![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 87%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,065 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
@Koonnamchok Klongkaew I understand that you are looking for explanations of the case closure reasons in Sentinel. I'm not sure if you are looking for criteria for choosing one of the categories or explanations of the category types, so I will try to provide both. Some of these descriptions are covered in the Sentinel documentation and the security alert documentation.
True positive - suspicious activity - If you performed an investigation of a security issue and determined that the root cause was an actual threat, you can choose this category once you have remediated the issue.
Benign positive - suspicious but expected - An action detected by Defender for Identity that is real, but not malicious, such as a penetration test or known activity generated by an approved application. A good example of this would be when someone elevates access to deploy a legitimate change. In most scenarios you would want to be notified about the elevated access, but in legitimate cases, this elevation would trigger a benign positive.
False positive - incorrect alert logic - You can select this classification if you believe that the Analytics Rule logic that triggered the alert was configured incorrectly. This can be caused by your own misconfigured rules or by a misconfiguration in a template you were using.
Undetermined - You should choose this category only if you are truly unable to determine what caused the incident, or if you think you might get a similar incident later but do not have enough info in the current one. This category should only be chosen in rare circumstances since ideally you should investigate the incidents and determine the root cause.
There is also a great blog post by the Microsoft Consulting Services Organization that describes each of these options in detail.
Let me know if this helps and if you have futher questions.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.