New Incident Graph view in Microsoft 365 Defender

Published Sep 02 2021 08:22 AM 10K Views
Microsoft

The new incident graph helps you quickly understand and visualize the full timeline and related entities of an attack by connecting the different suspicious entities with their related assets such as users, devices, mailboxes and applications. The graph presents a holistic view of how an attack spread through an environment over time, where it started and how far the attacker went. 

 

 

Animation1.gif

 Play the attack over time

 

Now you will be able to:

  • See how the incident’s alerts are connected
    With one glance you can see the connection of alerts to the impacted assets in your organization. 
  • Pivot to alerts directly from the graph
    You can view the alerts right from the graph page and quickly drill down to view more details. 
  • Open the entity details directly from the graph
    You can view the entities details without losing orientation directly from the graph and act on them with response options like file delete, device isolation, etc.
  • Highlight the entities related to an alert
    Easily see which entities are related to which alerts and how they are part of the story of the attack. 

To easily investigate the incident and to help get you oriented, you can select specific alerts for which you want to highlight relevant entities.

 

Idan_Pelleg_0-1630571753395.png

 Highlight specific nodes on the graph based on the alert

 

You can drill down to each alert directly from the graph as well as open the entity side pane.

This will allow you to review the entity details and take remediation actions, such as deleting a file or isolating a device.

 

Idan_Pelleg_1-1630571863612.png

 

So now you can review, investigate and remediate attacks while seeing the full story of the attack right away and understand how the entites are connected to each other.

The incident graph in Microsoft 365 Defender is available from the new Graph tab of an incident .

 

See also

 

 

 

4 Comments
Senior Member

In the See also links above, I can't see the docs until I remove the "review" prefix from the URL.  i.e. change https://review.docs.microsoft.com* to https://docs.microsoft.com*
Is there something about these links that requires the review prefix, or do I need to register elsewhere for access to that?
Thanks.
(If there is a better place to ask this type of question, please point me to that, I couldn't find it.)

-Owen

 

Microsoft

Thanks @OwenAllen_BlueVoyant I fixed the links!

Occasional Visitor

Hi, is this feature still in preview?

In the following URL it says its in preview, 

https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-21v...

but in my demo environment, the "Graph" tab doesnt have "(Preivew)" written on it.

 

I was just curious if its been GA or not because its such a great feature.

Microsoft

@Shawn225 Yes, this new view is currently in public preview, GA coming up soon for sure :)

%3CLINGO-SUB%20id%3D%22lingo-sub-2710668%22%20slang%3D%22en-US%22%3ENew%20Incident%20Graph%20view%20in%20Microsoft%20365%20Defender%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2710668%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20new%20incident%20graph%20helps%20you%20quickly%20understand%20and%20visualize%20the%20full%20timeline%20and%20related%20entities%20of%20an%20attack%20by%20connecting%20the%20different%20suspicious%20entities%20with%20their%20related%20assets%20such%20as%20users%2C%20devices%2C%20mailboxes%20and%20applications.%20The%20graph%20presents%20a%20holistic%20view%20of%20how%20an%20attack%20spread%20through%20an%20environment%20over%20time%2C%20where%20it%20started%20and%20how%20far%20the%20attacker%20went.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Animation1.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F307572iAAE6A73AC7E1B383%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Animation1.gif%22%20alt%3D%22Animation1.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH5%20id%3D%22toc-hId--1452145097%22%20id%3D%22toc-hId--1452090235%22%3E%3CEM%3E%26nbsp%3BPlay%20the%20attack%20over%20time%3C%2FEM%3E%3C%2FH5%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-2131254517%22%20id%3D%22toc-hId-2131309379%22%3ENow%20you%20will%20be%20able%20to%3A%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3ESee%20how%20the%26nbsp%3Bincident%E2%80%99s%20alerts%20are%20connected%3CBR%20%2F%3E%3C%2FSTRONG%3EWith%20one%20glance%20you%20can%20see%20the%20connection%20of%20alerts%20to%20the%20impacted%20assets%20in%20your%20organization.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EPivot%20to%20alerts%20directly%20from%20the%26nbsp%3Bgraph%3C%2FSTRONG%3E%3CBR%20%2F%3EYou%20can%20view%20the%20alerts%20right%20from%20the%26nbsp%3Bgraph%26nbsp%3Bpage%20and%20quickly%20drill%20down%20to%20view%20more%20details.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EOpen%20the%20entity%20details%20directly%20from%20the%26nbsp%3Bgraph%3C%2FSTRONG%3E%3CBR%20%2F%3EYou%20can%20view%20the%20entities%20details%20without%20losing%20orientation%20directly%20from%20the%20graph%20and%20act%20on%20them%20with%20response%20options%20like%20file%20delete%2C%20device%20isolation%2C%20etc.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EHighlight%20the%20entities%20related%20to%20an%20alert%3CBR%20%2F%3E%3C%2FSTRONG%3EEasily%20see%20which%20entities%20are%20related%20to%20which%20alerts%20and%20how%20they%20are%20part%20of%20the%20story%20of%20the%20attack.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ETo%20easily%20investigate%20the%20incident%20and%20to%20help%20get%20you%20oriented%2C%20you%20can%20select%20specific%20alerts%20for%20which%20you%20want%20to%20highlight%20relevant%20entities.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Idan_Pelleg_0-1630571753395.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F307576i4B1E99DBED2FC6BC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Idan_Pelleg_0-1630571753395.png%22%20alt%3D%22Idan_Pelleg_0-1630571753395.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH5%20id%3D%22toc-hId--772086727%22%20id%3D%22toc-hId--772031865%22%3E%3CEM%3E%26nbsp%3BHighlight%20specific%20nodes%20on%20the%20graph%20based%20on%20the%20alert%3C%2FEM%3E%3C%2FH5%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20drill%20down%20to%20each%20alert%20directly%20from%20the%20graph%20as%20well%20as%20open%20the%20entity%20side%20pane.%3C%2FP%3E%0A%3CP%3EThis%20will%20allow%20you%20to%20review%20the%20entity%20details%20and%20take%20remediation%20actions%2C%20such%20as%20deleting%20a%20file%20or%20isolating%20a%20device.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Idan_Pelleg_1-1630571863612.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F307577iE552935A060A8E52%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Idan_Pelleg_1-1630571863612.png%22%20alt%3D%22Idan_Pelleg_1-1630571863612.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20now%20you%20can%20review%2C%20investigate%20and%20remediate%20attacks%20while%20seeing%20the%20full%20story%20of%20the%20attack%20right%20away%20and%20understand%20how%20the%20entites%20are%20connected%20to%20each%20other.%3C%2FP%3E%0A%3CP%3EThe%26nbsp%3Bincident%26nbsp%3Bgraph%26nbsp%3Bin%20Microsoft%20365%20Defender%20is%20available%20from%20the%20new%26nbsp%3B%3CSTRONG%3EGraph%26nbsp%3B%3C%2FSTRONG%3Etab%20of%20an%26nbsp%3Bincident%20.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESee%20also%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender%2Fincidents-overview%3Fview%3Do365-21vianet%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIncidents%20overview%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender%2Fmanage-incidents%3Fview%3Do365-21vianet%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20incidents%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Freview.docs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender%2Finvestigate-incidents%3Fview%3Do365-21vianet%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EInvestigate%20incidents%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%E2%80%83%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2710668%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20new%20incident%20graph%20view%20in%20Microsoft%20365%20Defender%20allows%20you%20to%20view%20the%20full%20story%20of%20an%20attack.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎Sep 02 2021 11:09 AM
Updated by: