Tutorial: Triage, investigate, and respond to security alerts

Microsoft Defender for Cloud continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you about potentially malicious activities in your cloud resources. You can also integrate alerts from other security products and services into Defender for Cloud. Once an alert is raised, swift action is needed to investigate and remediate the potential security issue.

In this tutorial, you will learn how to:

If you don't have an Azure subscription, create a free account before you begin.


Triage security alerts

Defender for Cloud provides a unified view of all security alerts. Security alerts are ranked based on the severity of the detected activity.

Triage your alerts from the Security alerts page:

Microsoft Defender for Cloud's security alerts list

Use this page to review the active security alerts in your environment to decide which alert to investigate first.

When triaging security alerts, prioritize alerts based on the alert severity by addressing alerts with higher severity first. Learn more about alerts severity in How are alerts classified?.


You can connect Microsoft Defender for Cloud to most popular SIEM solutions including Microsoft Sentinel and consume the alerts from your tool of choice. Learn more in Stream alerts to a SIEM, SOAR, or IT Service Management solution.

Investigate a security alert

Once you have selected an alert, you will then be able to investigate it.

To investigate a security alert:

  1. Select the desired alert.

  2. From the alert overview page, select the resource to investigate first.

  3. Begin your investigation from the left pane, which shows the high-level information about the security alert.

    Screenshot of the left pane of the alert details page highlighting the high-level information.

    This pane shows:

    • Alert severity, status, and activity time
    • Description that explains the precise activity that was detected
    • Affected resources
    • Kill chain intent of the activity on the MITRE ATT&CK matrix
  4. For more detailed information that can help you investigate the suspicious activity, examine the Alert details tab.

  5. When you've reviewed the information on this page, you may have enough to proceed with a response. If you need further details:

    • Contact the resource owner to verify whether the detected activity is a false positive.
    • Investigate the raw logs generated by the attacked resource

Respond to a security alert

After you've investigated a security alert and understood its scope, you can respond to the alert from within Microsoft Defender for Cloud:

  1. Open the Take action tab to see the recommended responses.

    Security alerts take action tab.

  2. Review the Mitigate the threat section for the manual investigation steps necessary to mitigate the issue.

  3. To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the Prevent future attacks section.

  4. To trigger a logic app with automated response steps, use the Trigger automated response section.

  5. If the detected activity isn’t malicious, you can suppress future alerts of this kind using the Suppress similar alerts section.

  6. When you've completed the investigation into the alert and responded in the appropriate way, change the status to Dismissed.

    Setting an alert's status

    This removes the alert from the main alerts list. You can use the filter from the alerts list page to view all alerts with Dismissed status.

  7. We encourage you to provide feedback about the alert to Microsoft:

    1. Marking the alert as Useful or Not useful.

    2. Select a reason and add a comment.

      Provide feedback to Microsoft on the usefulness of an alert.


    We review your feedback to improve our algorithms and provide better security alerts.

Clean up resources

There's no need to clean up any resources for this tutorial.

Next steps

In this tutorial, you learned about Defender for Cloud features to be used when responding to a security alert. For related material see: