Microsoft Defender XDR Blog

Introducing AI-powered incident prioritization in Microsoft Defender

agharib (Microsoft)
Jan 08, 2026

Every SOC analyst knows the moment when the incident queue fills up fast. Multiple alerts arrive with the same severity but from different sources. When everything looks equally urgent, the real question becomes: what do you investigate first? And how do you answer that consistently across shifts, analysts, and tool stacks?

At Microsoft Ignite last November, we announced a new capability in Microsoft Defender designed to solve exactly this problem: AI-powered incident prioritization. Today, we’re excited to share that AI-powered incident prioritization is now available in public preview for all Microsoft Defender customers. This is about helping SOC teams cut through noise, focus on what matters most, and move faster with confidence.

A new and improved incident queue experience

Microsoft Defender aggregates related alerts and automated investigations into an incident. That correlation matters because some activity is only clearly malicious when you connect the dots across multiple products and telemetry sources. Instead of chasing isolated alerts, analysts get the broader narrative: what happened, what it touched, and how it progressed.

Prior to the new incident queue experience, incidents were prioritized using factors such as alert severity, tags, and MITRE ATT&CK techniques. We have since expanded this approach to incorporate additional high-signal inputs, including automatic attack disruption signals, high-profile threats (such as ransomware or nation-state activity), asset criticality, threat analytics, and more. The enhanced prioritization model works across signals from Defender, Sentinel, and custom alerts, giving a more accurate and comprehensive assessment of incident priority.

To help teams act on that story quickly, the incident queue now includes AI-powered incident prioritization (see Figure 1). It applies a machine learning prioritization model to surface the incidents that matter most, assigning each incident a priority score from 0 to 100 and explaining the key factors behind the ranking. That explainability is what turns a score into something analysts can trust and use to drive consistent triage decisions.

To make the queue scannable at a glance, score ranges are color-coded:

  • Red: Top priority (score above 85)
  • Orange: Medium priority (score 15 to 85)
  • Gray: Low priority (score below 15)

This makes it easy to focus immediately on the highest-impact work, while still keeping medium/low priority incidents visible for coverage and hygiene.

Figure 1. Select the incident row anywhere except the incident name to display a summary pane with key information about why this incident was prioritized.

Built for analyst flow, not just ranking. Selecting an incident row opens a summary pane that keeps analysts in the moment of triage (see Figure 2).

Figure 2. This pane includes the priority assessment, the factors influencing the priority score, the incident's details, recommended actions, and related threats. Use the up and down arrows at the top of the pane to navigate to the previous or next incident in the incident queue.

The pane is organized into the following sections:

  • The priority assessment
  • The factors influencing the priority score
  • Key incident details
  • Recommended actions
  • Related threats

By default, the queue shows incidents from the last week, but the time selector above the queue lets you switch time frames—for shift handoffs, retrospectives, validation after detection changes, or responding to a specific time-bound campaign.

What prioritization done well delivers for a SOC

When prioritization is done well, it is not automation for automation's sake; it is a force multiplier, delivering:

  • Faster triage: less time sorting, more time investigating
  • Higher confidence: analysts understand why an incident rose to the top
  • Better outcomes: high-impact incidents involving critical assets, rare signals, or active threat campaigns get attention first

Effective prioritization strengthens the SOC's protective posture. It ensures analysts see high-impact incidents first, so they can disrupt attacks earlier in the kill chain, reduce dwell time, and avoid being blindsided by fast-moving or stealthy threats.

The AI-powered incident queue experience is designed to make the unified Defender portal not only a place where incidents are aggregated—but a place where analysts can reliably decide what to do next, even under heavy volume.

Learn more and get started

Check out our resources to learn more about our new incident queue experience:

Updated Jan 12, 2026