Forum Discussion

stade1655
Copper Contributor
Oct 18, 2024

Microsoft Defender for Business - incidents automatically created

Good afternoon,

I wonder if someone can answer whether incidents are automatically created for alerts in the Defender portal for Defender for Business for identities and risky users?

Thank you in advance.

  • micheleariis
    Steel Contributor

    stade1655 Hi, yes, Microsoft Defender for Business automatically creates incidents based on specific alerts, but the details depend on the alert type and system configuration.

    - Automatically create incidents from alerts
    When an alert is generated in Microsoft Defender for Business, the system can correlate alerts and group them into a single incident. This mechanism is designed to aid investigation by grouping alerts that relate to the same threat or suspicious activity.

    Risky users and identities
    - For identity risks, such as risky users or compromised credentials, Microsoft Defender for Identity (part of the Microsoft Defender ecosystem) takes care of management. Alerts are generated when risky behavior is detected, such as unusual sign-ins, compromised credentials, or attempts to sign in from unfamiliar locations. These risky user and identity alerts are often automatically grouped into incidents, especially when they involve the same user or type of behavior. Defender for Identity works closely with Azure AD Identity Protection to identify these risks.

    - Compromised credentials: If a user's credentials are found in a breach or suspicious activity (such as logins from an unknown device), an alert can be generated. If multiple alerts are issued on the same user (such as logins from different locations), they can be grouped into a single incident.

    - Unusual login activity: If a user logs in from an unexpected geographic location or a device they've never used before, the alerts can be correlated and merged into an incident.

    - Device or endpoint alerts: If a device goes through multiple stages of an attack, such as downloading malware followed by lateral movement, the associated alerts can be grouped into a single incident.

    • stade1655
      Copper Contributor
      Hi micheleariis,
      Thank you very much for your explanation and the clear overview information about how Microsoft Defender for Business automatically creates incidents based on specific alerts.
      I truly appreciate it!
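As an added worked example (not part of the thread above and not Microsoft code), the following script shows how a practitioner can verify the grouping behaviour micheleariis describes rather than take it on trust: pull the alerts for the tenant and check which incident each identity alert was correlated into, and whether any identity alert is still sitting outside an incident. The payload is constructed by hand to mirror the shape of a Microsoft Graph Security API `GET /security/alerts_v2` response (fields `incidentId`, `serviceSource`, `evidence` with `userEvidence` entries); it is sample data, not output from a real tenant. The `alert-*` ids, incident numbers, user names and host names are invented for the example. With a token carrying `SecurityAlert.Read.All`, the same functions can be fed the live `value` array instead of the embedded string.

```python
"""Group Defender alerts into incidents from a Graph alerts_v2 style payload.

Added example: not code from the forum thread or from Microsoft.
The JSON below is constructed to look like a /security/alerts_v2 response.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed sample: two identity alerts on the same user correlated into
# incident 101, one endpoint alert in incident 102, and one identity alert
# that (in this sample) has not been attached to any incident yet.
SAMPLE_ALERTS_JSON = """
{
  "value": [
    {"id": "alert-1", "incidentId": "101", "severity": "medium",
     "title": "Unfamiliar sign-in properties",
     "serviceSource": "azureAdIdentityProtection",
     "createdDateTime": "2024-10-18T09:12:00Z",
     "evidence": [
       {"@odata.type": "#microsoft.graph.security.userEvidence",
        "userAccount": {"userPrincipalName": "alice@contoso.example"}}]},
    {"id": "alert-2", "incidentId": "101", "severity": "high",
     "title": "Suspected identity theft (pass-the-ticket)",
     "serviceSource": "microsoftDefenderForIdentity",
     "createdDateTime": "2024-10-18T09:40:00Z",
     "evidence": [
       {"@odata.type": "#microsoft.graph.security.userEvidence",
        "userAccount": {"userPrincipalName": "alice@contoso.example"}},
       {"@odata.type": "#microsoft.graph.security.deviceEvidence",
        "deviceDnsName": "ws01.contoso.example"}]},
    {"id": "alert-3", "incidentId": "102", "severity": "medium",
     "title": "Malware was detected",
     "serviceSource": "microsoftDefenderForEndpoint",
     "createdDateTime": "2024-10-18T10:05:00Z",
     "evidence": [
       {"@odata.type": "#microsoft.graph.security.deviceEvidence",
        "deviceDnsName": "ws02.contoso.example"}]},
    {"id": "alert-4", "incidentId": null, "severity": "low",
     "title": "Atypical travel",
     "serviceSource": "azureAdIdentityProtection",
     "createdDateTime": "2024-10-18T11:30:00Z",
     "evidence": [
       {"@odata.type": "#microsoft.graph.security.userEvidence",
        "userAccount": {"userPrincipalName": "bob@contoso.example"}}]}
  ]
}
"""

# serviceSource values that represent identity signals (Defender for Identity
# and Entra ID / Azure AD Identity Protection) in the alerts_v2 schema.
IDENTITY_SOURCES = {"microsoftDefenderForIdentity", "azureAdIdentityProtection"}


def load_alerts(payload: str) -> list[dict]:
    """Parse the 'value' array of an alerts_v2 style response body."""
    return json.loads(payload)["value"]


def users_in_alert(alert: dict) -> set[str]:
    """Return the UPNs named in userEvidence entries; other evidence is ignored."""
    upns: set[str] = set()
    for ev in alert.get("evidence", []):
        if ev.get("@odata.type") == "#microsoft.graph.security.userEvidence":
            upn = ev.get("userAccount", {}).get("userPrincipalName")
            if upn:
                upns.add(upn)
    return upns


def group_by_incident(alerts: list[dict]) -> dict[str | None, list[dict]]:
    """Map incidentId -> alerts; alerts without an incidentId land under None."""
    grouped: dict[str | None, list[dict]] = defaultdict(list)
    for alert in alerts:
        grouped[alert.get("incidentId")].append(alert)
    return dict(grouped)


def summarize_incidents(alerts: list[dict]) -> dict[str | None, dict]:
    """Per incident: alert count, identity alert count, distinct users, sources."""
    summary: dict[str | None, dict] = {}
    for incident_id, members in group_by_incident(alerts).items():
        users = set().union(*(users_in_alert(a) for a in members))
        summary[incident_id] = {
            "alert_count": len(members),
            "identity_alert_count": sum(
                a.get("serviceSource") in IDENTITY_SOURCES for a in members),
            "users": sorted(users),
            "sources": sorted({a.get("serviceSource", "") for a in members}),
            "alert_ids": [a["id"] for a in members],
        }
    return summary


def uncorrelated_identity_alerts(alerts: list[dict]) -> list[str]:
    """Ids of identity alerts that carry no incidentId (not yet correlated)."""
    return [a["id"] for a in alerts
            if a.get("incidentId") is None
            and a.get("serviceSource") in IDENTITY_SOURCES]


if __name__ == "__main__":
    sample = load_alerts(SAMPLE_ALERTS_JSON)
    for inc_id, info in summarize_incidents(sample).items():
        label = inc_id if inc_id is not None else "(no incident)"
        print(f"incident {label}: {info['alert_count']} alert(s), "
              f"users={info['users']}, sources={info['sources']}")
    print("identity alerts without an incident:",
          uncorrelated_identity_alerts(sample))
```

On the sample, incident 101 contains both of alice's identity alerts (one from Identity Protection, one from Defender for Identity), which is the same-user correlation the answer describes; alert-4 is reported separately so an analyst can see it has not been folded into an incident. Run against a live tenant, a non-empty `uncorrelated_identity_alerts` list is the thing to chase, since those alerts will not appear in the incident queue most analysts work from.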
