Open Defender Incidents: Active Threat Investigation & Response Risk

Why this risk matters

Microsoft Defender XDR (formerly Microsoft 365 Defender) creates incidents when it correlates signals across identities, email, devices, and cloud applications that together suggest a potential threat. An open incident is not a configuration finding or a hygiene warning: it is Defender indicating that something active may be happening and warrants investigation.

Overe surfaces open Defender incidents to ensure they are visible to the right people and are not sitting unreviewed in a portal that not everyone has access to or regularly checks. Incidents left unreviewed age, lose context, and allow attackers more time to move, establish persistence, or escalate access.

Not every Defender incident represents a confirmed breach. Many are informational, low-severity, or triggered by expected administrative activity. But the ones that represent real threats are easy to miss in a long queue of alerts — and the cost of missing one is high.

What happens if this is abused

  • Active attacker presence in the tenant goes undetected because incidents are not reviewed promptly
  • A compromised user account identified by Defender continues operating while the incident ages without triage
  • Lateral movement or privilege escalation occurs while the triggering incident waits in a queue
  • A phishing campaign or malware delivery identified by Defender is not actioned before additional users are affected
  • Incident correlation that would have linked multiple lower-severity alerts into a clear breach pattern is overlooked
  • Remediation delayed long enough that the attacker establishes persistence, making clean-up significantly harder

When this is expected or acceptable

Not all open incidents require urgent action. Defender severity levels — Informational, Low, Medium, High — provide a guide, but context matters more than the label.

An incident flagged as Medium may represent a critical risk for one organisation and a false positive for another, depending on the user involved, the behaviour pattern, and the environment. Informational incidents often represent expected admin activity or security tooling behaviour.

What is never acceptable is leaving incidents unreviewed for extended periods regardless of severity. Even false positives should be confirmed and closed, not ignored.

Checks to perform before taking action

Before responding to a Defender incident:

  • Review the incident title, severity, and the specific alerts that were grouped into it
  • Identify which users, devices, mailboxes, or applications are involved
  • Check the incident timeline — when did the first alert fire, and how long has it been open?
  • Review whether the activity described matches any known administrative or operational work
  • Check whether any of the affected users have related Overe risk signals — dormant accounts, risky MFA, forwarding rules
  • Confirm whether any related incidents exist that might indicate a broader pattern
  • Check whether Defender has already recommended automated remediation actions and whether they have been applied

Safe remediation steps

  1. Use Overe to review open incidents sorted by severity and age — prioritise High and Medium incidents that have been open the longest
  2. For each incident, review the alert timeline and determine whether the activity is expected, a false positive, or a confirmed threat
  3. For confirmed threats, follow the incident's recommended response actions and engage the appropriate escalation path
  5. For false positives, close the incident and record the classification (false positive) and determination together with a short reason, so the outcome feeds back into alert tuning
  6. For incidents involving compromised identities, reset the password, revoke active sessions and refresh tokens, enforce MFA, and check for persistence mechanisms such as inbox forwarding rules, newly registered MFA methods, and consented applications
  6. Assign ownership to incidents that require investigation — unassigned incidents are more likely to go unactioned
  7. Review open incidents on a regular cadence rather than waiting for escalation
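The following is an added worked example, not Overe's code and not part of the Microsoft documentation. It applies the triage order from the steps above (open incidents only, severity first, then oldest first, unowned incidents flagged) to a small constructed set of incident records shaped like the Microsoft Graph security API response for GET /security/incidents. The per-severity triage SLA hours, the escalation rule, and the sample incident values are assumptions for illustration, not Microsoft or Overe defaults.

```python
"""Triage queue for open Microsoft Defender XDR incidents.

Added example, not Overe's code. Input records follow the shape of the
Microsoft Graph security API response for GET /security/incidents
(fields id, displayName, severity, status, assignedTo, createdDateTime).
Reading that endpoint requires the SecurityIncident.Read.All permission.
"""
from datetime import datetime, timezone

GRAPH_INCIDENTS = "https://graph.microsoft.com/v1.0/security/incidents"

# Graph severity values, ranked so High sorts first.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}

# Graph status values that mean the incident is still open.
OPEN_STATUSES = {"active", "inProgress"}

# Assumed triage SLA in hours per severity. Illustrative policy only,
# not a Microsoft or Overe default; tune it to your own escalation path.
TRIAGE_SLA_HOURS = {"high": 4, "medium": 24, "low": 72, "informational": 168, "unknown": 168}


def open_incidents_url(top=50):
    """OData query that asks Graph for open incidents only (server-side status filter)."""
    return f"{GRAPH_INCIDENTS}?$filter=status eq 'active' or status eq 'inProgress'&$top={top}"


def parse_ts(value):
    """Parse a Graph ISO-8601 UTC timestamp such as 2024-06-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_queue(incidents, now):
    """Return open incidents ordered by severity (High first) then age (oldest first),
    annotated with age in hours, SLA breach and whether anyone owns them."""
    queue = []
    for inc in incidents:
        if inc.get("status") not in OPEN_STATUSES:
            continue  # resolved/redirected incidents are not part of the review queue
        severity = (inc.get("severity") or "unknown").lower()
        age_hours = (now - parse_ts(inc["createdDateTime"])).total_seconds() / 3600
        queue.append({
            "id": inc["id"],
            "title": inc.get("displayName", ""),
            "severity": severity,
            "age_hours": round(age_hours, 1),
            "unassigned": not inc.get("assignedTo"),
            "sla_breached": age_hours > TRIAGE_SLA_HOURS.get(severity, 168),
        })
    queue.sort(key=lambda q: (-SEVERITY_RANK.get(q["severity"], 0), -q["age_hours"]))
    return queue


def escalations(queue):
    """IDs needing immediate attention: past the assumed SLA, or Medium/High with no owner
    (assumed rule, reflecting the point that unassigned incidents tend to go unactioned)."""
    return [q["id"] for q in queue
            if q["sla_breached"] or (q["unassigned"] and SEVERITY_RANK[q["severity"]] >= 2)]


# Constructed sample data, not real tenant output. NOW is fixed so the results are stable.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "displayName": "Multi-stage incident involving Initial access",
     "severity": "high", "status": "active", "assignedTo": None,
     "createdDateTime": "2024-05-30T12:00:00Z"},
    {"id": "inc-2", "displayName": "Suspicious inbox forwarding rule",
     "severity": "medium", "status": "inProgress", "assignedTo": "analyst@contoso.com",
     "createdDateTime": "2024-06-01T09:00:00Z"},
    {"id": "inc-3", "displayName": "Malware detected on device",
     "severity": "high", "status": "resolved", "assignedTo": "analyst@contoso.com",
     "createdDateTime": "2024-05-28T08:00:00Z"},
    {"id": "inc-4", "displayName": "Admin activity from new location",
     "severity": "informational", "status": "active", "assignedTo": None,
     "createdDateTime": "2024-05-22T12:00:00Z"},
    {"id": "inc-5", "displayName": "Anomalous token usage",
     "severity": "high", "status": "active", "assignedTo": "soc-lead@contoso.com",
     "createdDateTime": "2024-06-01T11:00:00Z"},
]

if __name__ == "__main__":
    queue = triage_queue(SAMPLE_INCIDENTS, NOW)
    urgent = set(escalations(queue))
    for item in queue:
        flag = "ESCALATE" if item["id"] in urgent else ""
        print(f"{item['severity']:<13} {item['age_hours']:>6}h  {item['id']}  {item['title']}  {flag}")
```

Run stand-alone, the script lists the four open incidents (the resolved one is dropped) with the oldest High incident first and the two that need escalation marked: the unowned High incident that has been open for two days, and the Informational one that has sat in the queue for ten days. The resolved incident is excluded up front so closed items never dilute the review queue.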

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Supporting documentation

Microsoft: Investigate incidents in Microsoft Defender XDR - https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents

Microsoft: Respond to your first incident - https://learn.microsoft.com/en-us/defender-xdr/first-incident-overview

Microsoft: Incidents overview in Microsoft Defender XDR - https://learn.microsoft.com/en-us/defender-xdr/incidents-overview

Related risks and follow-on checks

  • Risky inbox forwarding rules
  • Users with risky MFA settings
  • Admins with risky MFA settings
  • Dormant users
  • Apps with risky permissions