PRACTITIONER GUIDE | INCIDENT RESPONSE
Practitioner GuideUpdated 10 min read

Microsoft 365 Defender Incident Investigation: How to Work an XDR Alert from Triage to Closure

30 days
Advanced Hunting data retention by default
6
Defender product signals correlated into Defender XDR incidents
Attack Story
Start here, not individual alerts -- shows the full kill chain

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The Defender XDR incident queue is where correlated alerts from across your Microsoft security stack land. The challenge for analysts is that an incident may contain 20 individual alerts, automated investigation findings, machine-generated evidence items, and multi-entity timelines -- with the actual attacker activity buried somewhere in the middle. Working an incident systematically means understanding the structure of a Defender XDR incident, knowing where to look for the root cause versus the downstream effects, and using Advanced Hunting to answer specific questions the incident view does not directly surface.

Understand the Incident Structure Before Acting

A Defender XDR incident has five key sections: Incident Overview (severity, first and last activity, MITRE ATT&CK mapping, affected assets), the Attack Story graph (visual timeline of how entities relate to each other, from the initial vector through the attack chain), the Alert list (individual alerts that were correlated into this incident, each from a specific Defender product), the Evidence and Response tab (files, processes, network events, emails, identities, and devices classified as evidence), and the Entities tab (all unique users, devices, IPs, and files involved). Start with the Attack Story graph before looking at individual alerts. The graph shows you the attack chain visually -- the root node on the left is the initial access event, and branches to the right show lateral movement and impact. Understanding the chain before diving into individual alerts prevents the common mistake of investigating a downstream symptom while missing the initial access vector.

Triage: Severity Assessment in Under 5 Minutes

Triage the incident before deep investigation. Three questions to answer: Is this a true positive or a false positive? (Look at the MITRE technique mapped to the highest-severity alert -- is it a technique your environment would legitimately generate?) What is the blast radius? (How many unique devices and user accounts are in the Entities tab? A single-device alert with one user is contained; 15 devices and 3 users means active lateral movement.) Is the attack still in progress? (Look at the Last Activity time. If it is within the last 15 minutes, the attacker may be active. If it is 48 hours ago with no recent activity, it may be a completed incident to investigate forensically.) For containment-first priority: if the incident involves an active, expanding compromise, isolate affected devices via Actions > Isolate Device in the Defender for Endpoint alert before continuing investigation.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Use Advanced Hunting to Fill Evidence Gaps

The incident view shows correlated evidence, but not every relevant event. Use Advanced Hunting (security.microsoft.com > Hunting > Advanced Hunting) to query for events that were not included in the incident correlation. Start with a broad device or user timeline query: DeviceEvents | where DeviceName == 'hostname' and Timestamp > datetime(2026-06-10T00:00:00) | order by Timestamp. Then drill into specific events. For a malicious process: DeviceProcessEvents | where InitiatingProcessFileName == 'suspicious.exe' | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName. For lateral movement via PsExec or SMB: DeviceNetworkEvents | where InitiatingProcessFileName == 'psexesvc.exe' | project Timestamp, DeviceName, RemoteIP, RemotePort. For credential access: IdentityLogonEvents | where AccountName == 'compromised_user' | project Timestamp, LogonType, DeviceName, IPAddress. For email analysis: EmailEvents | where SenderFromAddress == 'attacker@domain.com' | project Timestamp, RecipientEmailAddress, Subject, UrlCount, AttachmentCount.

Review Automated Investigation Results

Defender XDR runs automated investigations (AIR) on high-confidence alerts when enabled. The automated investigation appears in the incident's Investigations tab and shows: what the investigation did, what evidence it collected, what it determined (malicious, clean, unknown), and what remediation actions it recommends or has taken. Review automated investigation results before taking manual remediation actions -- the AIR engine may have already quarantined the malicious file, reversed changes, or isolated the device. If auto-remediation is in alert-only mode, you will see pending actions waiting for your approval. Common pending actions: quarantine a file (approve if malicious, reject if uncertain -- use Advanced Hunting to verify the file hash against VirusTotal first), isolate a device, block a sender, remediate malicious email. Approve pending actions only after you have confirmed the evidence.

Document and Close the Incident

Before closing, document the incident in the Defender XDR incident comments or in your ticketing system: what was the initial access vector, which accounts and devices were compromised, what did the attacker do, what was remediated, what monitoring was added, and whether there is any residual risk. Update the incident classification: True Positive (Malware, Phishing, Compromised Account, etc.), False Positive (Unusual Activity, Legitimate Admin Activity, etc.), or Informational. Correct classification improves Defender XDR's future alert tuning. For true positive incidents: verify remediation completeness by running a final Advanced Hunting query to confirm no further attacker activity after your response actions. Check that all affected users have had passwords reset and sessions revoked (Entra ID > Users > Revoke sessions). For post-incident: if the initial access was phishing, check for other users who received the same email and opened attachments.

