
Assign incidents and alerts to someone else

Idan_Pelleg
Oct 03, 2021

You can now assign incidents and alerts to someone else in your organization

To control and manage incidents and alerts in your organization, you sometimes need to assign them to a specific analyst. Now you can do that right from the incident queue in Microsoft 365 Defender.

How does it work?

From the incident or alert side pane in the incident queue or the incident page, select Manage incident/alert and choose the user account you want to assign.

By default, the first value in the "Assign to" drop-down menu is yourself (shown as "Me").

Note that you can choose any user in the organization, but only users with access to the Microsoft 365 Defender portal will be able to view the incident or alert. So, to help you assign the most relevant people in the organization, the rest of the default suggestions are the assignees you chose most recently.

Once an incident is assigned, the assignee can filter the queue to see only incidents assigned to them. A SOC manager who dispatches the incident queue can also filter for all unassigned incidents or alerts and pick the ones they would like to assign.
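To show the two queue filters above (unassigned, and assigned to me) and the most-recent-assignee suggestions as logic a SOC automation could reuse, here is an added Python example that is not part of the original post. The incident field names (`incidentId`, `severity`, `status`, `assignedTo`) and the sample queue are assumptions constructed for the example, not taken from the post or from any Microsoft API documentation.

```python
"""Dispatch helper modelling the assignment workflow described in the post."""
from collections import OrderedDict

# Constructed sample incident queue; field names are an assumption for this example.
SAMPLE_QUEUE = [
    {"incidentId": 101, "severity": "High", "status": "Active", "assignedTo": None},
    {"incidentId": 102, "severity": "Low", "status": "Active", "assignedTo": "ana@contoso.example"},
    {"incidentId": 103, "severity": "Medium", "status": "Active", "assignedTo": None},
    {"incidentId": 104, "severity": "High", "status": "Resolved", "assignedTo": None},
    {"incidentId": 105, "severity": "Informational", "status": "Active", "assignedTo": None},
]
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def unassigned(queue, status="Active"):
    """The SOC manager's filter: open incidents nobody owns, most severe first."""
    open_unowned = [i for i in queue if i["status"] == status and not i.get("assignedTo")]
    return sorted(open_unowned, key=lambda i: (SEVERITY_RANK.get(i["severity"], 99), i["incidentId"]))


def assigned_to(queue, analyst):
    """The analyst's filter: only incidents assigned to me."""
    return [i for i in queue if i.get("assignedTo") == analyst]


class Dispatcher:
    """Assigns unowned incidents round-robin to on-shift analysts and keeps the
    most-recently-used assignee list that backs the default suggestions."""

    def __init__(self, analysts, mru_size=5):
        self.analysts = list(analysts)
        self._next = 0
        self.recent = OrderedDict()  # insertion order == recency, oldest first
        self.mru_size = mru_size

    def assign(self, incident, analyst):
        incident["assignedTo"] = analyst
        self.recent.pop(analyst, None)  # move analyst to the newest position
        self.recent[analyst] = True
        while len(self.recent) > self.mru_size:
            self.recent.popitem(last=False)
        # Assumed update payload shape: which incident now belongs to whom.
        return {"incidentId": incident["incidentId"], "assignedTo": analyst}

    def dispatch(self, queue):
        """Walk the unassigned filter and hand out incidents in turn."""
        updates = []
        for incident in unassigned(queue):
            analyst = self.analysts[self._next % len(self.analysts)]
            self._next += 1
            updates.append(self.assign(incident, analyst))
        return updates

    def suggestions(self, me):
        """Default drop-down order: 'Me' first, then latest assignees, newest first."""
        return [me] + [a for a in reversed(self.recent) if a != me]
```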

  • Jean-1950

    A quick question, how can you make that an email is sent to the person who has the incident assigned to? A teams notification would be even better.

    Thanks

    JP

  • Zvoltejinylogin

    This is a somewhat nice feature, but you can do much more if using Sentinel.

    By ingesting through the Defender 365 (preview) connector, ingesting just the free Incidents and Alerts option, you get the whole D365 package (MCAS, D365 family), and once you assign these in Sentinel this is bi-directional and the assignee is visible in the D365 portal; closing also works.

    Drawbacks: if you try to close MCAS alerts ingested via the D365 connector, as per an MS case, ATP -> MCAS uses a deprecated API, so no matter what closure status you put in Sentinel, it will always be True Positive in MCAS; no ETA for a fix.

    But there are automation/playbook options if you want to integrate all the D365 and Azure Security solutions, but Microsoft is not making it easy, there is a lot of DIY behind the scenes.

  • Thanks for this highly requested item on our wish list. Will the assignee receive e-mail notification about incident automatically or should we create a Power Automate for such? Thanks.