defender-xdr/incident-queue.md: 6 additions & 3 deletions
@@ -18,7 +18,7 @@ ms.topic: conceptual
search.appverid:
- MOE150
- MET150
-
ms.date: 06/05/2024
+
ms.date: 07/02/2024
appliesto:
- Microsoft Defender XDR
- Microsoft Sentinel in the Microsoft Defender portal
@@ -42,9 +42,12 @@ Select **Most recent incidents and alerts** to toggle the expansion of the top s
:::image type="content" source="/defender/media/incidents-queue/incidents-ss-incidents2.png" alt-text="Screenshot of 24-hour incident graph." lightbox="/defender/media/incidents-queue/incidents-ss-incidents2.png":::
-
Below that, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first. You can choose a different time frame by selecting it from the drop-down at the top.
+
Below that, the incident queue in the Microsoft Defender portal displays incidents seen in the last six months. You can choose a different time frame by selecting it from the drop-down at the top. Incidents are arranged according to the latest automatic or manual updates made to an incident. You can arrange the incidents by **last update time** column to view incidents according to the latest automatic or manual updates made.
-
The incident queue has customizable columns (select **Customize columns**) that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis.
+
The incident queue has customizable columns that give you visibility into different characteristics of the incident or the impacted entities. This filtering helps you make an informed decision regarding the prioritization of incidents for analysis. Select **Customize columns** to perform the following customizations based on your preferred view:
+
+
- Check/uncheck the columns you want to see in the incident queue.
+
- Arrange the order of the columns by dragging them.
:::image type="content" source="/defender/media/incidents-queue/incidents-ss-incidents-3.png" alt-text="Screenshot of Incident page filter and column controls." lightbox="/defender/media/incidents-queue/incidents-ss-incidents-3.png":::
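Review bot: in the new line 45, the two sentences about ordering say the same thing twice, and the second one is missing the article before the column name ("by **last update time** column"); collapse them into one sentence, for example "By default, incidents are sorted by the **last update time** column, which reflects the latest automatic or manual update made to an incident." The deleted sentence told readers the newest incident sits at the top; now that the default is last-update order, an incident that was created long ago but just received an automated action will move to the top, and that is worth stating explicitly so analysts don't read the top of the queue as "newest". Separately, the new line 47 still says "This filtering helps you make an informed decision" right after a sentence about customizable columns, not filters; "Choosing the right columns helps" fits the new wording.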
defender-xdr/investigate-alerts.md: 12 additions & 2 deletions
@@ -22,7 +22,7 @@ ms.topic: conceptual
search.appverid:
- MOE150
- met150
-
ms.date: 06/05/2024
+
ms.date: 07/02/2024
---
# Investigate alerts in Microsoft Defender XDR
@@ -46,7 +46,7 @@ The **Alerts queue** shows the current set of alerts. You get to the alerts queu
Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Defender for Office 365, Microsoft Sentinel, Defender for Cloud, Defender for Identity, Defender for Cloud Apps, Defender XDR, App Governance, Microsoft Entra ID Protection, and Microsoft Data Loss Prevention appear here.
-
By default, the alerts queue in the Microsoft Defender portal displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
+
By default, the alerts queue in the Microsoft Defender portal displays the new and in progress alerts from the last seven days. The most recent alert is at the top of the list so you can see it first.
From the default alerts queue, you can select **Filter** to see a **Filter** pane, from which you can specify a subset of the alerts. Here's an example.
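Review bot: line 49 changes the default window from 30 days to seven days, which is a user-visible behaviour change rather than a wording fix, and the commit gives no indication whether the product default changed or the 30-day figure was simply wrong. If the default really is now seven days, the sentence should also say how to widen it, and the **Filter** pane introduced on line 51 is the natural place to point to, since an analyst triaging a week-old alert will otherwise not see it in the default view. Whichever it is, any other page that quotes the alerts queue default needs the same figure.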
@@ -64,6 +64,16 @@ You can filter alerts according to these criteria:
- Automated investigation state
- Alert subscription IDs
+
An alert can have system tags and/or custom tags with certain color backgrounds. Custom tags use the white background while system tags typically use red or black background colors. System tags identify the following in an incident:
+
+
- A **type of attack**, like ransomware or credential phishing
+
-**Automatic actions**, like automatic investigation and response and automatic attack disruption
+
-**Defender Experts** handling an incident
+
-**Critical assets** involved in the incident
+
+
> [!TIP]
+
> Microsoft's Security Exposure Management, based on predefined classifications, automatically tags devices, identities, and cloud resources as a **critical asset**. This out-of-the-box capability ensures the protection of an organization’s valuable and most important assets. It also helps security operations teams to prioritize investigation and remediation. Know more about [critical asset management](/security-exposure-management/critical-asset-management).
+
## Required roles for Defender for Office 365 alerts
You'll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:
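Review bot: lines 70 to 72 are written as `-**Automatic actions**`, `-**Defender Experts**` and `-**Critical assets**` with no space after the hyphen, so Markdown will not treat them as list items and the list on line 69 renders with a single bullet followed by three run-on lines; add the space as on line 69. The lead sentence on line 67 says "System tags identify the following in an incident:" and the bullets say "handling an incident" and "involved in the incident", but this is the alerts page and the paragraph starts with "An alert can have system tags"; say alert here (or "alert or incident") so the reader isn't left guessing whether the tag is on the alert or inherited from its incident. Minor: "Know more about" on line 75 should be "Learn more about", the phrasing used elsewhere in this doc set.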
defender-xdr/manage-incidents.md: 11 additions & 1 deletion
@@ -17,7 +17,7 @@ ms.topic: conceptual
search.appverid:
- MOE150
- MET150
-
ms.date: 06/05/2024
+
ms.date: 07/02/2024
---
# Manage incidents in Microsoft Defender
@@ -80,6 +80,16 @@ You can add custom tags to an incident, for example to flag a group of incidents
The option to select from a list of previously used and selected tags appear after you start typing.
+
An incident can have system tags and/or custom tags with certain color backgrounds. Custom tags use the white background while system tags typically use red or black background colors. System tags identify the following in an incident:
+
+
- A **type of attack**, like credential phishing or BEC fraud
+
-**Automatic actions**, like automatic investigation and response and automatic attack disruption
+
-**Defender Experts** handling an incident
+
-**Critical assets** involved in the incident
+
+
> [!TIP]
+
> Microsoft's Security Exposure Management, based on predefined classifications, automatically tags devices, identities, and cloud resources as a **critical asset**. This out-of-the-box capability ensures the protection of an organization’s valuable and most important assets. It also helps security operations teams to prioritize investigation and remediation. Know more about [critical asset management](/security-exposure-management/critical-asset-management).
+
## Assign an incident
You can select the **Assign to** box and specify the user account to assign an incident. To reassign an incident, remove the current assignment account by selecting the "x" next to the account name and then select the **Assign to** box. Assigning ownership of an incident assigns the same ownership to all the alerts associated with it.
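Review bot: lines 86 to 88 have the same broken list syntax as the alerts page (`-**Automatic actions**` with no space after the hyphen), so only the first bullet on line 85 renders as a list item; add the space. Lines 83 to 91 are otherwise a near-verbatim copy of the block added to investigate-alerts.md, differing only in the attack-type examples ("credential phishing or BEC fraud" here, "ransomware or credential phishing" there) and the same "Know more about" wording; since both pages describe the same tag semantics, consider moving the block into a shared include so the two copies cannot drift, and pick one set of examples. The unchanged context on line 81, "The option ... appear after you start typing", also has a subject-verb mismatch ("appears") that could be fixed while this section is being touched.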
defender-xdr/whats-new.md: 9 additions & 1 deletion
@@ -6,7 +6,7 @@ ms.service: defender-xdr
ms.author: diannegali
author: diannegali
ms.localizationpriority: medium
-
ms.date: 06/05/2024
+
ms.date: 07/02/2024
manager: dansimp
audience: ITPro
ms.collection:
@@ -29,6 +29,14 @@ For more information on what's new with other Microsoft Defender security produc
You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
+
## July 2024
+
+
- (Preview) You can now customize columns in the **Incidents** and **Alerts** queues in the Microsoft Defender portal. You can add, remove, reorder columns to display the information you need. For more information, see how to customize columns in the [incident queue](incident-queue.md#incident-queue) and [alert queue](investigate-alerts.md).
+
+
- (Preview) **Critical assets** are now part of the tags in the incident and alert queues. When a critical asset is involved in an incident or alert, the critical asset tag is displayed in the queues. For more information, see [incident tags](manage-incidents.md#add-incident-tags) and the [alert queue](investigate-alerts.md).
+
+
- (Preview) Incidents are now arranged according to the latest automatic or manual updates made to an incident. Read about the **last update time** column in the [incident queue](incident-queue.md#incident-queue).
+
## June 2024
- (Preview) **[Content distribution through tenant groups in multitenant management](mto-tenantgroups.md)** is now available. Content distribution helps you manage content at scale across tenants in multitenant management in Microsoft Defender XDR. In content distribution, you can create tenant groups to copy existing content, like custom detection rules, from the source tenant to the target tenants you assign during tenant group creation. The content then runs on the target tenant's devices or device groups that you set in the tenant group scope.
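Review bot: this same commit changes the alerts queue default window from 30 days to seven days in investigate-alerts.md, but that change is not listed under July 2024 on lines 33 to 38; if it reflects a product change it belongs here, because it is the one item in this commit that alters what an analyst sees without touching any setting. On line 34, "You can add, remove, reorder columns" needs "and" before "reorder". Lines 34 and 36 link to `investigate-alerts.md` with no anchor while the incident-queue links carry `#incident-queue`; since the alerts page is long, point the alert-queue links at the section that actually describes column customization and the system tags so readers land on the relevant text.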