March 31, 2023
Microsoft Security

Microsoft 365 Defender: Incident management


This overview explains how Microsoft 365 Defender turns siloed, high-volume security signals into cross-domain incidents that are easier to prioritize and resolve. It walks through the Incidents queue, then opens an incident and tours the key tabs. Summary shows alert counts, active versus resolved alerts, MITRE ATT&CK mapping, the originating products, affected assets such as devices, users, mailboxes and apps, the top impacted entities, evidence and remediation status, and metadata such as tags and user groups. Alerts lists severity, status, and why each alert is linked to the incident; many are auto-investigated and already resolved. Devices shows risk level and tags with drill-down; Users includes the investigation priority from UEBA; Mailboxes pivots into Explorer; Apps pivots into Defender for Cloud Apps; Investigations reports automation status and remediation actions; and Evidence and Response gives counts by entity type (emails, files, URLs) with drill-down to item details. It also demonstrates "Go hunt," which launches an Advanced Hunting query from an evidence item to expand the scope of the investigation, and finishes with the incident graph, a visual map of related entities with options to view details, pin or hide alerts, and in some cases take actions directly, before resolving the incident via Manage incident and classifying it (a true positive multistage attack in the example).

We produced this as a guided tour that keeps the experience coherent even though the incident itself is gloriously complex. The narration is structured to match the investigation flow and the edit keeps momentum while still letting each tab’s purpose register. The payoff is a video that helps teams feel confident in the incident workspace—and faster at turning context into action. Final delivery includes closed captions, audio description, and thumbnails.
