Defender XDR Portal & Unified Incidents
Understanding the Concept
The Microsoft Defender XDR portal (security.microsoft.com) is the unified workspace for security operations. It consolidates alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into correlated incidents, giving analysts the full attack story in one place.
An incident is a collection of related alerts that together represent a complete attack. The system automatically correlates alerts based on shared entities (users, devices, IPs, files) and attack timelines.
The incident queue provides prioritized views with severity ratings, automated investigation status, and classification options.
Key Points
- Defender XDR portal at security.microsoft.com is the unified SOC workspace
- Incidents automatically correlate alerts from all Defender products
- Correlation based on shared entities: users, devices, IPs, file hashes
- Incident queue supports filtering by severity, status, category
- Incidents can be classified as True Positive, False Positive, or Informational
Incident Correlation Flow
- Alert Generation: individual alerts from each Defender product
- Entity Mapping: alerts linked by shared users, devices, IPs
- Incident Creation: correlated alerts grouped into incidents
- Investigation: analyst reviews the attack story and evidence
- Response: containment, remediation, and recovery
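To make the entity-mapping and incident-creation steps concrete, here is an added example (not code from Microsoft or from this course) that correlates constructed sample alerts into incidents whenever they share a user, device, IP or file hash, transitively, and orders the result by highest severity the way an incident queue would. The alert records, entity naming scheme and severity ranking are assumptions made for the example.

```python
"""Toy alert-to-incident correlation by shared entities (constructed sample data)."""
from collections import defaultdict

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample alerts, one per Defender product; not real telemetry.
SAMPLE_ALERTS = [
    {"id": "A1", "product": "Defender for Office 365", "severity": "medium",
     "entities": {"user:alice", "file:sha256:AAA"}},
    {"id": "A2", "product": "Defender for Endpoint", "severity": "high",
     "entities": {"device:WS01", "file:sha256:AAA"}},
    {"id": "A3", "product": "Defender for Identity", "severity": "medium",
     "entities": {"user:alice", "device:DC01"}},
    {"id": "A4", "product": "Defender for Cloud Apps", "severity": "low",
     "entities": {"user:bob", "ip:203.0.113.7"}},
    {"id": "A5", "product": "Defender for Endpoint", "severity": "informational",
     "entities": {"device:WS09"}},
]

def correlate(alerts):
    """Group alerts that share at least one entity (transitively) into incidents."""
    parent = {a["id"]: a["id"] for a in alerts}  # union-find over alert ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # entity -> first alert id that carried it
    for alert in alerts:
        for entity in alert["entities"]:
            if entity in first_seen:
                union(alert["id"], first_seen[entity])
            else:
                first_seen[entity] = alert["id"]

    groups = defaultdict(list)
    for alert in alerts:
        groups[find(alert["id"])].append(alert)

    incidents = []
    for members in groups.values():
        incidents.append({
            "alerts": sorted(m["id"] for m in members),
            "products": sorted({m["product"] for m in members}),
            "entities": set().union(*(m["entities"] for m in members)),
            "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.get),
        })
    # Highest severity first, as an incident queue would prioritise
    incidents.sort(key=lambda i: (-SEVERITY_RANK[i["severity"]], i["alerts"]))
    return incidents
```

With the sample data, A1, A2 and A3 collapse into one high-severity incident spanning three products (A1 and A2 share the file hash, A1 and A3 share the user), while A4 and A5 remain separate incidents.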
Why This Matters in Real Organizations
Without incident correlation, analysts see hundreds of individual alerts with no context linking them. Defender XDR reduces alert fatigue by grouping related alerts into incidents, cutting alert volume by 80% while giving each incident richer context.
Common Mistakes to Avoid
Interview Tips
- Describe the incident investigation workflow in Defender XDR
- Explain how alert correlation reduces analyst workload
- Discuss incident prioritization strategies
Exam Tips (SC-200)
- Know the difference between alerts and incidents
- Understand incident classification options
- Know how to use incident queue filters