Incidents queue in Windows Defender ATP

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

When a cybersecurity threat is emerging, or a potential attacker is deploying their tactics, techniques, and procedures (TTPs) on the network, Windows Defender ATP quickly triggers alerts and launches matching automated investigations.

Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.

In this section

Topic: Description

View and organize the Incidents queue: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.

Manage incidents: Learn how to manage an incident by assigning it, updating its status, setting its classification, and taking other actions.

Investigate incidents: See associated alerts, manage the incident, and use alert metadata and visualizations to help you investigate an incident.