Use tasks in the Microsoft Defender portal to investigate and resolve incidents collaboratively across your operations teams. Breaking incidents into actionable tasks boosts operational efficiency and reinforces accountability throughout the process.
This article explains how tasks work and how to use tasks to manage incidents in the Microsoft Defender portal.
How tasks work
Break down investigations into clear, actionable steps and assign them across your team.
Using tasks is particularly useful for:
- Onboarding junior analysts
- Working with managed security service providers (MSSPs)
- Tracking work in compliance-oriented organizations
The task panel presents tasks alongside Security Copilot summaries, guided responses, and reports to provide a comprehensive view of progress and remaining actions required to close the incident.
Categorize, prioritize, assign, and track each task to ensure consistency, collaboration, and accountability. When you close a task, add Closing notes to document the outcome. These notes support thorough postmortems and help teams learn from each investigation.
Permissions required
| Action | Permissions required |
|---|---|
| View tasks | Read-only permissions or Security data basics (read) under the Security operations permissions group in the Defender portal. |
| Create tasks | All read and manage permissions or Response (manage) under the Security operations permissions group in the Defender portal. |
For more information about unified RBAC in the Defender portal, see Microsoft Defender XDR Unified role-based access control (RBAC).
View and manage tasks
To view and manage tasks:
1. From the Defender portal menu, select Incidents & alerts > Incidents to open the Incident queue.
2. Select an incident from the queue.
3. Select Tasks to open the Tasks side panel, which lists all of the tasks and Security Copilot insights associated with the incident.
4. To create a new task, select Add task.
5. Fill in the task details and select Save.
6. To update a task's status, select a status from the Status dropdown on the task preview card.
7. To edit or delete a task, select the ellipsis (...) > Edit or Delete.
Automate and synchronize tasks created in Microsoft Sentinel using the Azure portal
When you onboard Microsoft Sentinel to the Defender portal, the Defender portal automatically synchronizes tasks you create in Sentinel using the Azure portal.
The Defender portal doesn't yet support automatic task creation, but you can continue to use task automation rules, Logic App playbooks, or the Incident Tasks REST API in Azure to create tasks, which are synchronized to the Defender portal.