
Introducing AI-powered incident prioritization in Microsoft Defender

January 8, 2026 | Microsoft Tech

Summary

Every SOC analyst faces this challenge: multiple incidents with the same severity, coming from different sources. When everything looks equally urgent, the real question becomes which incident to investigate first, and how to make that choice consistently across shifts, analysts, and tool stacks.

Security teams don’t struggle because they lack alerts—they struggle because they have too many, arriving faster than humans can triage. Microsoft Defender brings Microsoft Defender XDR and Microsoft Sentinel signals together into correlated incidents, which is exactly what you want for end-to-end visibility. But it also means your incident queue can become the bottleneck.

The goal of the incident queue experience is simple—to turn a high-volume stream of incidents across devices, identities, mailboxes, and cloud resources into a prioritized, explainable worklist so analysts can act faster with confidence.

Explainable ML-driven prioritization

Microsoft Defender aggregates related alerts and automated investigations into an incident. That correlation matters because some activity is only clearly malicious when you connect the dots across multiple products and telemetry sources.

Instead of chasing isolated alerts, analysts get the broader narrative: what happened, what it touched, and how it progressed. To help teams act on that story quickly, the incident queue includes AI-powered incident prioritization (see Figure 1).
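To make the correlation-then-prioritization idea concrete, here is an added example, written for this page and not Microsoft's code or a description of how Defender scores incidents. It stitches constructed alerts from four hypothetical sources (endpoint, identity, email, cloud) into incidents wherever they share an entity, then ranks the incidents with a deliberately transparent score and records the reasons, so the resulting worklist is explainable. The alert records, source names and weights are all assumptions chosen for illustration.

```python
"""Illustrative alert-to-incident correlation with an explainable ranking.

Added example, not Microsoft's code: it mimics the idea of joining alerts
from several products into one incident via shared entities, then ranking
incidents with a transparent score. Every alert below is a constructed sample.
"""
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed sample alerts. Each carries its (hypothetical) source product,
# severity, and the entities (device / user / mailbox / cloud resource) it touched.
ALERTS = [
    {"id": "A1", "source": "endpoint", "severity": "medium",
     "title": "Suspicious PowerShell", "entities": {"device:WS-01", "user:alice"}},
    {"id": "A2", "source": "identity", "severity": "medium",
     "title": "Atypical sign-in", "entities": {"user:alice"}},
    {"id": "A3", "source": "email", "severity": "medium",
     "title": "Phish delivered", "entities": {"mailbox:alice@example.test", "user:alice"}},
    {"id": "A4", "source": "cloud", "severity": "high",
     "title": "Unusual storage access", "entities": {"user:alice", "resource:storage-acct-7"}},
    {"id": "A5", "source": "endpoint", "severity": "medium",
     "title": "Suspicious PowerShell", "entities": {"device:WS-42", "user:bob"}},
    {"id": "A6", "source": "endpoint", "severity": "high",
     "title": "Malware detected", "entities": {"device:WS-99"}},
]


def correlate(alerts):
    """Group alerts that share at least one entity (transitively) into incidents.

    Uses union-find keyed on alert id: every entity remembers the first alert
    it appeared in, and later alerts touching that entity are merged with it.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # entity -> id of the first alert that touched it
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_seen:
                union(a["id"], first_seen[ent])
            else:
                first_seen[ent] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return list(groups.values())


def score(incident):
    """Transparent score plus the reasons behind it.

    Weights are an illustrative assumption: highest alert severity dominates,
    breadth across source products counts next, then the number of entities.
    """
    sources = {a["source"] for a in incident}
    entities = set().union(*(a["entities"] for a in incident))
    max_sev = max(SEVERITY[a["severity"]] for a in incident)
    reasons = [
        f"highest alert severity {max_sev}/3",
        f"{len(sources)} source(s): {', '.join(sorted(sources))}",
        f"{len(entities)} distinct entities",
    ]
    return max_sev * 10 + len(sources) * 5 + len(entities), reasons


def prioritize(alerts):
    """Return the incident worklist, highest score first, each with its reasons."""
    ranked = []
    for inc in correlate(alerts):
        s, reasons = score(inc)
        ranked.append({"alerts": sorted(a["id"] for a in inc), "score": s, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["alerts"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(ALERTS):
        print(row["score"], row["alerts"], "; ".join(row["reasons"]))
```

Run stand-alone, the four medium/high alerts that all touch `user:alice` collapse into one incident that outranks the lone high-severity malware alert on `WS-99`, because it spans four source products and four entities. That is the point the article makes: no single alert in that chain looks worse than the malware hit, but the correlated story does, and the `reasons` list tells the analyst why the queue ordered it that way.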

Official source: Microsoft Tech