Open Defender Incidents: Active Threat Investigation & Response Risk

Why this risk matters

Microsoft Defender for Microsoft 365 creates incidents when it detects correlated signals across identities, email, devices, and cloud applications that together suggest a potential threat. An open incident is not a configuration finding or a hygiene warning — it is Defender indicating that something active may be happening that warrants investigation.

Overe surfaces open Defender incidents to ensure they are visible to the right people and are not sitting unreviewed in a portal that not everyone has access to or regularly checks. Incidents left unreviewed age, lose context, and allow attackers more time to move, establish persistence, or escalate access.

Not every Defender incident represents a confirmed breach. Many are informational, low-severity, or triggered by expected administrative activity. But the ones that represent real threats are easy to miss in a long queue of alerts — and the cost of missing one is high.

What happens if this is abused

  • Active attacker presence in the tenant goes undetected because incidents are not reviewed promptly and the activity continues to escalate uninterrupted
  • A compromised user account identified by Defender continues operating — reading email, accessing SharePoint, and establishing persistence — while the incident ages without triage
  • Lateral movement or privilege escalation occurs while the triggering incident waits in an unassigned queue with no owner to action it
  • A phishing campaign or malware delivery identified by Defender is not actioned before additional users are affected by the same or linked attacks
  • Incident correlation that would have linked multiple lower-severity alerts into a clear breach pattern is overlooked because incidents are not regularly triaged
  • Remediation delayed long enough that the attacker establishes persistence mechanisms — OAuth app consents, inbox rules, new admin accounts — that survive the eventual credential reset
  • Defender-recommended automated remediation actions (block actor, isolate device, reset password) sit unapplied because the incident was never assigned to an owner
  • False positive incidents that are never closed accumulate over time, reducing visibility into the real incident queue and delaying detection of genuine active threats

When this is expected or acceptable

Not all open incidents require urgent action. Defender severity levels — Informational, Low, Medium, High — provide a guide, but context matters more than the label.

An incident flagged as Medium may represent a critical risk for one organisation and a false positive for another, depending on the user involved, the behaviour pattern, and the environment. Informational incidents often represent expected admin activity or security tooling behaviour.

What is never acceptable is leaving incidents unreviewed for extended periods regardless of severity. Even false positives should be confirmed and closed, not ignored.

Checks to perform before taking action

Before responding to a Defender incident:

  • Review the incident title, severity, and the specific alerts that were grouped into it
  • Identify which users, devices, mailboxes, or applications are involved
  • Check the incident timeline — when did the first alert fire, and how long has it been open?
  • Review whether the activity described matches any known administrative or operational work
  • Check whether any of the affected users have related Overe risk signals — dormant accounts, risky MFA, forwarding rules
  • Confirm whether any related incidents exist that might indicate a broader pattern
  • Check whether Defender has already recommended automated remediation actions and whether they have been applied

Safe remediation steps

  1. Use Overe to review open incidents sorted by severity and age — prioritise High and Medium incidents that have been open the longest
  2. For each incident, review the alert timeline and determine whether the activity is expected, a false positive, or a confirmed threat
  3. For confirmed threats, follow the incident's recommended response actions and engage the appropriate escalation path
  4. For false positives, close the incident with a documented reason to improve future alert quality
  5. For incidents involving compromised identities, enforce MFA, rotate credentials, revoke sessions, and check for persistence mechanisms
  6. Assign ownership to incidents that require investigation — unassigned incidents are more likely to go unactioned
  7. Review open incidents on a regular cadence rather than waiting for escalation

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Windows Defender — Ensures Windows devices are actively protected against malware and endpoint threats with up-to-date defenses.
  • Windows Defender Antivirus Configuration — Keeps Windows devices continuously protected against malware, ransomware, and network-based threats with automatic threat removal.
  • MacOS Defender Antivirus Configuration — Keeps Mac devices continuously protected against malware with enforced real-time scanning and tamper-proof settings.
  • MacOS Defender for Endpoint Configuration — Grants Defender for Endpoint the system permissions it needs to fully protect Mac devices.

Supporting documentation

Microsoft: Investigate incidents in Microsoft Defender XDR - https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents

Microsoft: Respond to your first incident - https://learn.microsoft.com/en-us/defender-xdr/first-incident-overview

Microsoft: Incidents overview in Microsoft Defender XDR - https://learn.microsoft.com/en-us/defender-xdr/incidents-overview

Related risks and follow-on checks

After investigating open Defender incidents, review these related risk areas:

  • Risky Inbox Forwarding Rules — open incidents involving account compromise often surface alongside inbox forwarding; check for forwarding rules created by or for any users involved in the incident
  • Users with Risky MFA Settings — an incident affecting a user with weak MFA suggests the incident may have been facilitated by MFA bypass; address the authentication weakness alongside the incident response
  • Admins with Risky MFA Settings — high-severity incidents involving admin accounts require immediate prioritisation; MFA hardening should be part of the response alongside credential rotation
  • Dormant Users — if the user involved in an incident has been inactive for an extended period, the activity may indicate account reactivation by an attacker rather than a returning legitimate user
  • Apps with Risky Permissions — some Defender incidents involve OAuth application abuse or malicious consent grants; check for related app risk signals on the same user or across the tenant
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.