unified-secops-platform/mto-incidents-alerts.md
22 additions & 17 deletions
@@ -28,20 +28,16 @@ Manage incidents & alerts originating from multiple tenants under **Incidents &
28
28
29
29
## View and investigate incidents
30
30
31
-
To view or investigate an incident:
31
+
To view or investigate an incident:
32
32
33
33
1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in Microsoft Defender multitenant management. The **Tenant name** column shows which tenant the incident originates from:
34
34
35
35
:::image type="content" source="media/mto-incidents-alerts/mto-incidents.png" alt-text="Screenshot of the Microsoft Defender multitenant incidents page." lightbox="media/mto-incidents-alerts/mto-incidents.png":::
36
36
37
-
2. Select the incident you want to view. A flyout panel opens with the incident details page:
37
+
1. Select the incident you want to view. A flyout opens with the incident details pane, where you can:
38
38
39
-
:::image type="content" source="media/mto-incidents-alerts/mto-incident-details.png" alt-text="Screenshot of the Microsoft Defender multitenant incidents details page." lightbox="media/mto-incidents-alerts/mto-incident-details.png":::
40
-
41
-
3. From the incident details page you can:
42
-
43
-
- Select **Open incident page** to view this incident in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com).
44
-
- Select **Manage incident** to assign the incident, set incident tags, set the incident status, and classify the incident.
39
+
- Select **Open incident page** to view this incident in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com).
40
+
- Select **Manage incident** to assign the incident, set incident tags, set the incident status, and classify the incident.
45
41
46
42
To learn more, see [Investigate incidents](/defender-endpoint/investigate-incidents).
47
43
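Review bot: The rewritten step 2 calls the same surface both a "flyout" and a "pane" ("A flyout opens with the incident details pane, where you can:"), while the next hunk in this file uses "flyout pane" as a single term; pick one name and use it in both places. The change also drops the reference to media/mto-incidents-alerts/mto-incident-details.png, so if nothing else uses that image it should be deleted in the same commit, and it is worth confirming the two bullets are still indented under the step so they render as its sub-list.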
@@ -54,7 +50,7 @@ To manage incidents across multiple tenants:
54
50
55
51
:::image type="content" source="media/mto-incidents-alerts/mto-manage-incidents.png" alt-text="Screenshot that highlights the manage incidents option on the incidents page in Microsoft Defender multitenant management." lightbox="media/mto-incidents-alerts/mto-manage-incidents.png":::
56
52
57
-
On the incidents fly-out you can assign incidents, assign incidents tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously.
53
+
On the incidents flyout pane you can assign incidents, assign incidents tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously.
58
54
59
55
>[!Note]
60
56
> Currently, you can only assign multiple incidents from same tenant.
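Review bot: The edited sentence still reads "assign incidents tags", which should be "assign incident tags" now that the line is being touched anyway. The wording also promises assigning "for multiple tenants simultaneously" while the note directly below limits assignment to a single tenant; the Manage alerts paragraph later in this commit states that limit inline, and this sentence should do the same so an analyst does not expect cross-tenant assignment to work.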
@@ -69,10 +65,10 @@ To view or investigate an alert:
69
65
70
66
:::image type="content" source="media/mto-incidents-alerts/mto-alerts-details.png" alt-text="Screenshot of alert details page for an alert in Microsoft Defender multitenant management." lightbox="media/mto-incidents-alerts/mto-alerts-details.png":::
71
67
72
-
2. From the alert details page you can:
68
+
1. From the alert details pane you can:
73
69
74
-
- Select actions such as **Open alerts page**, **See in timeline**, and **Tune alert** to view this alert in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com).
75
-
- Select **Manage alert** to assign the alert, set the alert status, and classify the alert.
70
+
- Select actions such as **Open alerts page**, **Move alert to another incident**, and **Tune alert** to view this alert in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com).
71
+
- Select **Manage alert** to assign the alert, set the alert status, and classify the alert.
76
72
77
73
To learn more, see [Investigate alerts](/defender-endpoint/investigate-alerts).
78
74
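Review bot: In the added first bullet, replacing **See in timeline** with **Move alert to another incident** leaves the tail "to view this alert in a new tab for the specific tenant" attached to an action that does not view anything; the Move alerts section added later in this file says it opens a pane where the alert is reassigned. Split the bullet so the view actions (**Open alerts page**, **Tune alert**) keep the "new tab" wording and the move action gets its own bullet that points to the new section.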
@@ -81,15 +77,24 @@ To learn more, see [Investigate alerts](/defender-endpoint/investigate-alerts).
81
77
To manage alerts across multiple tenants:
82
78
83
79
1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in Microsoft Defender multitenant management.
84
-
2. Choose the alerts you want to manage from the alerts list and select **Manage alerts**.
80
+
1. Choose the alerts you want to manage from the alerts list and select **Manage alerts**.
85
81
86
82
:::image type="content" source="media/mto-incidents-alerts/mto-manage-alerts.png" alt-text="Screenshot that highlights the manage alerts option for selected alerts in Microsoft Defender multitenant management." lightbox="media/mto-incidents-alerts/mto-manage-alerts.png":::
87
83
88
-
On the alert fly-out you can assign alerts, set the alert status, and classify the alerts for multiple tenants simultaneously.
84
+
Use the **Manage alerts** pane to set alert status, assign alerts, set classifications, and add comments for multiple alerts simultaneously. While alert status, classifications, and comments can be added across tenants, assigning alerts can only be done for alerts from the same tenant.
85
+
86
+
For more information, see [Manage alerts](/defender-xdr/investigate-alerts#manage-alerts).
87
+
88
+
## Move alerts
89
+
90
+
Move an alert to a different incident to help you better organize and correlate related security events. For example, you might find that multiple alerts are part of the same security breach, and want to include them all in the same incident. This ensures that all relevant information is grouped together, enabling more efficient investigation and response.
91
+
92
+
To move one or more alerts:
93
+
94
+
- On the **Alerts** page, select one or more alerts and then select **Move alerts**
95
+
- On an alert details pane or alert details page, select **Move alert to another incident**
89
96
90
-
> [!Note]
91
-
> Currently, you can only assign multiple alerts from same tenant.
92
-
To learn more about alerts in the Microsoft Defender portal, see [Manage alerts](/defender-endpoint/manage-alerts).
97
+
In the **Move alert to another incident** pane, define whether you want to create a new incident, or use an existing incident. If you choose to use an existing incident, search for the incident by name or ID and add a reason for the change. In all cases, add a comment describing your change before you select **Save**.
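Review bot: The new Move alerts section does not say whether an alert can be moved to an incident that belongs to a different tenant, even though the paragraph just above it spells out that assignment only works within one tenant; on a multitenant page that scope needs to be stated explicitly. Two smaller points in the same section: "To move one or more alerts:" is followed by two alternatives rather than steps, so it should read "do one of the following" and the bullets need closing periods, and the last paragraph asks for both "a reason for the change" and "a comment describing your change" without saying whether these are separate fields.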
unified-secops-platform/overview-defender-portal.md
0 additions & 2 deletions
@@ -222,8 +222,6 @@ For more information, see [Microsoft Defender Vulnerability Management](/defende
222
222
223
223
In the **Email & collaboration** section, monitor, investigate, and manage security threats and responses to email and collaboration apps with Microsoft Defender for Office 365.
224
224
225
-
<!--can we get a better screenshot here?-->
226
-
227
225
:::image type="content" source="./media/overview-defender-portal/email-investigations.png" alt-text="Screenshot of the Email Investigations page in the Microsoft Defender portal" lightbox="./media/overview-defender-portal/email-investigations.png":::
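Review bot: Deleting the comment "can we get a better screenshot here?" removes the only record of that open question while the image source on the following line is unchanged, so the screenshot issue is not actually resolved by this change. Either replace email-investigations.png in this commit or move the question to a tracked work item before dropping the comment.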