uncheck the columns you want to see in the incident queue.
50
+
- Arrange the order of the columns by dragging them.
48
51
49
52
:::image type="content" source="/defender/media/incidents-queue/incidents-ss-incidents-3.png" alt-text="Screenshot of Incident page filter and column controls." lightbox="/defender/media/incidents-queue/incidents-ss-incidents-3.png":::
Copy file name to clipboardExpand all lines: defender-xdr/investigate-alerts.md
+12-2Lines changed: 12 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -22,7 +22,7 @@ ms.topic: conceptual
22
22
search.appverid:
23
23
- MOE150
24
24
- met150
25
-
ms.date: 06/05/2024
25
+
ms.date: 07/02/2024
26
26
---
27
27
28
28
# Investigate alerts in Microsoft Defender XDR
@@ -46,7 +46,7 @@ The **Alerts queue** shows the current set of alerts. You get to the alerts queu
46
46
47
47
Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Defender for Office 365, Microsoft Sentinel, Defender for Cloud, Defender for Identity, Defender for Cloud Apps, Defender XDR, App Governance, Microsoft Entra ID Protection, and Microsoft Data Loss Prevention appear here.
48
48
49
-
By default, the alerts queue in the Microsoft Defender portal displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
49
+
By default, the alerts queue in the Microsoft Defender portal displays the new and in progress alerts from the last seven days. The most recent alert is at the top of the list so you can see it first.
50
50
51
51
From the default alerts queue, you can select **Filter** to see a **Filter** pane, from which you can specify a subset of the alerts. Here's an example.
52
52
@@ -64,6 +64,16 @@ You can filter alerts according to these criteria:
64
64
- Automated investigation state
65
65
- Alert subscription IDs
66
66
67
+
An alert can have system tags and/or custom tags with certain color backgrounds. Custom tags use the white background while system tags typically use red or black background colors. System tags identify the following in an incident:
68
+
69
+
- A **type of attack**, like ransomware or credential phishing
70
+
-**Automatic actions**, like automatic investigation and response and automatic attack disruption
71
+
-**Defender Experts** handling an incident
72
+
-**Critical assets** involved in the incident
73
+
74
+
> [!TIP]
75
+
> Microsoft's Security Exposure Management, based on predefined classifications, automatically tags devices, identities, and cloud resources as a **critical asset**. This out-of-the-box capability ensures the protection of an organization’s valuable and most important assets. It also helps security operations teams to prioritize investigation and remediation. Know more about [critical asset management](/security-exposure-management/critical-asset-management).
76
+
67
77
## Required roles for Defender for Office 365 alerts
68
78
69
79
You'll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:
Copy file name to clipboardExpand all lines: defender-xdr/manage-incidents.md
+11-1Lines changed: 11 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -17,7 +17,7 @@ ms.topic: conceptual
17
17
search.appverid:
18
18
- MOE150
19
19
- MET150
20
-
ms.date: 06/05/2024
20
+
ms.date: 07/02/2024
21
21
---
22
22
23
23
# Manage incidents in Microsoft Defender
@@ -80,6 +80,16 @@ You can add custom tags to an incident, for example to flag a group of incidents
80
80
81
81
The option to select from a list of previously used and selected tags appear after you start typing.
82
82
83
+
An incident can have system tags and/or custom tags with certain color backgrounds. Custom tags use the white background while system tags typically use red or black background colors. System tags identify the following in an incident:
84
+
85
+
- A **type of attack**, like credential phishing or BEC fraud
86
+
-**Automatic actions**, like automatic investigation and response and automatic attack disruption
87
+
-**Defender Experts** handling an incident
88
+
-**Critical assets** involved in the incident
89
+
90
+
> [!TIP]
91
+
> Microsoft's Security Exposure Management, based on predefined classifications, automatically tags devices, identities, and cloud resources as a **critical asset**. This out-of-the-box capability ensures the protection of an organization’s valuable and most important assets. It also helps security operations teams to prioritize investigation and remediation. Know more about [critical asset management](/security-exposure-management/critical-asset-management).
92
+
83
93
## Assign an incident
84
94
85
95
You can select the **Assign to** box and specify the user account to assign an incident. To reassign an incident, remove the current assignment account by selecting the "x" next to the account name and then select the **Assign to** box. Assigning ownership of an incident assigns the same ownership to all the alerts associated with it.
Copy file name to clipboardExpand all lines: defender-xdr/manage-rbac.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@ ms.collection:
12
12
- tier3
13
13
ms.custom:
14
14
ms.topic: overview
15
-
ms.date: 06/13/2024
15
+
ms.date: 07/02/2024
16
16
ms.reviewer:
17
17
search.appverid: met150
18
18
---
@@ -45,7 +45,7 @@ Centralized permissions management is supported for the following solutions:
45
45
|Microsoft Defender XDR|Centralized permissions management for Microsoft Defender XDR experiences.|
46
46
|Microsoft Defender for Endpoint|Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.|
47
47
|Microsoft Defender Vulnerability Management|Centralized permissions management for all Defender Vulnerability Management capabilities.|
48
-
|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](/defender-office-365/mdo-portal-permissions) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) aren't supported.</li><li>lets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by experiences that were previously under Exchange Online RBAC.</li></ul>|
48
+
|Microsoft Defender for Office 365|Full support for all data and actions. </br></br> **Note**: <ul><li>Initially, the Microsoft Defender XDR RBAC model is available only for organizations with Microsoft Defender for Office 365 Plan 2 licenses (trial licenses aren't supported).</li><li>Granular delegated admin privileges (GDAP) aren't supported.</li><li>Exchange Online PowerShell and Security & Compliance PowerShell continue to use [Exchange Online roles](/exchange/permissions-exo/permissions-exo)and [Email & Collaboration roles](/defender-office-365/mdo-portal-permissions). Microsoft Defender XDR Unified RBAC doesn't affect Exchange Online PowerShell or Security & Compliance PowerShell.</li><li>Azure B2B invited guests aren't supported by all experiences that were previously under Exchange Online RBAC.</li></ul>|
49
49
|Microsoft Defender for Identity|Full support for all identity data and actions. </br></br> **Note:** Defender for Identity experiences also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).|
50
50
|Microsoft Defender for Cloud|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.|
51
51
|Microsoft Secure Score|Full support for all Secure Score data from the [Products included in Secure Score](microsoft-secure-score.md#products-included-in-secure-score).|
Copy file name to clipboardExpand all lines: defender-xdr/whats-new.md
+9-1Lines changed: 9 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ ms.service: defender-xdr
6
6
ms.author: diannegali
7
7
author: diannegali
8
8
ms.localizationpriority: medium
9
-
ms.date: 06/05/2024
9
+
ms.date: 07/02/2024
10
10
manager: dansimp
11
11
audience: ITPro
12
12
ms.collection:
@@ -29,6 +29,14 @@ For more information on what's new with other Microsoft Defender security produc
29
29
30
30
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
31
31
32
+
## July 2024
33
+
34
+
- (Preview) You can now customize columns in the **Incidents** and **Alerts** queues in the Microsoft Defender portal. You can add, remove, reorder columns to display the information you need. For more information, see how to customize columns in the [incident queue](incident-queue.md#incident-queue) and [alert queue](investigate-alerts.md).
35
+
36
+
- (Preview) **Critical assets** are now part of the tags in the incident and alert queues. When a critical asset is involved in an incident or alert, the critical asset tag is displayed in the queues. For more information, see [incident tags](manage-incidents.md#add-incident-tags) and the [alert queue](investigate-alerts.md).
37
+
38
+
- (Preview) Incidents are now arranged according to the latest automatic or manual updates made to an incident. Read about the **last update time** column in the [incident queue](incident-queue.md#incident-queue).
39
+
32
40
## June 2024
33
41
34
42
- (Preview) **[Content distribution through tenant groups in multitenant management](mto-tenantgroups.md)** is now available. Content distribution helps you manage content at scale across tenants in multitenant management in Microsoft Defender XDR. In content distribution, you can create tenant groups to copy existing content, like custom detection rules, from the source tenant to the target tenants you assign during tenant group creation. The content then runs on the target tenant's devices or device groups that you set in the tenant group scope.
0 commit comments