What is the difference between an alert and an incident in Defender for Endpoint?

An alert is a single security detection, such as a suspicious file execution or network connection. An incident is a collection of related alerts that together represent a potential attack. Defender automatically correlates alerts into incidents based on shared entities like devices, users, or attack techniques, giving analysts a comprehensive view of an attack campaign.

How do I prioritize which incidents to investigate first?

Prioritize based on incident severity (High, Medium, Low), affected assets (critical servers, executive devices), and incident status (new vs. in progress). High-severity incidents on critical assets should be investigated immediately. Use the incident queue filters to sort by these criteria and focus on incidents that pose the greatest risk to your organization.

Can Defender for Endpoint automatically remediate threats?

Yes, Automated Investigation and Remediation (AIR) can automatically analyze alerts and take remediation actions such as quarantining files, stopping processes, and removing persistence mechanisms. Configure automation levels from Full (automatic remediation) to Semi-automatic (approval required) based on your risk tolerance and compliance requirements.

How long is investigation data retained in Defender for Endpoint?

Device timeline data and raw events are retained for 180 days by default. Advanced hunting data is available for 30 days. Alerts and incidents can be retained longer based on your Microsoft 365 retention policies. For compliance requirements, export important investigation data to long-term storage or your SIEM.

How to Investigate Security Incidents in Microsoft Defender for Endpoint

Effective incident investigation is critical for understanding the scope of an attack, containing threats, and preventing recurrence. Microsoft Defender for Endpoint provides powerful investigation tools including incident correlation, device timelines, and advanced hunting. This guide walks through the complete incident investigation workflow.

Prerequisites

Before investigating incidents, ensure you have:

Security Reader role (minimum) or Security Operator role (for taking actions)
Familiarity with common attack techniques (MITRE ATT&CK framework)
Access to the Microsoft Defender portal
Understanding of your organization's critical assets and normal behavior

Understanding the Investigation Workflow

Alert Triggered → Incident Created → Triage → Investigation → Containment → Remediation → Post-Incident Review

Each phase has specific objectives:

Phase	Objective	Key Actions
Triage	Assess severity and validity	Review alert details, check false positive
Investigation	Understand scope and impact	Analyze timeline, trace attack path
Containment	Stop active threats	Isolate device, block indicators
Remediation	Remove threat artifacts	Quarantine files, remediate vulnerabilities
Review	Learn and improve	Document findings, update detections

Step 1: Access the Incident Queue

Sign in to the Microsoft Defender portal
Navigate to Incidents & alerts > Incidents
Review the incident queue showing:
- Incident name and ID
- Severity level
- Status (New, In Progress, Resolved)
- Affected devices and users
- Alert count

Filter Incidents Effectively

Use filters to focus on priority items:

Severity: High, Medium, Low, Informational
Status: New (unassigned), In Progress (being investigated)
Assigned to: Filter by analyst or unassigned
Device group: Critical servers, executive devices, etc.
Service source: Defender for Endpoint, Defender for Identity, etc.

Step 2: Perform Initial Triage

Assess the Incident

Click on an incident to open the incident page:

Review the incident summary:
- Attack story visualization
- Affected entities (devices, users, mailboxes)
- Related alerts with timestamps
Check incident classification:
- True Positive: Confirmed malicious activity
- False Positive: Benign activity incorrectly flagged
- Informational: Expected activity, awareness only
Evaluate business impact:
- Is the affected device critical?
- Is the user privileged (admin, executive)?
- Are sensitive systems or data at risk?

Quick Triage Checklist

Before deep investigation, verify:

Is this a known false positive pattern?
Is the affected device in scope (managed, production)?
Are there related incidents to correlate?
What is the latest alert timestamp (ongoing vs. historical)?

Assign and Update Status

Click Manage incident
Set Status to "In Progress"
Assign to yourself or team member
Add Tags for categorization (e.g., "Ransomware", "Phishing")
Adjust Classification if initial assessment differs

Step 3: Analyze the Attack Story

Understanding the Attack Graph

The Attack story tab shows a visual timeline:

Nodes: Entities (devices, users, files, processes)
Edges: Relationships and actions between entities
Timeline: Chronological sequence of events

Look for:

Initial access point (how did the attack start?)
Lateral movement (did it spread to other devices?)
Actions on objectives (data exfiltration, encryption?)

Each incident contains correlated alerts:

Click the Alerts tab
Review each alert's:
- Detection source: AV, EDR, cloud, network
- MITRE ATT&CK technique: Mapped attack tactic
- Evidence: Files, processes, network connections
Click into individual alerts for detailed evidence

Step 4: Investigate the Device Timeline

The device timeline is your primary investigation tool.

Access the Timeline

From the incident, click on an affected Device
Select the Timeline tab
Filter by time range around the incident

Timeline Event Types

Event Type	Icon	Description
Process	Gear	Process creation, command line
File	Document	File creation, modification, deletion
Network	Globe	Network connections, DNS queries
Registry	Database	Registry key changes
User	Person	User logon, privilege escalation
Alert	Bell	Security alerts triggered

Key Investigation Queries

Look for these suspicious patterns:

Suspicious Process Trees:

1. Parent: outlook.exe
   └── Child: cmd.exe
       └── Child: powershell.exe -enc [Base64]

This indicates a phishing email spawning malicious scripts.

