Incidents and more incidents
A Microsoft Defender XDR incident joins all related alerts and data, presenting a comprehensive narrative of a cyber assault. The Incidents page within Microsoft Defender XDR, also referred to as the Incidents queue, serves as a centralized hub, integrating Defender for Office 365 alerts, instrumental Automated Investigation and Response (AIR) initiatives, and the results of such in-depth investigations. These alerts are triggered by malicious or questionable activities bearing upon various entities, including emails, user accounts, and mailboxes, and help to provide intelligence on attacks in progress or those that have finished. It is commonplace for a multi-vector attack to generate an assortment of alerts across different points of origin. We can see this in the encapsulation of an aggregation of correlated alerts, in which many alerts that are triggered help create the story of how a complex attack occurred:
Figure 9.10 ...
