L6. Incident Management: Correlation, Triage and Response
Effective incident management in Defender XDR requires understanding how alerts become incidents, how to triage and classify them, and which response actions to take. This lesson covers the incident queue, investigation graph, and automated response capabilities for the SC-200 exam.
How Alerts Become Incidents
Defender XDR groups related alerts into incidents using its correlation engine. The engine considers:
- Entity mapping: Alerts sharing the same user, device, mailbox, or IP address
- Temporal correlation: Alerts occurring within a related timeframe
- Attack pattern matching: Known attack sequences mapped to MITRE ATT&CK
A single incident can contain alerts from multiple Defender products. For example, an incident might include a phishing alert (Office 365), a suspicious sign-in (Identity), malware execution (Endpoint), and data exfiltration to a cloud app (Cloud Apps).
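The correlation described above is easiest to see as an algorithm. The following is an added example, not Microsoft's engine and not code from this lesson: alerts that share an entity (user, device, mailbox, IP) within a time window are joined into one incident, and joining is transitive, so the four-product chain in the paragraph above collapses into a single incident. The alerts, names and the 24-hour window are constructed for illustration; Defender XDR's real window and weighting are not documented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    product: str
    title: str
    severity: str
    time: datetime
    entities: frozenset  # (entity_type, value) pairs, e.g. ("user", "alice@contoso.com")


def correlate(alerts, window=timedelta(hours=24)):
    """Group alerts into incidents by shared entity and temporal proximity.

    Two alerts are joined when they share at least one entity and the later one
    occurs within `window` of the previous alert on that same entity.  Union-find
    makes joining transitive: a chain A-B-C is one incident even when A and C
    share no entity directly.  Incident severity is the highest member severity.
    """
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Entity mapping: index every alert under each entity it references.
    by_entity = {}
    for a in alerts:
        for entity in a.entities:
            by_entity.setdefault(entity, []).append(a)

    # Temporal correlation: walk each entity's alerts in time order and join
    # neighbours that fall inside the window.
    for group in by_entity.values():
        group.sort(key=lambda a: a.time)
        for earlier, later in zip(group, group[1:]):
            if later.time - earlier.time <= window:
                union(earlier.alert_id, later.alert_id)

    buckets = {}
    for a in alerts:
        buckets.setdefault(find(a.alert_id), []).append(a)

    incidents = []
    for members in buckets.values():
        members.sort(key=lambda a: a.time)
        incidents.append({
            "alert_ids": [a.alert_id for a in members],
            "products": sorted({a.product for a in members}),
            "severity": max((a.severity for a in members), key=SEVERITY_RANK.__getitem__),
            "first_activity": members[0].time,
            "entities": sorted(set().union(*(a.entities for a in members))),
        })
    incidents.sort(key=lambda i: i["first_activity"])
    return incidents


# Constructed sample alerts mirroring the phishing -> sign-in -> malware -> exfil chain.
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_ALERTS = [
    Alert("a1", "Office 365", "Phishing email delivered", "medium", T0,
          frozenset({("mailbox", "alice@contoso.com"), ("user", "alice@contoso.com")})),
    Alert("a2", "Identity", "Suspicious sign-in", "medium", T0 + timedelta(minutes=40),
          frozenset({("user", "alice@contoso.com"), ("ip", "203.0.113.7")})),
    Alert("a3", "Endpoint", "Malware execution", "high", T0 + timedelta(hours=2),
          frozenset({("device", "WS-042"), ("user", "alice@contoso.com")})),
    Alert("a4", "Cloud Apps", "Mass download to unsanctioned app", "high", T0 + timedelta(hours=5),
          frozenset({("user", "alice@contoso.com")})),
    Alert("a5", "Identity", "Unusual sign-in", "low", T0 - timedelta(days=3),
          frozenset({("user", "bob@contoso.com")})),          # unrelated user
    Alert("a6", "Endpoint", "Suspicious PowerShell", "medium", T0 + timedelta(days=10),
          frozenset({("device", "WS-042")})),                  # same device, outside window
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["first_activity"], inc["severity"], inc["alert_ids"], inc["products"])
```

Run as-is and you get three incidents: Bob's lone sign-in, the four-alert chain on Alice (severity High, four products), and the later WS-042 alert, which shares a device with the chain but falls outside the window. Widening the window to 30 days pulls a6 into the chain, which is the practical lesson: correlation windows trade fewer, richer incidents against the risk of merging unrelated activity on a shared entity.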
The Incident Queue
The incident queue at security.microsoft.com > Incidents is the SOC analyst's primary workspace. Each incident shows:
- Severity: High, Medium, Low, Informational
- Status: New, In progress, Resolved
- Classification: True positive, Informational, expected activity, False positive
- Determination: a single value chosen from a list that depends on the classification. True positive offers Multistage attack, Malicious user activity, Compromised account, Malware, Phishing, Unwanted software, Other; Informational, expected activity offers Security testing, Line-of-business application, Confirmed activity, Other; False positive offers Not malicious, Not enough data to validate, Other
- Assignment: Assigned analyst or team
- Category: MITRE ATT&CK tactic (Initial Access, Execution, etc.)
Filters let analysts focus on specific severities, statuses, categories, data sources, or assigned owners. Exam tip: The exam tests your ability to choose the correct classification and determination for a given scenario. A penetration test by a hired firm is authorized activity, so it is classified as "Informational, expected activity" with determination "Security testing". Marking it "True positive" would record sanctioned testing as a real attack and distort the detection-tuning signal those classifications feed.
Investigation Graph
The investigation graph visualizes the relationships between entities in an incident:
- Users, devices, mailboxes, and IP addresses involved
- Files and processes executed
- Alerts triggered and their timeline
- Related evidence and artifacts
Clicking any entity opens its detailed page with full context: activity timeline, alerts, group memberships (for users), installed software (for devices), and related incidents.
Response Actions
Incident response actions in Defender XDR span all workloads:
| Action | Scope | Effect |
|---|---|---|
| Isolate device | Endpoint | Cuts network, keeps Defender connection |
| Disable user account | Identity | Blocks sign-in across all services |
| Reset password | Identity | Forces password change |
| Confirm user compromised | Identity | Raises user risk level in Entra ID |
| Soft delete email | Office 365 | Moves email to Deleted Items |
| Hard delete email | Office 365 | Permanently removes from mailbox |
| Block URL/file | XDR-wide | Adds to custom indicator blocklist |
| Trigger AIR | XDR-wide | Launches automated investigation |
Automated Investigation and Response
When an incident triggers Automated Investigation and Response (AIR):
- AIR examines all alerts and entities in the incident
- It expands the investigation to check for related suspicious activity
- It produces a list of recommended remediation actions
- Depending on the automation level configured for the device group (Full - remediate threats automatically, one of the Semi levels that require approval for some or all remediation, or No automated response), actions are applied automatically or queued for an analyst's approval
The Action center at security.microsoft.com shows all pending and completed actions across the organization.
Incident Classification Workflow
A practical triage workflow for the exam:
- Review the incident summary and alert evidence
- Check the investigation graph for entity relationships
- Open entity pages to review activity timelines
- Determine if the activity is malicious, expected, or a false positive
- Set the classification, determination, and add comments
- Take response actions or trigger AIR
- Resolve the incident when all alerts are addressed
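The classification step of this workflow is the one the portal constrains: the determination list changes with the classification, and the pentest scenario from the exam tip is the classic trap. The following added example (not code from this lesson or from Microsoft) encodes those constraints, applies a few exam-style triage rules to constructed incident data, and builds the request body you would send to record the decision. The enum spellings (`truePositive`, `informationalExpectedActivity`, `securityTesting`, `compromisedUser`, and so on) and the property names `status`, `classification`, `determination` and `assignedTo` are assumed to match the Microsoft Graph security API's incident resource; the incidents, addresses and app name are invented.

```python
import json

# Allowed determinations per classification, in Microsoft Graph enum spelling
# (assumed to match microsoft.graph.security.alertClassification / alertDetermination).
ALLOWED_DETERMINATIONS = {
    "truePositive": {                    # portal: "True positive"
        "multiStagedAttack", "maliciousUserActivity", "compromisedUser",
        "malware", "phishing", "unwantedSoftware", "other",
    },
    "informationalExpectedActivity": {   # portal: "Informational, expected activity"
        "securityTesting", "lineOfBusinessApplication",
        "confirmedUserActivity", "other",
    },
    "falsePositive": {                   # portal: "False positive"
        "clean", "insufficientData", "other",
    },
}


def is_valid_pair(classification, determination):
    """True when the portal would let you save this classification/determination."""
    return determination in ALLOWED_DETERMINATIONS.get(classification, ())


def propose_triage(incident, authorized_test_sources, sanctioned_apps=()):
    """Suggest (classification, determination) from an incident's entities and evidence.

    Exam-style rules: activity from an authorized pentest source is expected
    activity, not a true positive, however hostile it looks; malware or credential
    misuse from anyone else is a true positive; an alert explained only by a
    sanctioned line-of-business app is expected activity; anything else is left
    as ("unknown", "unknown") for a human.
    """
    sources = {value for kind, value in incident["entities"] if kind in ("ip", "user")}
    if sources & set(authorized_test_sources):
        return ("informationalExpectedActivity", "securityTesting")
    evidence = set(incident.get("evidence", ()))
    if "malware_executed" in evidence:
        return ("truePositive", "malware")
    if "credential_misuse" in evidence:
        return ("truePositive", "compromisedUser")
    apps = {value for kind, value in incident["entities"] if kind == "app"}
    if apps and apps <= set(sanctioned_apps) and not evidence:
        return ("informationalExpectedActivity", "lineOfBusinessApplication")
    return ("unknown", "unknown")


def build_incident_patch(classification, determination, assigned_to=None, resolve=True):
    """Body for PATCH /security/incidents/{id}; rejects pairs the portal would reject.

    Property names are assumed from the Graph incident resource.
    """
    if not is_valid_pair(classification, determination):
        raise ValueError(
            f"{determination!r} is not a valid determination for {classification!r}; "
            f"allowed: {sorted(ALLOWED_DETERMINATIONS.get(classification, ()))}")
    body = {"classification": classification, "determination": determination}
    if resolve:
        body["status"] = "resolved"
    if assigned_to:
        body["assignedTo"] = assigned_to
    return body


# Constructed sample incidents (not real telemetry).
AUTHORIZED_PENTEST_SOURCES = {"198.51.100.20", "redteam@contoso.com"}
PENTEST_INCIDENT = {
    "id": "inc-1001",
    "entities": [("ip", "198.51.100.20"), ("device", "WS-042"), ("user", "alice@contoso.com")],
    "evidence": ["credential_misuse"],   # looks bad, but the source is the hired firm
}
MALWARE_INCIDENT = {
    "id": "inc-1002",
    "entities": [("device", "WS-017"), ("user", "bob@contoso.com")],
    "evidence": ["malware_executed"],
}
LOB_INCIDENT = {
    "id": "inc-1003",
    "entities": [("user", "carol@contoso.com"), ("app", "Contoso-Payroll")],
}

if __name__ == "__main__":
    for inc in (PENTEST_INCIDENT, MALWARE_INCIDENT, LOB_INCIDENT):
        cls, det = propose_triage(inc, AUTHORIZED_PENTEST_SOURCES, sanctioned_apps={"Contoso-Payroll"})
        print(inc["id"], json.dumps(build_incident_patch(cls, det, assigned_to="soc-tier2@contoso.com")))
```

Note that `build_incident_patch("truePositive", "securityTesting", ...)` raises, mirroring the portal: Security testing simply is not offered under True positive. The allowlist of pentest sources is what turns a credential-misuse incident into expected activity, so keep that list tightly scoped and dated to the engagement; a stale entry would quietly downgrade a real attacker coming from the same address.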
Linking and Merging Incidents
Defender XDR merges incidents automatically when later alerts reveal a shared entity or attack chain; the absorbed incident is closed with a pointer to the surviving one. If two incidents are related but were not automatically correlated, analysts can link them manually. Linked incidents share context, but resolving one does not automatically resolve the other.
- ✓Defender XDR correlates alerts into incidents based on shared entities, temporal proximity, and attack patterns.
- ✓Incident classifications: True positive, Informational, expected activity, False positive; the determination list depends on the classification chosen.
- ✓A hired penetration test is classified as "Informational, expected activity" with determination "Security testing," not as a True positive.
- ✓"Confirm user compromised" raises the user risk level in Entra ID Protection, triggering risk-based Conditional Access policies.
- ✓The Action center shows all pending and completed remediation actions across the organization.
- ✓AIR expands investigations beyond the initial alert to check for related suspicious activity.
1. Your organization hired a penetration testing firm. Their activity triggers multiple high-severity alerts. How should you classify the incident?
2. A SOC analyst clicks "Confirm user compromised" on a user entity in Defender XDR. What is the immediate effect?
3. Where can a SOC analyst review all pending and completed remediation actions across Defender XDR?