You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/manage-incidents.md
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -38,40 +38,42 @@ Selecting an incident from the **Incidents queue** brings up the **Incident mana
38
38
You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
39
39
40
40
> [!TIP]
41
-
> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
41
+
> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.
42
42
>
43
43
> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
44
44
>
45
-
> Incidents that existed prior the rollout of automatic incident naming will retain their names.
45
+
> Incidents that existed prior to the rollout of automatic incident naming retain their names.
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
51
+
If an incident hasn't been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
52
52
53
53
## Set status and classification
54
54
### Incident status
55
55
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
56
56
57
-
For example, your SOC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
57
+
For example, your SOC analyst can review the urgent **Active** incidents for the day, and decide to assign them to their self for investigation.
58
58
59
-
Alternatively, your SOC analyst might set the incident as **Resolved** if the incident has been remediated.
59
+
Alternatively, your SOC analyst might set the incident as **Resolved** if the incident was remediated.
60
60
61
61
### Classification
62
62
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
63
63
64
64
### Add comments
65
65
You can add comments and view historical events about an incident to see previous changes made to it.
66
66
67
-
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
67
+
Whenever a change or comment is made to an alert, it's recorded in the Comments and history section.
68
68
69
69
Added comments instantly appear on the pane.
70
70
71
71
72
72
73
-
## Related topics
73
+
## Related articles
74
+
74
75
-[Incidents queue](view-incidents-queue.md)
75
76
-[View and organize the Incidents queue](view-incidents-queue.md)
0 commit comments