Microsoft Defender XDR Blog
Microsoft Threat Protection now uses more descriptive incident names

Idan_Pelleg
Aug 20, 2020

The new incident naming feature in Microsoft Threat Protection now lets you understand an incident's scope at a glance!

When you are looking at the incident queue and need to decide which incident to investigate next, hints about the content of each incident play an important role in that choice. Naming incidents automatically is hard because a single incident can encompass a variety of different suspicious activities.

Our researchers have developed a state-of-the-art algorithm that automatically describes incidents with comprehensive names, leveraging the MITRE ATT&CK® categories we have for each alert. Instead of numerical incident names like "Incident 1234", you now see names like "Multi-stage incident involving Discovery & Collection reported by multiple sources".

Now, analysts can quickly understand the scope of an incident right from the Microsoft Threat Protection incident queue. With the incident's name and supporting data (such as the number of endpoints affected, users affected, detection sources, categories, and more) in one view, analysts can make faster decisions based on the nature of the incident. This improvement saves analysts time and effort that is better spent investigating and remediating high-priority threats.

Here are some examples of incident names developed with the new algorithm:

  • 'Dirtelti' backdoor was prevented on multiple endpoints
  • Office process dropped and executed a PE file on multiple endpoints
  • Multi-stage incident involving Initial access & Execution on one endpoint reported by multiple sources
  • Ransomware activity
  • Multi-stage incident involving Discovery & Command and control on one endpoint
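The sample names above follow a visible pattern: a single detection keeps its alert title and gains a scope suffix, while a mix of alerts becomes "Multi-stage incident involving" the ATT&CK categories seen, plus the endpoint scope and a "reported by multiple sources" tag. The Python below is an added illustration of a naming heuristic that reproduces that pattern from a list of alerts; it is not Microsoft's algorithm and the post does not describe the real implementation. The `Alert` fields, the kill-chain ordering of categories, the "<category> activity" form for same-category alerts, and the sample alerts are all assumptions made for the example.

```python
"""Illustrative incident-naming heuristic (added example, not Microsoft's code).

Assumption: each alert carries a title, a MITRE ATT&CK category (or a Defender
category such as "Malware"), the endpoint it fired on, and its detection source.
"""
from dataclasses import dataclass

# ATT&CK Enterprise tactics in kill-chain order. Assumption: categories are
# joined in this order, which matches the order seen in the sample names
# ("Initial access & Execution", "Discovery & Command and control").
TACTIC_ORDER = [
    "Initial access", "Execution", "Persistence", "Privilege escalation",
    "Defense evasion", "Credential access", "Discovery", "Lateral movement",
    "Collection", "Command and control", "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Alert:
    title: str       # alert title, e.g. "'Dirtelti' backdoor was prevented"
    category: str    # ATT&CK tactic or Defender category assigned to the alert
    device_id: str   # endpoint the alert fired on
    source: str      # detection source, e.g. "Defender for Endpoint"


def _tactic_rank(category: str) -> int:
    """Kill-chain position; unknown categories (e.g. 'Malware') sort last."""
    return TACTIC_ORDER.index(category) if category in TACTIC_ORDER else len(TACTIC_ORDER)


def _scope(device_count: int) -> str:
    return "on one endpoint" if device_count == 1 else "on multiple endpoints"


def name_incident(alerts: list[Alert]) -> str:
    """Build a descriptive incident name from the alerts correlated into it."""
    if not alerts:
        raise ValueError("an incident needs at least one alert")

    titles = {a.title for a in alerts}
    categories = sorted({a.category for a in alerts}, key=_tactic_rank)
    devices = {a.device_id for a in alerts}
    sources = {a.source for a in alerts}

    if len(titles) == 1:
        # One detection type: the alert title is already descriptive; only
        # add scope when the same detection hit several endpoints.
        name = next(iter(titles))
        if len(devices) > 1:
            name += " on multiple endpoints"
    elif len(categories) == 1:
        # Different alerts but a single category: assumption, "<category> activity".
        name = f"{categories[0]} activity {_scope(len(devices))}"
    else:
        name = ("Multi-stage incident involving " + " & ".join(categories)
                + " " + _scope(len(devices)))

    if len(sources) > 1:
        name += " reported by multiple sources"
    return name


# Constructed sample incidents (not real telemetry).
SAMPLE_MULTI_STAGE = [
    Alert("Suspicious LDAP enumeration", "Discovery", "host-a", "Defender for Endpoint"),
    Alert("Mailbox items collected", "Collection", "host-a", "Defender for Office 365"),
]
SAMPLE_SINGLE_DETECTION = [
    Alert("'Dirtelti' backdoor was prevented", "Malware", "host-a", "Defender for Endpoint"),
    Alert("'Dirtelti' backdoor was prevented", "Malware", "host-b", "Defender for Endpoint"),
]
SAMPLE_SAME_CATEGORY = [
    Alert("Suspicious PowerShell command line", "Execution", "host-c", "Defender for Endpoint"),
    Alert("Office process dropped and executed a PE file", "Execution", "host-c", "Defender for Endpoint"),
]

if __name__ == "__main__":
    for incident in (SAMPLE_MULTI_STAGE, SAMPLE_SINGLE_DETECTION, SAMPLE_SAME_CATEGORY):
        print(name_incident(incident))
```

The triage value is in the structure of the name rather than the exact wording: category order tells the analyst how far along the kill chain the activity has progressed, and the endpoint and source suffixes hint at spread and corroboration before the incident is even opened.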

To learn more about incidents in Microsoft Threat Protection, go to the following links:

Updated Dec 23, 2021
Version 6.0