Alert classification playbooks


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

Alert classification playbooks allow you to methodically review and quickly classify the alerts for well-known attacks and take recommended actions to remediate the attack and protect your network. Alert classification will also help in properly classifying the overall incident.

As a security researcher or security operations center (SOC) analyst, you must have access to the Microsoft Defender portal so that you can:

  • Assess and review the generated alerts and associated incidents. See investigate alerts.
  • Search your tenant's security signal data and check for potential threats and suspicious activities. See advanced hunting.


You can provide feedback to Microsoft about true positive and false positives alerts, not only at the end of the investigation, but also during the investigation process. This can help Microsoft with future analysis and classification of security events.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Defender for Office 365 includes:

  • Threat protection policies

    Define threat-protection policies to set the appropriate level of protection for your organization.

  • Reports

    View real-time reports to monitor Defender for Office 365 performance in your organization.

  • Threat investigation and response capabilities

    Use leading-edge tools to investigate, understand, simulate, and prevent threats.

  • Automated investigation and response capabilities

    Save time and effort investigating and mitigating threats.

Defender for Office 365 alerts can be classified as:

  • True positive (TP) for confirmed malicious activity.
  • False positive (FP) for confirmed non-malicious activity.


Microsoft Defender portal brings together functionality from existing Microsoft security portals. The Microsoft Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

Defender for Cloud Apps natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.

The Defender for Cloud Apps framework includes the capability to protect your network against cyberthreats and anomalies, detects unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications. It enables the analysis of high-risk usage and can remediate automatically to limit the risk to your organization.

Defender for Cloud Apps alerts can be classified as:

  • TP for confirmed malicious activity.
  • Benign true positive (B-TP) for suspicious but not malicious activity, such as a penetration test or other authorized suspicious action.
  • FP for confirmed non-malicious activity.

Alert classification playbooks

See these playbooks for steps to more quickly classify alerts for the following threats:

See Investigate alerts for information on how to examine alerts with the Microsoft Defender portal.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.