Incidents in Microsoft Defender ATP

Applies to:

When a cybersecurity threat is emerging, or a potential attacker is deploying their tactics, techniques/tools, and procedures (TTPs) on the network, Microsoft Defender ATP quickly triggers alerts and launches matching automatic investigations.

Microsoft Defender ATP applies correlation analytics and aggregates all related alerts and investigations into a single incident. Doing so tells the broader story of an attack, giving you the right visuals (the upgraded incident graph) and data representations to understand and respond to complex cross-entity threats to your organization's network.
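To make the idea of entity-based correlation concrete, here is an added illustration of how alerts that share an entity (device, user, or file hash) can be grouped transitively into incidents. This is example code written for this page; it is not Microsoft Defender ATP's correlation logic, and the alert records, entity keys, and the `correlate` function are constructed assumptions. It also shows the caveat a practitioner runs into: a very common entity (a shared service account, a widely deployed binary) can chain unrelated alerts into one oversized incident, so such entities should be excluded from correlation.

```python
from collections import defaultdict

# Constructed sample alerts (not real Defender ATP data). Each alert lists the
# entities it touched; alerts sharing any entity are treated as related.
SAMPLE_ALERTS = [
    {"id": "A1", "title": "Suspicious PowerShell", "device": "host-01", "user": "alice", "sha256": "hash-x"},
    {"id": "A2", "title": "Credential dumping",    "device": "host-01", "user": "alice", "sha256": "hash-y"},
    {"id": "A3", "title": "Lateral movement",      "device": "host-02", "user": "alice", "sha256": None},
    {"id": "A4", "title": "Malware detected",      "device": "host-09", "user": "bob",   "sha256": "hash-z"},
    {"id": "A5", "title": "Same file seen again",  "device": "host-10", "user": "carol", "sha256": "hash-z"},
]

# Assumed entity fields used for correlation.
ENTITY_KEYS = ("device", "user", "sha256")


class UnionFind:
    """Disjoint-set structure so that 'related' is transitive: if A1~A2 and A2~A3,
    all three land in the same incident even if A1 and A3 share nothing directly."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts, entity_keys=ENTITY_KEYS, ignored_entities=None):
    """Group alerts into incidents by shared entities.

    ignored_entities: set of (key, value) pairs that are too common to be
    meaningful (e.g. a ubiquitous binary hash) and must not link alerts.
    Returns a list of incident dicts in first-seen order.
    """
    ignored_entities = ignored_entities or set()
    uf = UnionFind()
    first_alert_for_entity = {}
    for alert in alerts:
        uf.find(alert["id"])  # register the alert even if it shares nothing
        for key in entity_keys:
            value = alert.get(key)
            if value is None or (key, value) in ignored_entities:
                continue
            entity = (key, value)
            if entity in first_alert_for_entity:
                uf.union(first_alert_for_entity[entity], alert["id"])
            else:
                first_alert_for_entity[entity] = alert["id"]

    groups = defaultdict(list)
    for alert in alerts:
        groups[uf.find(alert["id"])].append(alert)

    incidents = []
    for n, members in enumerate(groups.values(), start=1):
        entities = {k: sorted({a[k] for a in members if a.get(k)}) for k in entity_keys}
        incidents.append({
            "incident_id": f"INC-{n}",          # constructed identifier scheme
            "alert_ids": [a["id"] for a in members],
            "entities": entities,
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["incident_id"], inc["alert_ids"], inc["entities"])
```

With the sample data, A1, A2 and A3 collapse into one incident (A1 and A2 share a device, A2 and A3 share a user), while A4 and A5 are joined only by the file hash `hash-z`. Passing that hash in `ignored_entities` splits them back into separate incidents, which is the right outcome when the hash belongs to a file present on every machine.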

In this section

View and organize the Incidents queue: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
Manage incidents: Learn how to manage incidents by assigning them, updating their status, setting their classification, and taking other actions.
Investigate incidents: See associated alerts, manage the incident, and view alert metadata and visualizations that help you investigate an incident.