Unusual Network Connections:

Connections to rare destinations
Large data transfers outbound
Connections on non-standard ports
Beaconing patterns (regular interval connections)

Persistence Mechanisms:

Registry Run key modifications
Scheduled task creation
Service installation
Startup folder additions

Use Advanced Filters

Click Filters on the timeline
Select specific event types:
- Process create for execution analysis
- File create for dropped files
- Network connections for C2 communication
Search for specific filenames, hashes, or IPs

Step 5: Perform Advanced Hunting

Use KQL queries for deeper investigation.

Access Advanced Hunting

Go to Hunting > Advanced hunting
Use pre-built queries or write custom ones
Time range defaults to 30 days

Common Investigation Queries

Find all processes from a suspicious parent:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine

Check for lateral movement:

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName == "affected-device"
| where RemotePort in (445, 135, 5985, 3389)
| summarize ConnectionCount = count() by RemoteIP, RemotePort
| order by ConnectionCount desc

Find file modifications by hash:

DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 == "suspicious-file-hash-here"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType

Identify persistence:

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey contains "Run" or RegistryKey contains "RunOnce"
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

Step 6: Contain the Threat

Take immediate action to stop active threats.

Isolate the Device

Network isolation prevents lateral movement while maintaining Defender connectivity:

On the device page, click ... menu
Select Isolate device
Choose isolation type:
- Full isolation: Block all network (except Defender)
- Selective isolation: Allow specific apps
Add a comment and confirm
Release isolation after remediation

Block Indicators

Add malicious indicators to block across all devices:

Go to Settings > Endpoints > Indicators
Click Add indicator
Add:
- File hashes: SHA256, SHA1, MD5
- IP addresses: C2 servers
- URLs/Domains: Malicious sites
Set action: Block and remediate
Add indicator context and confirm

Stop and Quarantine

For active malware:

On the device page, use Live Response or
From an alert, click Stop and quarantine file
Verify file is quarantined in timeline

Step 7: Remediate

Remove all threat artifacts from affected systems.

Automated Remediation

If enabled, Automated Investigation and Remediation (AIR) handles:

View Investigation tab on the incident
Review automated actions taken:
- Files quarantined
- Processes stopped
- Persistence removed
Approve pending actions if in semi-automatic mode

Manual Remediation Checklist

Quarantine malicious files
Stop malicious processes
Remove persistence mechanisms
Reset compromised credentials
Patch exploited vulnerabilities
Clear browser cached credentials
Review and restore modified system files

Using Live Response

For hands-on remediation:

Start a Live Response session
Run remediation commands:

# Remove malicious file
Remove-Item -Path "C:\Malware\badfile.exe" -Force

# Stop malicious process
Stop-Process -Name "malicious" -Force

# Remove registry persistence
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MalwareKey"

# Remove scheduled task
Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$false

Step 8: Document and Close

Complete Incident Documentation

Click Manage incident
Set Classification:
- True Positive: Confirmed threat
- False Positive: Benign, update detection
- Informational: Expected activity
Set Determination:
- Malware, Phishing, Unwanted software, etc.
Add detailed Comments documenting:
- Investigation findings
- Root cause
- Actions taken
- Recommendations
Change Status to "Resolved"

Post-Incident Actions

Update detection rules to prevent recurrence
Add new indicators to blocklists
Document lessons learned
Brief stakeholders if significant
Schedule follow-up vulnerability remediation

Best Practices

Investigation Tips

Start with high-confidence alerts: Focus on clearly malicious activity first
Work backwards: Start from the alert and trace to initial access
Document everything: Notes help when revisiting or handing off
Use multiple data sources: Correlate Defender data with SIEM, network logs
Know your environment: Understand what's normal to spot anomalies

Common Mistakes to Avoid

Isolating devices before collecting volatile evidence
Jumping to remediation without understanding full scope
Closing incidents without confirming remediation success
Ignoring low-severity alerts that may be part of larger campaign

Investigation Playbooks by Alert Type

Suspicious PowerShell

Check command line for encoded content
Decode Base64 if present
Trace parent process to find initial access
Look for dropped files or network connections
Check for persistence created

Credential Dumping

Identify the tool used (mimikatz, etc.)
Determine compromised accounts
Check for lateral movement using stolen creds
Force password reset for affected accounts
Enable additional MFA protections

Ransomware

Immediately isolate affected devices
Identify ransomware variant and encryption scope
Check for data exfiltration before encryption
Block C2 infrastructure across environment
Assess backup integrity and recovery options

Next Steps

After mastering investigations:

Configure Attack Surface Reduction rules to prevent attacks
Learn Microsoft Sentinel for advanced SIEM correlation
Develop custom detection rules for your environment
Build automated playbooks for common incident types

Need expert incident response support? Inventive HQ provides 24/7 incident response services and security operations center capabilities. Contact us for rapid response when threats strike.