Every SOC analyst faces this challenge: multiple incidents, same severity, and different sources. When everything looks equally urgent, the real question becomes what do you investigate first? And how do you address it consistently across shifts, analysts, and tool stacks?
Security teams don’t struggle because they lack alerts—they struggle because they have too many, arriving faster than humans can triage. Microsoft Defender brings Microsoft Defender XDR and Microsoft Sentinel signals together into correlated incidents, which is exactly what you want for end-to-end visibility. But it also means your incident queue can become the bottleneck.
The goal of the incident queue experience is simple—to turn a high-volume stream of incidents across devices, identities, mailboxes, and cloud resources into a prioritized, explainable worklist so analysts can act faster with confidence.
Explainable ML-driven prioritization
Microsoft Defender aggregates related alerts and automated investigations into an incident. That correlation matters because some activity is only clearly malicious when you connect the dots across multiple products and telemetry sources. Instead of chasing isolated alerts, analysts get the broader narrative: what happened, what it touched, and how it progressed.
To help teams act on that story quickly, the incident queue includes AI-powered incident prioritization (see Figure 1). It applies a machine learning prioritization model to surface the incidents that matter most, assigning each incident a priority score from 0–100 and—crucially—explaining the key factors behind the ranking. That explainability is what turns a score into something analysts can trust and use to drive consistent triage decisions.
This prioritization is designed to work across the signals you already depend on:
- Microsoft native alerts
- Custom detections
- Third-party alerts
When calculating priority, the model considers high-signal inputs such as:
- Attack disruption signals
- Threat analytics context
- Severity
- Signal-to-noise characteristics
- MITRE ATT&CK techniques
- Asset criticality
- Alert types and rarity
- High-profile threats (like ransomware and nation-state activity)
A simple visual language for urgency. To make the queue scannable at a glance, score ranges are color-coded:
- Red: Top priority (> 85%)
- Orange: Medium priority (15–85%)
- Gray: Low priority (< 15%)
This makes it easy to focus immediately on the highest-impact work, while still keeping medium/low priority incidents visible for coverage and hygiene.
Figure 1. Select the incident row anywhere except the incident name to display a summary pane with key information about why this incident was prioritized.
Built for analyst flow, not just ranking. Selecting an incident row opens a summary pane that keeps analysts in the moment of triage. It includes:
- The priority assessment
- The factors influencing the priority score
- Key incident details
- Recommended actions
- Related threats
You can navigate up/down through incidents directly from this pane, which helps analysts stay in flow instead of bouncing between pages.
By default, the queue shows incidents from the last week, but the time selector above the queue lets you switch time frames—for shift handoffs, retrospectives, validation after detection changes, or responding to a specific time-bound campaign.
Figure 2. This pane includes the priority assessment, the factors influencing the priority score, the incident's details, recommended actions, and related threats. Use the up and down arrows at the top of the pane to navigate to the previous or next incident in the incident queue.
The intuition behind incident prioritization
A helpful way to think about incident queue prioritization is: ranking incidents is a lot like ranking search results.
In search, you have a large set of documents and you need to decide which ones are most relevant to what the user cares about. In a SOC, you have a large set of incidents and you need to decide which ones are most relevant to what’s risky right now.
BM25 (BM is an abbreviation of best matching) is a proven search-ranking approach that fits this problem well because it balances three intuitive ideas:
- Rare signals should matter more than common ones. Some signals show up everywhere (routine alert types, ubiquitous behaviors). Others are rare (uncommon alert patterns, unusual technique combinations, high-profile threat indicators). BM25 is built to naturally treat rare “terms” as more informative. In incident terms, this is how you get high-impact incidents involving critical assets, rare signals, or active threat campaigns surfaced to the top.
- Repetition helps, but it shouldn’t dominate. Seeing the same indicator multiple times in an incident can increase confidence—but after a point, additional repeats don’t add much new information. BM25 captures that “diminishing returns” behavior. In practice, this avoids a noisy incident scoring high just because duplicate telemetry floods the score.
- Big incidents shouldn’t win just because they’re big. Some incidents are “large” because they include lots of noise, broad telemetry, or repeated patterns. BM25 normalizes for that so longer, messier incidents don’t automatically outrank concise, high-signal ones. This is especially important in security, where high-signal incidents can be short and sharp while low-signal incidents can be long and chatty.
- It’s fast, scalable, and explainable. BM25 is operationally attractive because it’s efficient at ranking large collections. And because it’s based on contributions from interpretable “terms,” it naturally supports explainability: you can show which factors pushed an incident up or down. That maps cleanly to what Queue Assistant needs to do: (a) surface the highest-priority incidents, (b) explain the reasoning behind prioritization, and (c) enable sorting/filtering without losing trust.
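To make the three BM25 ideas concrete, here is a small scorer over a constructed incident queue (an added illustration, not Microsoft's model or code; the incident names, signal counts and the relative 0–100 scaling are assumptions). Each incident is a bag of signals, the "query" is the set of signals the SOC treats as risky, and the per-signal contributions are what an explanation pane would show.

```python
import math
from collections import Counter

# Constructed sample queue (invented names and counts): each incident is a
# "bag of signals" such as alert types, ATT&CK techniques and asset tags.
INCIDENTS = {
    "INC-1": ["phishing_email"] * 5 + ["url_click"] * 7,               # long and chatty
    "INC-2": ["phishing_email", "T1486_ransomware", "critical_asset"],  # short, rare signals
    "INC-3": ["phishing_email", "url_click"],
    "INC-4": ["url_click"],
}
# The "query": the signals the SOC currently treats as risk-relevant.
RISK_SIGNALS = ["T1486_ransomware", "critical_asset", "phishing_email", "url_click"]
K1, B = 1.2, 0.75  # BM25 saturation (k1) and length-normalisation (b) parameters

def idf(term, incidents):
    """Rare signals (present in few incidents) get a higher weight."""
    n = len(incidents)
    df = sum(term in sig for sig in incidents.values())
    return math.log((n - df + 0.5) / (df + 0.5) + 1)

def contributions(name, incidents, query):
    """Per-signal BM25 contributions for one incident: the explainable part."""
    tf = Counter(incidents[name])
    dl = len(incidents[name])
    avgdl = sum(len(s) for s in incidents.values()) / len(incidents)
    norm = K1 * (1 - B + B * dl / avgdl)  # grows with incident size: big is not better
    out = {}
    for term in query:
        if tf[term]:
            # tf*(k1+1)/(tf+norm): repetition helps, with diminishing returns
            out[term] = idf(term, incidents) * tf[term] * (K1 + 1) / (tf[term] + norm)
    return out

def rank(incidents, query):
    """Return [(incident, score, contributions)] sorted by descending score."""
    rows = [(n, sum(c.values()), c)
            for n in incidents for c in [contributions(n, incidents, query)]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def band(score, top):
    """Colour band from the page's thresholds; scaling a raw BM25 score to
    0-100 relative to the queue's top score is an assumption of this example."""
    pct = 100 * score / top if top else 0
    return "red" if pct > 85 else "orange" if pct >= 15 else "gray"

if __name__ == "__main__":
    ranked = rank(INCIDENTS, RISK_SIGNALS)
    for name, score, c in ranked:
        why = ", ".join(f"{t}={v:.2f}" for t, v in sorted(c.items(), key=lambda kv: -kv[1]))
        print(f"{name} {band(score, ranked[0][1]):6} score={score:.2f}  because {why}")
```

Running it ranks the three-signal INC-2 above the twelve-signal INC-1: the rare ransomware and critical-asset terms outweigh many repeats of common ones, and the length normalisation keeps the chatty incident from winning on volume.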
What prioritization done well delivers for a SOC
When prioritization is done well, it’s not automation for automation’s sake; it’s a force multiplier, delivering:
- Faster triage: less time sorting, more time investigating
- Higher confidence: analysts understand why an incident rose to the top
- Better outcomes: high-impact incidents involving critical assets, rare signals, or active threat campaigns get attention first
The Incident Queue plus Queue Assistant is designed to make the unified Defender portal not only a place where incidents are aggregated—but a place where analysts can reliably decide what to do next, even under heavy volume.
Learn more and get started
Check out our resources to learn more about our new incident queue experience:
- Check out the Microsoft Ignite announcement and demo
- Read the documentation on the new incident queue experience