This blog is Part 1 of our multi-part series where we will do an in-depth examination of DLP incidents, alerts and events.
Correlation Analytics
Prior to delving into the specifics, it is essential to understand that Microsoft Defender employs correlation analytics to aggregate related alerts and automated investigations from various products into a single incident. This comprehensive perspective enables security analysts to gain a clearer understanding of broader attack scenarios, facilitating more effective responses to complex threats across the organisation.
When Microsoft Defender identifies suspicious activity, it generates alerts. These alerts are then assessed to determine whether they should:
- Create a new incident, if the alert is distinct within a defined timeframe.
- Be appended to an existing incident, if the alert shares attributes with those already grouped.
The correlation engine evaluates several criteria using proprietary algorithms, including:
- Entities (such as users, devices)
- Artifacts (including files, processes, email senders)
- Timeframes
- Event sequences (for example, a phishing email followed by a malicious click)
Microsoft Defender's capabilities extend beyond initial incident creation. It continually monitors for relationships among incidents and may automatically merge them in cases where:
- Alerts share attacker IP addresses, exhibit similar attack patterns, or affect related endpoints
- The same user or device triggers multiple alerts within the established correlation window
As a result, it is possible for alerts originating from different products or sources to be merged into a single incident or alert. For further information, please refer to the following article:
Alert correlation and incident merging in the Microsoft Defender portal - Microsoft Defender XDR | Microsoft Learn
Naming
Microsoft Defender XDR automatically names incidents, alerts, and events using attributes like activity, channel, users, detection sources, and category. This dynamic and context-aware naming convention plays a crucial role in security operations, as it enables analysts to quickly understand the nature and scope of an issue without needing to delve into each detail immediately. For instance, the incident name may indicate whether the event involves multiple endpoints, several users, or has been detected by more than one security product. Such automated, attribute-based naming supports rapid triage and better situational awareness, especially when dealing with a high volume of alerts across complex environments.
Examples:
- Incident – Exfiltration on one endpoint reported by multiple sources
- Alert – DLP policy (EXO PAN Policy) matched for email with subject (SS)
- Event – Sensitive info in '1-MB-Test.docx' copied to cloud
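To make the grouping rules from the Correlation Analytics section and the attribute-based naming above concrete, here is an added example that is not Microsoft's code and does not reproduce the proprietary correlation engine: a toy correlator that joins alerts sharing an entity within a correlation window, merges incidents that a later alert bridges, and derives a name in the style of "Exfiltration on one endpoint reported by multiple sources". The alert records, the "user:"/"device:" entity tags and the 24-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed toy model of the grouping described above, not Microsoft's engine:
# a shared entity inside the window joins an incident; a bridging alert merges two.

@dataclass
class Alert:
    alert_id: str
    category: str        # e.g. "Exfiltration"
    source: str          # detection product that raised the alert
    time: datetime
    entities: frozenset  # tags such as "user:alice" or "device:LAPTOP-01"

def entities(incident):  # an incident is modelled as the list of its alerts
    return set().union(*(a.entities for a in incident))
def correlate(alerts, window_hours=24):
    # Oldest first: each alert either opens an incident or joins matching ones.
    window, incidents = timedelta(hours=window_hours), []
    for alert in sorted(alerts, key=lambda a: a.time):
        matches = [inc for inc in incidents if entities(inc) & alert.entities
                   and alert.time - max(a.time for a in inc) <= window]
        if not matches:
            incidents.append([alert])
            continue
        target = matches[0]
        target.append(alert)
        for other in matches[1:]:         # one alert links several incidents
            target.extend(other)
            incidents.remove(other)
    return incidents

def incident_name(incident):
    # Attribute-based name in the portal's style: category, scope, sources.
    category = " and ".join(sorted({a.category for a in incident}))
    devices = {e for e in entities(incident) if e.startswith("device:")}
    users = {e for e in entities(incident) if e.startswith("user:")}
    sources = {a.source for a in incident}
    n, kind = (len(devices), "endpoint") if devices else (len(users), "user")
    scope = f"one {kind}" if n == 1 else f"{n} {kind}s"
    reported = "multiple sources" if len(sources) > 1 else next(iter(sources))
    return f"{category} on {scope} reported by {reported}"

T0, DLP, XDR = datetime(2024, 1, 1, 9, 0), "Microsoft Data Loss Prevention", "Defender XDR"
SAMPLE_ALERTS = [  # constructed: a4 bridges the a1/a2 and a3 incidents; a5 is unrelated
    Alert("a1", "Exfiltration", DLP, T0, frozenset({"user:alice", "device:LAPTOP-01"})),
    Alert("a2", "Exfiltration", XDR, T0 + timedelta(minutes=20), frozenset({"device:LAPTOP-01"})),
    Alert("a3", "Exfiltration", DLP, T0 + timedelta(minutes=40), frozenset({"user:carol"})),
    Alert("a4", "Exfiltration", XDR, T0 + timedelta(hours=1), frozenset({"user:carol", "device:LAPTOP-01"})),
    Alert("a5", "Exfiltration", DLP, T0 + timedelta(days=3), frozenset({"user:bob"})),
]
```

Shrinking the window (for example `correlate(SAMPLE_ALERTS, window_hours=0.1)`) keeps every alert in its own incident even though entities overlap, which is the timeframe criterion at work.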
Incident Overview
With a foundational understanding of correlation analytics and aggregation, let's now turn our attention to an Exfiltration incident. The primary interface pane presents essential information designed to facilitate efficient navigation.
The incident can be expanded to display its associated alerts. Although incidents are correlated, various filters—such as Entities and Policy—may be utilized to further refine the data within each incident. Additional filtering options are accessible, as shown in the reference image on the right.
The 'Copy List link' function allows you to generate and distribute a direct link to the incident list, ensuring that any active filters are preserved within the URL.
Figure 1: Incidents Primary Pane
The following columns are displayed in the Primary Pane.
- Incident ID – A unique identifier assigned to each incident for tracking and reference.
- Tags – Custom labels added to incidents for categorization, filtering, or workflow management.
- Severity – Indicates the potential impact of the incident (e.g., Low, Medium, High).
- Investigation State – Shows the current progress of the investigation (e.g., In Progress, Completed).
- Categories – Classifies the incident type (e.g., Exfiltration, Initial Access).
- Impacted Assets – Lists affected entities such as devices, users, and applications.
- Active Alerts – Displays the number of active alerts against the total number of alerts contributing to the incident.
- Detection Sources & Product Names – Identifies which Defender product or sensor generated the alerts (e.g., Defender XDR, Microsoft Data Loss Prevention).
- Time (Last Update, First & Last Activity) – Indicates the most recent update time and the initial and final activity times related to the incident.
- Policy Name – Refers to the policy that triggered the alert or incident.
- Policy Rule Name – The specific rule within the policy that was violated or matched.
- Data Stream – Indicates the type of data involved (e.g., Exchange, Endpoint).
- Data Sensitivity – Indicates the maximum sensitivity level identified among all associated files or devices. This enables analysts to efficiently determine if sensitive or regulated information (such as PII, financial records, or credentials) may be exposed to risk.
- Status – Reflects the current state of the incident (e.g., Active, Resolved, In-Progress).
- Assigned to – Shows the analyst or team responsible for investigating and resolving the incident.
- Classification – Analyst-defined label recording whether the incident is a True Positive, a False Positive, or Informational (expected activity).
- Determination – Specifies the nature of the threat (e.g., Malicious, Suspicious, Clean).
- Device Groups – Groups of devices impacted or involved in the incident, often used for scoping and filtering.
- Workspaces – Logical containers or environments where incidents are managed, especially in multi-tenant or MSSP setups.
Incident Details
The details page lets you view and play back the full attack story, from start to finish. It features an incident graph that maps how the attack unfolded, connecting alerts, entities (such as users and devices), assets, and a timeline of events. The graph offers a holistic overview of the incident, showing its origin, spread, and affected entities. You can interactively explore details by clicking on nodes for more information and taking remediation steps like isolating devices or deleting files. Direct investigation into specific alerts and contextual actions are available without leaving the graph view.
Figure 2: Exfiltration incident on one endpoint reported by multiple sources
Figure 3: DLP policy action frame
You can also view details about alerts, assets, investigations, evidence and responses, summaries, similar incidents, and generate incident reports or export them as PDFs. The platform enables you to manage and merge incidents, utilise Copilot, and investigate data security threats using AI. Additionally, it displays device risk and exposure levels alongside app details and associated risks, and provides the count of active alerts categorised by severity.