defender-xdr/incident-queue.md: 8 additions & 5 deletions
@@ -18,7 +18,7 @@ ms.topic: concept-article
18
18
search.appverid:
19
19
- MOE150
20
20
- MET150
21
-
ms.date: 06/04/2025
21
+
ms.date: 26/10/2025
22
22
appliesto:
23
23
- Microsoft Defender XDR
24
24
- Microsoft Sentinel in the Microsoft Defender portal
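Review bot: The new `ms.date: 26/10/2025` on the + line is not a valid month-first date (there is no month 26). The value it replaces, `06/04/2025`, is in MM/DD/YYYY order, so the new value should read `10/26/2025` to stay consistent with the rest of the front matter.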
@@ -40,7 +40,7 @@ Select **Most recent incidents and alerts** to toggle a timeline chart of the nu
40
40
41
41
:::image type="content" source="./media/incidents-queue/most-recent-incidents.png" alt-text="Screenshot of 24-hour incident graph." lightbox="./media/incidents-queue/most-recent-incidents.png":::
42
42
43
-
The incident queue includes Defender Queue Assistant that helps security teams cut through alert noise and focus on the incidents that matter most. By leveraging a new AI-based machine learning prioritization algorithm, the Queue Assistant surfaces the highest-priority incidents, explains the reasoning behind each score, and provides intuitive tools for sorting and filtering the incident queue. The priority score to each incident may be based on Microsoft native alerts, custom detections or third-party signals. The algorithm is trained on real-world anonymized data and considers the following data points when calculating the priority score:
43
+
The incident queue includes Defender Queue Assistant that helps security teams cut through alert noise and focus on the incidents that matter most. Using an AI-based, machine learning prioritization algorithm, the Queue Assistant surfaces the highest-priority incidents, explains the reasoning behind each score, and provides intuitive tools for sorting and filtering the incident queue. The priority score to each incident can be based on Microsoft native alerts, custom detections, or third-party signals. The algorithm is trained on real-world anonymized data and considers the following data points when calculating the priority score:
44
44
+ Attack disruption signals
45
45
+ Threat analytics
46
46
+ Severity
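Review bot: The rewritten paragraph on line 43 still says "The priority score to each incident can be based on"; "to" should be "for" ("The priority score for each incident can be based on"). The comma in "an AI-based, machine learning prioritization algorithm" splits two stacked modifiers of one noun phrase; either drop the comma or tighten the phrase to "a machine learning prioritization algorithm".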
@@ -56,6 +56,9 @@ Incidents are automatically assigned a priority score from 0 to 100, with 100 be
56
56
57
57
:::image type="content" source="./media/incidents-queue/incidents-page.png" alt-text="Screenshot of the Incidents queue in the Microsoft Defender portal." lightbox="./media/incidents-queue/incidents-page.png":::
58
58
59
+
Select the incident row anywhere except the incident name, to display a summary pane with key information about the incident. The pane includes the priority assessment, the factors influencing the priority score, the incident's details, recommended actions, and related threats. Use the up and down arrows at the top of the pane to navigate to the previous or next incident in the incident queue. For more information on investigating the incident, see [Investigate incidents](investigate-incidents.md).
60
+
61
+
:::image type="content" source="./media/investigate-incidents/incident-side-panel.png" alt-text="Selecting an incident in the Microsoft Defender portal" lightbox="./media/investigate-incidents/incident-side-panel.png":::
59
62
60
63
By default, the incident queue show incidents created in the last week. Choose a different time frame by selecting time selector drop-down above the queue.
61
64
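Review bot: In the added paragraph on line 59, the comma in "Select the incident row anywhere except the incident name, to display a summary pane" separates the verb from its purpose clause and should be dropped. The added image on line 61 reuses the investigate-incidents side-panel screenshot with the alt-text "Selecting an incident in the Microsoft Defender portal", which does not follow the "Screenshot of ..." alt-text pattern the other images in this file use; align it. While this area is being touched, the unchanged context line "By default, the incident queue show incidents" needs "shows".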
@@ -64,7 +67,7 @@ By default, the incident queue show incidents created in the last week. Choose a
64
67
65
68
The **total number of incidents** in the queue is displayed next to the time selector. The number of incidents varies depending on the filters in use. You can search for incidents by name or incident ID
66
69
67
-
Select **Customize columns** to select columns displayed in the queue. Check or uncheck the columns you want to see in the incident queue. Arrange the order of the columns by dragging them upa nd down.
70
+
Select **Customize columns** to select columns displayed in the queue. Check or uncheck the columns you want to see in the incident queue. Arrange the order of the columns by dragging them up and down.
68
71
69
72
:::image type="content" source="./media/incidents-queue/incident-toolbar.png" alt-text="Screenshot of Incident page filter and column controls." lightbox="./media/incidents-queue/incident-toolbar.png":::
70
73
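Review bot: The "upa nd" to "up and" fix on line 70 is correct. The unchanged context line just above it, "You can search for incidents by name or incident ID", is missing its terminal period and could be fixed in the same change.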
@@ -87,11 +90,11 @@ The incident queue also provides multiple filtering options, that when applied,
The **Filters** list above the incident queue shows the current filters currently applied to the queue. Select **Add filter** to apply additional filters to limit the set of incidents shown.
93
+
The **Filters** list above the incident queue shows the current filters currently applied to the queue. Select **Add filter** to apply more filters to limit the set of incidents shown.
91
94
92
95
:::image type="content" source="./media/incidents-queue/incident-filters-small.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal." lightbox="./media/incidents-queue/incident-filters.png":::
93
96
94
-
Select the filters you want to use, then select **Add** The selected filters are shown along with the existing applied filters. Select the new filter to specify its conditions. For example, if you chose the "Service/detection sources" filter, select it to choose the sources by which to filter the list.
97
+
Select the filters you want to use, then select **Add**. The selected filters are shown along with the existing applied filters. Select the new filter to specify its conditions. For example, if you chose the "Service/detection sources" filter, select it to choose the sources by which to filter the list.
95
98
96
99
You can remove a filter by selecting the **X** on the filter name in the filters list.
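Review bot: The + line on 93 keeps the redundant "shows the current filters currently applied"; drop either "current" or "currently". The period added after **Add** on line 97 is correct and fixes a run-on in the original.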
defender-xdr/investigate-incidents.md: 6 additions & 6 deletions
@@ -34,14 +34,14 @@ Within an incident, you analyze the alerts, understand what they mean, and colla
34
34
35
35
Before diving into the details, take a look at the properties and the entire attack story of the incident.
36
36
37
-
You can start by selecting the incident from by selecting on the row, but not selecting the incident name. A summary pane opens with key information about the incident, including the priority assessment, the factors influencing the priority score, the incident's details, recommended actions, and related threats. Use the up and down arrows at the top of the pane to navigate to the previous or next incident in the incident queue.
37
+
You can start by selecting the incident row, but not selecting the incident name. A summary pane opens with key information about the incident, including the priority assessment, the factors influencing the priority score, the incident's details, recommended actions, and related threats. Use the up and down arrows at the top of the pane to navigate to the previous or next incident in the incident queue.
38
38
39
39
:::image type="content" source="./media/investigate-incidents/incident-side-panel.png" alt-text="Selecting an incident in the Microsoft Defender portal" lightbox="./media/investigate-incidents/incident-side-panel.png":::
40
40
41
41
From here, you can select **Open incident page**. This opens the main page for the incident where you'll find the full attack story information and tabs for alerts, devices, users, investigations, and evidence. You can also open the main page for an incident by selecting the incident name from the incident queue.
42
42
43
43
> [!NOTE]
44
-
> Users with provisioned access to Microsoft Security Copilot will see the Copilot pane on the right side of the screen when they open an incident. Copilot provides real-time insights and recommendations to help you investigate and respond to incidents. For more information, see [Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md).
44
+
> Users with provisioned access to Microsoft Security Copilot see the Copilot pane on the right side of the screen when they open an incident. Copilot provides real-time insights and recommendations to help you investigate and respond to incidents. For more information, see [Microsoft Copilot in Microsoft Defender](security-copilot-in-microsoft-365-defender.md).
45
45
46
46
## Attack story
47
47
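Review bot: The rewritten line 37, "selecting the incident row, but not selecting the incident name", still reads awkwardly; the incident-queue.md change in this same commit phrases the same action as "Select the incident row anywhere except the incident name", and the two files should use matching wording. The Copilot note change from "will see" to "see" on line 44 is fine.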
@@ -62,7 +62,7 @@ The incident alert page has these sections:
62
62
63
63
- Alert properties in the right pane (state, details, description, and others)
64
64
65
-
Note that not every alert will have all of the listed subsections in the **Alert story** section.
65
+
Not every alert has all of the listed subsections in the **Alert story** section.
66
66
67
67
The graph shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went. It connects the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.
68
68
@@ -76,7 +76,7 @@ From the graph, you can:
76
76
77
77
:::image type="content" source="./media/investigate-incidents/review-entity-details-attack-story.gif" alt-text="Screenshot that shows the review of the entity details on the attack story graph page.":::
78
78
79
-
- Highlight the alerts based on the entity to which they are related.
79
+
- Highlight the alerts based on the entity to which they're related.
80
80
81
81
- Hunt for entity information of a device, file, IP address, URL, user, email, mailbox, or cloud resource.
82
82
@@ -90,7 +90,7 @@ The ***go hunt*** action takes advantage of the [advanced hunting](advanced-hunt
90
90
91
91
:::image type="content" source="./media/investigate-incidents/fig1-gohunt-attackstory.png" alt-text="Selecting the go hunt option on a device in an attack story" lightbox="./media/investigate-incidents/fig1-gohunt-attackstory.png":::
92
92
93
-
The resulting logs or alerts can be linked to an incident by selecting a results and then selecting *Link to incident*.
93
+
The resulting logs or alerts can be linked to an incident by selecting a result and then selecting *Link to incident*.
94
94
95
95
:::image type="content" source="./media/investigate-incidents/fig2-gohunt-attackstory.png" alt-text="Highlighting the link to incident option in go hunt query results" lightbox="./media/investigate-incidents/fig2-gohunt-attackstory.png":::
96
96
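Review bot: The "a results" to "a result" fix on line 93 is correct. Style: *Link to incident* is a UI action but is italicized, whereas other UI elements in this file (for example **Open incident page** on line 41) use bold; consider **Link to incident** for consistency.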
@@ -112,7 +112,7 @@ The following prerequisites are required to use the blast radius graph:
112
112
+ You must be onboarded to Microsoft Sentinel data lake. For more information, see [Onboarding to Microsoft Sentinel data lake and graph](/azure/sentinel/datalake/sentinel-lake-onboarding).
113
113
+ Exposure management (read) permission or higher. For more information, see [Manage permissions with Microsoft Defender XDR Unified role-based access control (RBAC)](/security-exposure-management/prerequisites#manage-permissions-with-microsoft-defender-xdr-unified-role-based-access-control-rbac).
114
114
> [!IMPORTANT]
115
-
> Attack paths and blast radius features are calculated based on the organization’s available environment data. The value in the graph increases as more data is available for its calculation. If no further workloads are enabled or critical assets aren't fully defined,blast radius graphs won't fully represent your environmental risks. For more information on defining critical assets, see [Review and classify critical assets](/security-exposure-management/classify-critical-assets).
115
+
> Attack paths and blast radius features are calculated based on the organization’s available environment data. The value in the graph increases as more data is available for its calculation. If no further workloads are enabled or critical assets aren't fully defined,blast radius graphs won't fully represent your environmental risks. For more information on defining critical assets, see [Review and classify critical assets](/security-exposure-management/classify-critical-assets).
116
116
117
117
The following table summarizes the blast radius analysis use cases for different user roles:
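Review bot: The removed and added lines at 115 are textually identical in the rendered diff, so the change is invisible (likely whitespace or a non-printing character); the commit message or PR description should say what was changed. Both versions also still contain "aren't fully defined,blast radius graphs" with a missing space after the comma, which this line could fix while it is being touched.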