Alert classification playbooks
Applies to:
- Microsoft Defender XDR
Alert classification playbooks allow you to methodically review and quickly classify the alerts for well-known attacks and take recommended actions to remediate the attack and protect your network. Alert classification will also help in properly classifying the overall incident.
As a security researcher or security operations center (SOC) analyst, you must have access to the Microsoft Defender portal so that you can:
- Assess and review the generated alerts and associated incidents. See investigate alerts.
- Search your tenant's security signal data and check for potential threats and suspicious activities. See advanced hunting.
Note
You can provide feedback to Microsoft about true positive and false positives alerts, not only at the end of the investigation, but also during the investigation process. This can help Microsoft with future analysis and classification of security events.
Microsoft Defender for Office 365
Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:
Threat protection policies
Define threat-protection policies to set the appropriate level of protection for your organization.
Reports
View real-time reports to monitor Defender for Office 365 performance in your organization.
Threat investigation and response capabilities
Use leading-edge tools to investigate, understand, simulate, and prevent threats.
Automated investigation and response capabilities
Save time and effort investigating and mitigating threats.
Defender for Office 365 alerts can be classified as:
- True positive (TP) for confirmed malicious activity.
- False positive (FP) for confirmed non-malicious activity.
Note
Microsoft Defender portal https://security.microsoft.com brings together functionality from existing Microsoft security portals. The Microsoft Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use.
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.
Defender for Cloud Apps natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.
The Defender for Cloud Apps framework includes the capability to protect your network against cyberthreats and anomalies, detects unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications. It enables the analysis of high-risk usage and can remediate automatically to limit the risk to your organization.
Defender for Cloud Apps alerts can be classified as:
- TP for confirmed malicious activity.
- Benign true positive (B-TP) for suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
- FP for confirmed non-malicious activity.
Alert classification playbooks
See these playbooks for steps to more quickly classify alerts for the following threats:
- Suspicious email forwarding activity
- Suspicious inbox manipulation rules
- Suspicious inbox forwarding rules
- Suspicious IP addresses related to password spray activity
- Password spray attacks
See Investigate alerts for information on how to examine alerts with the Microsoft Defender portal.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.