The bottom line

Defender XDR incidents are richer than individual product alerts but require understanding the correlation model to use effectively. Start with the Attack Story graph to understand the chain, use Advanced Hunting to fill evidence gaps the correlation missed, review automated investigation results before manual remediation, and document root cause before closing. The 30-day Advanced Hunting retention window means you can go back and query for pre-compromise activity even days after the initial detection.

Frequently asked questions

What is the difference between an alert and an incident in Defender XDR?

An alert is a single detection event from one Defender product (a malicious file detected on a device, a suspicious sign-in from Defender for Identity). An incident is a Defender XDR-generated correlation of multiple alerts that share indicators (same user, same device, similar timing, same attack campaign) into a unified investigation object. One phishing campaign that hits 10 users might generate 40 individual alerts across email, endpoint, and identity products, all correlated into a single incident. Working at the incident level gives you the full picture; working at the individual alert level risks investigating symptoms while missing the attack chain.

How do I know if a Defender XDR alert is a false positive?

Look at the MITRE technique, the process or entity involved, and the broader incident context. A single alert for 'Suspicious PowerShell' may be a false positive if the PowerShell script matches a known software management tool in your environment. Check the Advanced Hunting query behind the alert (click the alert name, then 'Detection logic') -- it shows you exactly what pattern triggered the alert. If the legitimate activity matches that pattern, you can create an exclusion. Add to the incident comment that this was reviewed as a false positive and why, so the next analyst who sees a similar alert has context.

What should I do if I find evidence of an active attack?

Contain first: isolate the affected device from the incident response actions menu. Revoke the compromised account's sessions in Entra ID. Then investigate to understand scope before broad remediation -- if you reset a password before understanding the full lateral movement chain, you may miss compromised accounts you did not know about. Once scope is understood: reset all affected account passwords, revoke all sessions, isolate all affected devices, and confirm no persistence mechanisms (scheduled tasks, registry run keys, new local accounts) remain.

Can I run Advanced Hunting with a read-only security role?

Yes. The Security Reader role in Defender XDR provides read access to the incident queue, alert details, and Advanced Hunting. You can run queries and view results but cannot take response actions (isolate devices, quarantine files, block users). This role is appropriate for SOC L1 analysts who triage and investigate but escalate response to L2. Security Operator adds response capability. Security Administrator adds policy management. Assign roles using Microsoft Entra ID built-in roles.

What is Advanced Hunting in Microsoft Defender XDR and how does it differ from normal alert investigation?

Advanced Hunting is a query-based threat hunting tool that lets analysts write KQL (Kusto Query Language) queries against 30 days of raw telemetry across all Defender XDR data tables (endpoints, email, identity, cloud apps). Standard alert investigation starts from a generated alert and shows the pre-built evidence that triggered it -- you are looking at what Defender decided was notable. Advanced Hunting starts from a hypothesis and searches raw data to confirm or deny it -- you define what you are looking for. Use Advanced Hunting for: hunting for indicators of compromise (IOCs) from threat intelligence across the full fleet after a breach, investigating a specific suspicious behavior that did not generate an alert, proactively searching for attack techniques that your organization's detection rules may not cover, and correlating activity across multiple data tables (joining endpoint process events with email delivery data with identity logon events). The IdentityLogonEvents, DeviceProcessEvents, EmailEvents, and CloudAppEvents tables cover the most common hunting use cases.

How do you triage a Defender XDR incident queue when 20 incidents are open simultaneously and you need to determine which to investigate first?

Sort by severity (Critical first), then filter to incidents where automated investigation status is 'Requires action' -- these have pending containment steps Defender can execute once an analyst approves them. Within Critical incidents, prioritize by entity type: incidents involving user accounts with admin roles, Tier 0 assets (domain controllers, Entra Connect servers), or cloud admin credentials outrank endpoint-only incidents. Check the incident's 'Impacted assets' count: a single-device incident is typically more contained than one spanning five devices and three accounts. For incidents marked 'Active' with no automated investigation started, open the incident and check the alert timeline for the most recent event time -- an attack that stopped two hours ago is lower urgency than one with activity in the last 15 minutes. Use the 'Assign to me' action on the highest-priority incidents before investigation begins so two analysts do not work the same incident simultaneously.

Sources & references

  1. Microsoft: Defender XDR Incident Investigation
  2. Microsoft: Advanced Hunting KQL Reference

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.