Incidents
Security incidents correlate related alerts into a single investigation view. Microsoft 365 Defender automatically groups alerts that are part of the same attack, providing context and reducing alert fatigue.
Note: Incidents combine alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single timeline. Investigate the full attack story in one place.
Incident Dashboard
- 3 — Active (High)
- 8 — Active (Medium)
- 15 — In Progress
- 142 — Resolved (last 30 days)
Incident List
| Column | Description |
|---|---|
| Incident ID | Unique identifier |
| Incident Name | Auto-generated or custom name |
| Severity | High, Medium, Low, Informational |
| Status | Active, In Progress, Resolved |
| Alerts | Number of correlated alerts |
| Entities | Users, devices, mailboxes involved |
| Categories | Attack categories (Malware, Phishing, etc.) |
| First Activity | When incident started |
| Last Activity | Most recent related activity |
| Assigned To | Analyst handling incident |
Incident Categories
- Malware — Ransomware, trojans, viruses, worms detected on endpoints
- Phishing — Credential harvesting, malicious emails, fake login pages
- Credential Theft — Password attacks, stolen credentials, identity compromise
- Lateral Movement — Attackers moving between systems in the network
- Persistence — Attackers establishing foothold for continued access
- Data Exfiltration — Unauthorized data transfer outside organization
Incident Details
Each incident provides comprehensive investigation context:
Attack Story
Visual timeline showing how the attack progressed. See initial compromise, lateral movement, and impact across all affected entities.
Alerts
All correlated alerts with full details. Understand each detection that contributed to the incident.
Assets
Affected users, devices, mailboxes, and applications. Quick access to entity details and remediation actions.
Evidence
Files, processes, registry keys, network connections, and other artifacts collected during investigation.
Graph Investigation
Visual graph showing relationships between entities. Understand how the attack spread through your environment.
Incident Response
- Triage — Review incident summary, severity, and affected scope. Assign to analyst.
- Investigate — Analyze attack story, review alerts, examine evidence. Determine full scope.
- Contain — Isolate affected devices, block compromised accounts, quarantine malware.
- Remediate — Remove malware, reset credentials, patch vulnerabilities, clean systems.
- Recover — Restore services, re-enable accounts, verify systems are clean.
- Post-Incident — Document lessons learned, improve defenses, update procedures.
Response Actions
Device Actions
- Isolate device from network
- Run full antivirus scan
- Collect investigation package
- Restrict app execution
- Initiate live response session
User Actions
- Reset password
- Revoke all sessions
- Block sign-in
- Require MFA re-registration
- Confirm compromised
Email Actions
- Soft delete email
- Hard delete email
- Move to junk
- Block sender
- Submit for analysis
File Actions
- Quarantine file
- Block file (hash)
- Download file for analysis
- Add to allow list
Automated Investigation
Microsoft 365 Defender can automatically investigate and remediate incidents:
Auto Investigation
The system automatically expands the investigation scope, collects evidence, and analyzes entities related to the initial alerts.
Pending Actions
Suggested remediation actions await analyst approval before execution. Review and approve recommended actions.
Auto Remediation
If configured, the system can automatically remediate threats, such as quarantining malware or blocking malicious URLs.
API Reference
- GET /api/security/incidents — List security incidents
- GET /api/security/incidents/:id — Get incident details
- GET /api/security/incidents/:id/alerts — List alerts in incident
- PATCH /api/security/incidents/:id — Update incident status/assignment
- POST /api/security/incidents/:id/comments — Add investigation notes
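A triage script against the routes above, added here as an illustration (not the portal's own client): it pulls the incident list, orders active unassigned incidents High-first and newest-first, then moves the top of the queue to In Progress with a PATCH and records a note with a POST. Bearer-token auth, JSON bodies, the record field names (incident_id, severity, status, assigned_to, last_activity) and the PATCH body shape are assumptions, since the page documents only the routes; the sample records and in-memory transport are constructed so it runs offline.

```python
import json
import urllib.request

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}  # Severity column values

def urllib_transport(method, url, body=None, token=""):
    """Real HTTP transport; assumes bearer-token auth and JSON bodies (not confirmed by the page)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def triage_queue(incidents):
    """Active, unassigned incidents: High severity first, then most recent activity first."""
    queue = [i for i in incidents if i["status"] == "Active" and not i.get("assigned_to")]
    queue.sort(key=lambda i: i["last_activity"], reverse=True)     # newest first
    queue.sort(key=lambda i: SEVERITY_RANK.get(i["severity"], 9))  # stable sort: severity decides
    return queue

def assign_incidents(base_url, token, analyst, transport=urllib_transport, limit=5):
    """GET the list, PATCH the top `limit` queue entries to `analyst`, POST a triage note."""
    incidents = transport("GET", f"{base_url}/api/security/incidents", token=token)
    assigned = []
    for inc in triage_queue(incidents)[:limit]:
        url = f"{base_url}/api/security/incidents/{inc['incident_id']}"
        transport("PATCH", url, {"status": "In Progress", "assigned_to": analyst}, token=token)
        transport("POST", url + "/comments", {"text": f"Triage: assigned to {analyst}"}, token=token)
        assigned.append(inc["incident_id"])
    return assigned

# Constructed sample records; field names are assumed from the Incident List columns.
SAMPLE_INCIDENTS = [
    {"incident_id": 101, "severity": "Medium", "status": "Active", "assigned_to": None, "last_activity": "2024-05-01T09:00:00Z"},
    {"incident_id": 102, "severity": "High", "status": "Active", "assigned_to": None, "last_activity": "2024-05-01T08:00:00Z"},
    {"incident_id": 103, "severity": "High", "status": "Active", "assigned_to": "alice", "last_activity": "2024-05-01T10:00:00Z"},
    {"incident_id": 104, "severity": "High", "status": "Active", "assigned_to": None, "last_activity": "2024-05-01T11:00:00Z"},
    {"incident_id": 105, "severity": "Low", "status": "Resolved", "assigned_to": None, "last_activity": "2024-04-20T00:00:00Z"},
]

def make_memory_transport(incidents, log):
    """Offline transport: answers GET with the sample list and records every call in `log`."""
    def transport(method, url, body=None, token=""):
        log.append((method, url, body))
        return [dict(i) for i in incidents] if method == "GET" else {}
    return transport

def run_demo(limit=2):
    """Triage the sample data; returns (assigned incident ids, calls the script made)."""
    calls = []
    transport = make_memory_transport(SAMPLE_INCIDENTS, calls)
    return assign_incidents("https://portal.example", "TOKEN", "bob", transport=transport, limit=limit), calls
```

Incident 103 is skipped because it is already assigned and 105 because it is Resolved; with the default limit the script assigns 104 and 102 and leaves the Medium incident 101 in the queue.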