Microsoft defender INC triggering late

Murali, Akshyalakshmi (ITN) 5 Reputation points
2025-06-17T11:34:57.1866667+00:00

Hello Community, while analyzing the Defender incidents, we observed that the timestamp present in the alert is 2 days earlier than the incident trigger time. Is this how Defender works? For instance, there is an incident related to "Multi-stage incident involving Execution & Persistence on one endpoint"; in the alert field we could observe that PowerShell was executed on May 28 and May 29, but the incident got triggered on June 07. Is this how Defender correlates alerts, or is there any misconfiguration?

Thanks in advance for your answers .

Microsoft Security | Microsoft Defender | Microsoft Defender for Identity

1 answer

  1. Catherine Kyalo 2,695 Reputation points Microsoft Employee
    2025-11-25T07:50:49.4233333+00:00

    Hi Murali, Akshyalakshmi (ITN),

    When an alert is generated (e.g., PowerShell execution on May 28), it is timestamped with the actual event time. However:

    • Defender may delay incident creation until enough related alerts are collected to confirm a broader attack pattern.
    • Correlation can occur later when new alerts or signals link back to older alerts.
    • This explains why an incident might be created later on.

    For additional information on how this works, refer to https://v4.hkg1.meaqua.org/en-us/defender-xdr/alerts-incidents-correlation

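An added example (not code from the question, the answer, or Microsoft) of how an analyst can reconcile the two timestamps the answer distinguishes: it assumes incident JSON in the shape the Microsoft Graph security API returns (createdDateTime on the incident; firstActivityDateTime, lastActivityDateTime and createdDateTime on each alert) and uses a constructed sample that mirrors the dates in the question.

```python
"""Reconcile alert event times with incident creation time (Defender XDR).

Assumed input shape: a Microsoft Graph security incident with its alerts
expanded. The sample below is constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Constructed sample: PowerShell alerts from May 28/29 were only correlated
# into an incident on June 7, once a persistence alert linked the chain.
SAMPLE_INCIDENT = {
    "displayName": "Multi-stage incident involving Execution & Persistence on one endpoint",
    "createdDateTime": "2025-06-07T09:12:00Z",
    "alerts": [
        {"title": "Suspicious PowerShell command line",
         "firstActivityDateTime": "2025-05-28T14:03:11Z",
         "lastActivityDateTime": "2025-05-28T14:03:40Z",
         "createdDateTime": "2025-05-28T14:10:02Z"},
        {"title": "Suspicious PowerShell command line",
         "firstActivityDateTime": "2025-05-29T08:47:55Z",
         "lastActivityDateTime": "2025-05-29T08:48:10Z",
         "createdDateTime": "2025-05-29T08:55:31Z"},
        {"title": "Persistence via scheduled task",  # alert that completed the correlation
         "firstActivityDateTime": "2025-06-07T09:01:20Z",
         "lastActivityDateTime": "2025-06-07T09:01:20Z",
         "createdDateTime": "2025-06-07T09:11:45Z"},
    ],
}

def parse_ts(value):
    # Graph returns ISO 8601 UTC with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def incident_timeline(incident):
    """Triage timestamps plus the gap (days) between first activity and incident creation."""
    alerts = sorted(incident["alerts"], key=lambda a: parse_ts(a["firstActivityDateTime"]))
    first_activity = parse_ts(alerts[0]["firstActivityDateTime"])
    last_activity = max(parse_ts(a["lastActivityDateTime"]) for a in alerts)
    created = parse_ts(incident["createdDateTime"])
    # The alert created last, but not after the incident, is the one whose
    # arrival most plausibly triggered incident creation.
    trigger = max((a for a in alerts if parse_ts(a["createdDateTime"]) <= created),
                  key=lambda a: parse_ts(a["createdDateTime"]))
    return {"first_activity": first_activity, "last_activity": last_activity,
            "incident_created": created, "trigger_alert": trigger["title"],
            "delay_days": (created - first_activity).total_seconds() / 86400}

def needs_backdated_review(incident, max_delay=timedelta(days=1)):
    """True when alert activity predates incident creation by more than max_delay,
    so the investigation window must start at first_activity, not at creation."""
    t = incident_timeline(incident)
    return t["incident_created"] - t["first_activity"] > max_delay
```

Scoping the hunt window from `first_activity` rather than the incident's creation time is what keeps the May 28 activity inside the investigation.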
