
Microsoft Security Operations Analyst Associate (SC-200) Certification Guide
Ebook, 1,319 pages, 7 hours

About this ebook

Detect, Investigate, and Respond to Threats with Microsoft tools

Key Features

● In-depth coverage of Microsoft SC 200 Certification to secure identities, endpoints, and cloud workloads across hybrid environments.

● Hands-on guidance with KQL, threat hunting, and automation to simulate re

Language: English
Publisher: Orange Education Pvt Ltd
Release date: Jun 12, 2025
ISBN: 9789349888814

    Book preview

    Microsoft Security Operations Analyst Associate (SC-200) Certification Guide - Aditya Katira

    CHAPTER 1

    Microsoft Defender: Identity, Endpoint, Cloud and More

    Introduction

    Microsoft Defender Extended Detection and Response (XDR) offers a comprehensive solution for detecting, investigating, and responding to security threats across endpoints, identities, emails, and cloud applications. Designed to empower Security Operations Centers (SOCs), Defender XDR integrates signals from multiple sources into a unified platform, enabling faster threat detection and remediation. This chapter explores how to effectively leverage Defender XDR’s capabilities, providing essential skills to enhance your organization’s security posture through advanced incident management, automation, and threat response.

    Structure

    In this chapter, we will discuss the following topics:

    Exploring Threat Protection with Microsoft Defender XDR

    Strategies for Incident Management and Response Using Microsoft 365 Defender

    Guarding Identities with Microsoft Entra Identity Protection

    Risk Remediation Techniques in Microsoft Defender for Office 365

    Defending Your Environment with Microsoft Defender for Identity

    Enhancing Cloud App Security with Microsoft Defender for Cloud Apps

    Exploring Threat Protection with Microsoft Defender XDR

    Microsoft Defender for Endpoint (MDE) plays a critical role in detecting malicious activity across devices. Consider a scenario where a victim receives a malicious payload through an unprotected personal email or a USB drive. When the victim opens the infected attachment, the malware spreads unnoticed by the user. However, MDE identifies this threat, generates an alert, and notifies security operations.

    At the same time, Microsoft Intune, connected through MDE, detects the increased risk level on the endpoint. This triggers an Intune Compliance Policy, which marks the device as non-compliant, automatically restricting access to corporate resources through Microsoft Entra ID’s Conditional Access policies. The user’s access to sensitive enterprise applications is blocked while the threat is still active, preventing the attacker from exploiting corporate systems.

    Figure 1.1: Detection of Threat

    Remediation

    Microsoft Defender for Endpoint offers various remediation strategies:

    Automated Remediation: Microsoft’s automation capabilities remediate the threat without human intervention.

    Manual Investigation: A security analyst can review and manually approve remediation actions based on the detailed threat information provided by MDE.

    This remediation process not only contains the threat locally but contributes to a broader network defense. Threat data is shared across Microsoft’s Threat Intelligence system, benefiting other organizations by providing intelligence to detect and block similar attacks across multiple environments.

    Figure 1.2: Suspend Access

    Share Intelligence and Restore Access

    Once the threat is neutralized, MDE signals to Intune that the device is safe again, updating the risk level. Microsoft Entra ID responds by restoring the user’s access to corporate resources through Conditional Access.

    Furthermore, the threat intelligence gathered is shared with other tools such as Microsoft Defender for Office 365 (MDO) and Microsoft Defender for Cloud. This intelligence helps detect and remediate similar threats across email, collaboration platforms, and cloud services, reinforcing protection across the organization’s entire attack surface.

    Access Restrictions During an Attack: While the device is compromised, access to corporate resources is blocked through Conditional Access, which monitors device risk levels based on MDE notifications. During this period, users can still perform non-sensitive tasks such as browsing the internet, but they cannot access any corporate resources requiring authentication.

    Access Restoration: Once MDE remediates the threat, it updates Intune, which in turn updates Microsoft Entra ID. This triggers the Conditional Access policy to restore the user’s access to corporate systems. The process ensures attackers cannot exploit compromised devices while minimizing business disruption by restoring access as soon as the threat is resolved.

    Microsoft Defender XDR in a Security Operations Center (SOC)

    In this section, we will discover how Microsoft Defender XDR enhances threat detection and response in a Security Operations Center (SOC).

    Figure 1.3: Modern SOC

    Security Operations Model: Functions and Tools

    Security operations within an organization consist of several distinct but closely connected functions. These include Triage, Automation, Investigation, Incident Management, and Threat Hunting. Each function has a defined focus, but all teams must work collaboratively to ensure efficient threat detection and response.

    Figure 1.4: Security Operations Model

    Triage and Automation

    The Triage and Automation teams are responsible for handling high volumes of well-known incidents using automation and rapid human intervention. Automation helps speed up responses by pre-processing alerts and incidents that do not require human review.

    Key aspects include:

    High-Quality Alerts: A 90% true positive rate is recommended to minimize the time wasted on false positives.

    Alert Ratios: In practice, XDR systems such as Microsoft Defender generate the highest quality alerts, while others, such as user-reported issues or log-based alerts, provide supplementary information.

    Automation: Automation reduces the manual burden on analysts, with built-in workflows suggesting remediation actions for rapid approval.

    Tool Integration: A unified console for endpoints, email, identity, and cloud applications enables quick detection and response across multiple threat vectors.

    By maintaining a narrow focus on user productivity and well-known scenarios, the Triage and Automation teams can resolve incidents faster and more accurately.

    Investigation and Incident Management

    The Investigation team escalates and manages incidents that require deeper analysis. This team handles sophisticated attacks that involve complex threat behaviors, such as multi-stage or business-critical incidents.

    Key responsibilities include:

    Escalation: Incidents that cannot be fully resolved by the Triage team are escalated for further investigation and remediation.

    Proactive Review: The team periodically reviews the Triage queue to ensure no critical incidents are missed.

    Broad Contextual Analysis: Using tools such as Microsoft Sentinel, the team investigates incidents with a broader context that also covers threats originating in cloud environments such as Azure.

    The Incident Management team oversees the coordination of non-technical aspects of incident response, such as communication with legal, leadership, and other business stakeholders.

    Hunting and Advanced Threat Detection

    The Hunt team focuses on identifying advanced threats that evade reactive detection. This proactive team leverages Microsoft Defender XDR and other tools to hunt for undetected attacks, providing escalations and advanced forensics.

    Hypothesis-Driven Approach: Hunting teams develop hypotheses based on potential threat scenarios and actively search for signs of compromise that have not yet triggered alerts.

    Improving Detections: By reviewing closed cases, the Hunt team refines detection methods and automation to better identify emerging threats in the future.

    How It All Comes Together

    The following is a common incident lifecycle within an XDR environment:

    Triage: An analyst claims an alert (for example, malware) and initiates an investigation using the XDR console.

    Escalation: If the malware requires advanced remediation, such as device isolation, the incident is escalated to the Investigation team.

    Investigation: The Investigation team digs deeper into the incident, performing any necessary remediation.

    Hunting: The Hunt team reviews past incidents to identify patterns, refine detections, and improve processes for future threats.

    Threat Intelligence

    The Threat Intelligence team plays a pivotal role in supporting all SOC functions. They provide technical research for active incidents, proactive intelligence on attacker trends, and strategic insights that inform business decisions and security processes.

    Exploring Microsoft Security Graph

    Microsoft Graph is a unified API that provides access to a broad range of data and services across Microsoft 365, Windows, and Enterprise Mobility + Security. Using the Microsoft Graph API, developers can create custom applications for security, compliance, identity, and other operational needs by accessing data from these services.

    The API uses the endpoint https://graph.microsoft.com, which can be accessed via REST APIs or SDKs. Through this single interface, you can interact with various Microsoft services, making it easier to build integrated solutions that automate and streamline tasks within an organization.

    Figure 1.5: Microsoft Graph Security API

    Understanding Microsoft Graph

    Microsoft Graph exposes a wide variety of services across different Microsoft platforms. These include:

    Microsoft 365 Core Services: Access to services such as Bookings, Calendar, Delve, Excel, OneDrive, Outlook/Exchange, SharePoint, Teams, Viva Insights, and more.

    Enterprise Mobility + Security: This includes key security tools such as Advanced Threat Analytics, Microsoft Defender services, Microsoft Entra ID (formerly Azure Active Directory), and Intune for device management.

    Windows Services: Covers activities, devices, notifications, and Universal Print.

    Dynamics 365: Includes Business Central services.

    Microsoft Graph Security API

    The Microsoft Graph Security API serves as a centralized point for integrating security services and data from multiple Microsoft security providers. It acts as a broker, federating requests to these security providers and aggregating the results into a consistent format. This simplifies the development of solutions that access security alerts and threat intelligence across services.

    Key Features of Microsoft Graph Security API:

    Security Alert Integration: Pull in security alerts from multiple Microsoft services (for example, Microsoft Defender, Microsoft Sentinel).

    Stream Alerts to SIEM: Seamlessly connect and stream security alerts into SIEM systems for centralized monitoring.

    Automate Threat Management: Automatically send threat indicators to enable security actions such as alerting, blocking, or allowing based on the threat intelligence.

    Contextual Data: Unlock rich context for investigations by correlating security data across services.

    Security Automation: Streamline and automate Security Operations (SecOps) tasks, increasing operational efficiency.

    Using the Microsoft Graph Security API

    There are two versions of the Microsoft Graph Security API available:

    Microsoft Graph REST API v1.0: The stable and production-ready version.

    Microsoft Graph REST API Beta: The preview version for trying out new or upcoming features. As this is in beta, it may introduce breaking changes without notice.

    Both versions of the API support advanced threat hunting through the runHuntingQuery method, which uses Kusto Query Language (KQL) to run security investigations across Microsoft services.

    With the runHuntingQuery method, Security Operations Analysts can develop custom queries to search for threats, analyze logs, and investigate suspicious activities across the enterprise. This capability enhances threat detection and allows analysts to perform deep dives into security events and alerts, leading to faster response times and more effective incident management.
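    To make the runHuntingQuery call concrete, here is an added example (not from the book) that builds the Graph request, parses the schema/results reply and ranks the returned rows so High-severity categories surface first. The access token, the KQL query and the sample response are assumed or constructed, and the HTTP call goes through an injectable `post` function so the flow can be exercised offline.

```python
"""Call the Microsoft Graph Security API runHuntingQuery method and triage the result.

Added example, not from the book. Assumes an access token obtained elsewhere
(the ThreatHunting.Read.All permission is needed); SAMPLE_RESPONSE is constructed.
"""
import json
import urllib.request

GRAPH_HUNTING_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# KQL that summarises the last 7 days of Defender XDR alerts by severity and category.
ALERT_SUMMARY_KQL = """
AlertInfo
| where Timestamp > ago(7d)
| summarize AlertCount = count() by Severity, Category
| order by AlertCount desc
"""

# Portal severity order used to rank rows (High first).
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def build_hunting_request(query: str, token: str):
    """Return (url, headers, body) for POST /security/runHuntingQuery."""
    body = json.dumps({"Query": query}).encode("utf-8")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    return GRAPH_HUNTING_URL, headers, body


def post_json(url: str, headers: dict, body: bytes) -> dict:
    """Send the request over HTTPS and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def rows_from_response(response: dict) -> list:
    """Turn the schema/results reply into dicts keyed by the schema's column names."""
    columns = [col["name"] for col in response.get("schema", [])]
    return [{name: row.get(name) for name in columns}
            for row in response.get("results", [])]


def rank_rows(rows: list) -> list:
    """Order rows: High severity first, then by alert count descending."""
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r["Severity"], 99),
                                       -r["AlertCount"]))


def run_hunting_query(query: str, token: str, post=post_json) -> list:
    """Execute a hunting query; `post` is injectable so the flow can be tested offline."""
    url, headers, body = build_hunting_request(query, token)
    return rank_rows(rows_from_response(post(url, headers, body)))


# Constructed reply in the shape the API returns: a schema block plus result rows.
SAMPLE_RESPONSE = {
    "schema": [
        {"name": "Severity", "type": "String"},
        {"name": "Category", "type": "String"},
        {"name": "AlertCount", "type": "Int64"},
    ],
    "results": [
        {"Severity": "Medium", "Category": "SuspiciousActivity", "AlertCount": 12},
        {"Severity": "High", "Category": "CredentialAccess", "AlertCount": 3},
        {"Severity": "Low", "Category": "UnwantedSoftware", "AlertCount": 20},
        {"Severity": "High", "Category": "Ransomware", "AlertCount": 1},
    ],
}


def fake_post(url, headers, body):
    """Offline stand-in for post_json: checks the request shape, returns the sample."""
    assert url == GRAPH_HUNTING_URL
    assert headers["Authorization"].startswith("Bearer ")
    assert json.loads(body)["Query"].lstrip().startswith("AlertInfo")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    # Replace fake_post with the default post_json and a real token to hit Graph.
    for row in run_hunting_query(ALERT_SUMMARY_KQL, "PLACEHOLDER_TOKEN", post=fake_post):
        print(f'{row["Severity"]:<14}{row["Category"]:<22}{row["AlertCount"]}')
```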

    Strategies for Incident Management and Response Using Microsoft Defender XDR

    As a Security Operations Analyst at an organization that has implemented Microsoft Defender XDR solutions, your primary workspace for managing security operations is the Microsoft Defender portal. This centralized hub (available at https://security.microsoft.com) provides a unified view of threats across your environment, consolidating alerts and incidents from Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and more. The portal allows you to quickly investigate incidents, understand the full scope of threats, and plan effective responses.

    Key Features of the Microsoft Defender Portal:

    The Microsoft Defender portal streamlines security operations by integrating multiple threat protection services into a single, user-friendly interface. Here is what it offers:

    Unified View of Incidents: The portal pulls together signals from various Microsoft Defender XDR solutions, allowing you to view related alerts as a single incident. This helps you understand how threats entered the environment, what resources they affect, and their overall impact on the organization. With a consolidated view, you can perform root cause analysis and create comprehensive remediation plans.

    Role-Based Access Control (RBAC): The portal adapts the information it presents based on the user’s role within the organization. As a security analyst, you will see data and reports that are most relevant to incident detection, investigation, and response, while administrators and other roles see information pertinent to their responsibilities.

    Customizable Home Page: The Home page provides an overview of critical metrics and alerts through customizable cards. These give you at-a-glance information on your organization’s security posture, allowing you to stay informed on the latest activities and incidents.

    Integration Across Defender Services: The portal brings together a variety of Microsoft Defender solutions, offering a single pane of glass for managing security operations across different domains. These include:

    Microsoft Defender for Office 365: Helps protect email and Office 365 resources through prevention, detection, and investigation tools.

    Microsoft Defender for Endpoint: Provides pre-breach prevention and post-breach detection, as well as automated investigation and remediation for endpoint devices.

    Microsoft Defender for Cloud Apps: Protects your cloud applications through visibility, data control, and threat protection across SaaS and PaaS environments.

    Microsoft Defender for Identity: Monitors on-premises Active Directory signals to detect and investigate compromised identities and insider threats.

    Microsoft Defender Vulnerability Management: Continuously monitors assets for vulnerabilities and misconfigurations, enabling IT and security teams to prioritize remediation.

    Simplified Investigation and Incident Management: With a unified view of related alerts and incidents, the portal facilitates detailed root cause investigations. Each incident contains relevant details from across the XDR suite, giving you a complete picture of the threat landscape, including the full attack chain and any impacted resources.

    Automation and Remediation: Microsoft Defender XDR automates many aspects of threat detection and response. For example, Microsoft Defender for Endpoint (MDE) can automatically remediate threats or prompt security analysts for approval before initiating remediation. These automated workflows reduce manual effort and allow you to focus on more complex security issues.

    More Resources in the Portal

    In addition to Microsoft Defender XDR, the More resources section of the portal provides quick access to related Microsoft security tools and portals, including:

    Microsoft Purview Compliance Portal: Manage compliance and governance needs.

    Microsoft Entra ID: Manage user identities and enforce policies such as multifactor authentication.

    Microsoft Defender for Cloud: Secure both Azure and non-Azure cloud workloads.

    Azure Information Protection: Classify and protect sensitive information using labels and policies.

    Manage Incidents in Microsoft Defender XDR

    In Microsoft Defender XDR, incidents provide a cross-domain view of security threats by correlating related alerts across endpoints, identities, and applications. Incidents are automatically grouped into a single investigation to provide security defenders with a comprehensive view of an attack. This correlation helps security teams understand the entire attack chain, what tactics were used, and the impact across devices, users, and mailboxes. By managing incidents in the Microsoft Defender portal, defenders can prioritize their responses and streamline investigations.

    Understanding Incidents

    An incident in Microsoft Defender XDR represents a collection of related alerts from different sources such as endpoints, email, or identities that together tell the full story of an attack. Instead of analyzing individual alerts in isolation, incidents group these events to provide a broader picture of an attack’s progression.

    For example, if a user’s credentials are compromised, this might generate alerts in Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint. Microsoft Defender XDR aggregates these alerts into a single incident, showing the attack’s starting point, tactics used, and how far it has progressed through your network.

    Prioritizing Incidents

    Prioritizing incidents is critical for effective threat response. Microsoft Defender XDR applies correlation analytics to aggregate related alerts from different security products into one incident, allowing defenders to focus on high-priority threats.

    The Incident queue in the Microsoft Defender portal shows incidents from the last 30 days, with the most recent at the top. The queue provides customizable columns to expose different aspects of each incident, such as the severity, source, and number of affected endpoints. This detailed view helps defenders prioritize incidents based on their potential impact.

    For clarity, incident names are automatically generated using attributes such as detection sources, affected endpoints, and severity levels. This feature helps analysts quickly grasp the scope of an incident without needing to dig through each alert.

    Filters for Incident Management

    Microsoft Defender XDR provides several filtering options to help you manage and prioritize incidents effectively. These filters include:

    Status: Filter incidents by their current status (Active, Resolved).

    Severity: High-severity incidents require immediate attention, while lower-severity ones can be addressed later.

    Incident Assignment: Show incidents assigned to you or handled by automation.

    Multiple Service Source: Filter incidents involving alerts from multiple Microsoft Defender services (for example, Defender for Endpoint, Defender for Identity).

    Categories: Focus on specific types of tactics or attack techniques.

    Data Sensitivity: Check if sensitive data was targeted, especially if Microsoft Purview Information Protection is enabled.

    Operating System: Filter incidents based on affected OS platforms.

    Automated Investigation State: Filter based on the status of automated investigation tasks.

    These filters allow for a focused approach, ensuring that incidents with the most significant potential impact are addressed first.
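    As an added example (not from the book), the following Python applies the Status, Incident Assignment, Severity and Multiple Service Source filters above to a constructed incident queue and orders what survives so the highest-severity, cross-domain incidents are picked up first. The record fields mirror the Microsoft Graph security incident resource (severity, status, assignedTo, alerts[].serviceSource); that mapping is an assumption here.

```python
"""Rank a Defender XDR incident queue the way the portal's filters suggest.

Added example, not from the book. Field names follow the Microsoft Graph
security `incident` resource (assumed); every incident below is constructed.
"""
from collections import Counter

# Graph uses lower-case severity values; rank High first.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "informational": 3}

# Constructed incident queue; each record is a trimmed Graph incident object.
SAMPLE_QUEUE = [
    {"id": "1001", "severity": "medium", "status": "active", "assignedTo": None,
     "alerts": [{"serviceSource": "microsoftDefenderForEndpoint"}]},
    {"id": "1002", "severity": "high", "status": "active",
     "assignedTo": "analyst@example.com",
     "alerts": [{"serviceSource": "microsoftDefenderForIdentity"},
                {"serviceSource": "microsoftDefenderForEndpoint"},
                {"serviceSource": "microsoftDefenderForOffice365"}]},
    {"id": "1003", "severity": "high", "status": "resolved", "assignedTo": None,
     "alerts": [{"serviceSource": "microsoftDefenderForEndpoint"}]},
    {"id": "1004", "severity": "high", "status": "active", "assignedTo": None,
     "alerts": [{"serviceSource": "microsoftDefenderForCloudApps"},
                {"serviceSource": "microsoftDefenderForEndpoint"}]},
    {"id": "1005", "severity": "low", "status": "active", "assignedTo": None,
     "alerts": [{"serviceSource": "microsoftDefenderForEndpoint"}]},
]


def service_sources(incident: dict) -> set:
    """Distinct Defender services that contributed alerts to the incident."""
    return {a["serviceSource"] for a in incident.get("alerts", [])}


def is_multi_service(incident: dict) -> bool:
    """True when alerts came from more than one service (the Multiple Service Source filter)."""
    return len(service_sources(incident)) > 1


def filter_queue(queue, status="active", unassigned_only=True, min_severity="low"):
    """Apply the Status, Incident Assignment and Severity filters of the incident queue."""
    threshold = SEVERITY_RANK[min_severity]
    kept = []
    for inc in queue:
        if inc["status"] != status:
            continue
        if unassigned_only and inc.get("assignedTo"):
            continue
        # Anything ranked below the threshold (for example informational) is dropped.
        if SEVERITY_RANK.get(inc["severity"], 99) > threshold:
            continue
        kept.append(inc)
    return kept


def prioritize(queue):
    """Sort: highest severity first, then most services involved, then most alerts."""
    return sorted(
        queue,
        key=lambda inc: (
            SEVERITY_RANK.get(inc["severity"], 99),
            -len(service_sources(inc)),
            -len(inc.get("alerts", [])),
        ),
    )


def work_order(queue, **filters):
    """Incident ids in the order an analyst should claim them."""
    return [inc["id"] for inc in prioritize(filter_queue(queue, **filters))]


def severity_breakdown(queue) -> Counter:
    """Counts per severity for active incidents, as a home-page card would show."""
    return Counter(inc["severity"] for inc in queue if inc["status"] == "active")


if __name__ == "__main__":
    print("Unassigned active, by priority:", work_order(SAMPLE_QUEUE))
    print("All active, by priority:", work_order(SAMPLE_QUEUE, unassigned_only=False))
    print("Active severity breakdown:", dict(severity_breakdown(SAMPLE_QUEUE)))
```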

    Managing Incidents

    Managing incidents in Microsoft Defender XDR involves various tasks, including editing incident names, assigning incidents to analysts, and classifying alerts. Here are some key features of incident management:

    Edit Incident Name: Incident names are automatically generated based on alert attributes, making it easier for analysts to understand the scope of the incident. However, security teams can rename incidents to align with internal naming conventions or add clarity for future investigations.

    Assign Incidents: Unassigned incidents can be assigned to individual analysts by selecting the Assign to me option. This feature ensures ownership over the incident and any associated alerts, allowing analysts to manage the investigation from start to finish.

    Set Status and Classification: You can update an incident’s status as it progresses, marking it as Active or Resolved. Once an incident is resolved, all associated alerts are automatically closed, ensuring that no alerts remain open unnecessarily.

    Classification helps the team learn from previous incidents. By marking incidents as True Alerts or False Alerts, teams can identify patterns in the data and fine-tune their detection capabilities.

    Add Comments and Incident Tags: Analysts can add comments to an incident to record investigation details, such as steps taken or observations made during the process. This collaboration helps team members stay updated on the investigation’s progress and see the historical changes made to an incident.

    Adding incident tags is another way to manage incidents. Tags can be used to group incidents with similar characteristics, making it easier to filter and review incidents during future investigations.

    Preview Incidents: The Microsoft Defender portal provides preview information for incidents, allowing quick access to essential details without leaving the queue. This preview includes three main areas:

    Circle: Clicking the circle icon opens a detailed window on the right side, providing an incident overview.

    Greater than symbol: Clicking the symbol shows related records for the selected incident.

    Link: Selecting the link navigates to the full incident details page.

    Investigating Incidents in Microsoft Defender XDR

    In Microsoft Defender XDR, the Incident page is your central hub for investigating security incidents, offering detailed insights into the attack’s scope, progression, and remediation efforts. By grouping correlated alerts from various security sources, such as Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365, you gain a comprehensive view of the incident, making it easier to assess, prioritize, and respond to threats.

    Incident Overview

    The Overview page provides a quick snapshot of the key details about the incident, which is essential for an initial triage. It helps you quickly understand how the attack unfolded, what assets were impacted, and what steps need to be taken.

    Attack Categories: Aligned with the MITRE ATT&CK™ framework, this section visually displays the stage of the attack within the kill chain. This allows you to see how advanced the attack has progressed across various tactics and techniques.

    Scope Section: Lists the top impacted assets, including devices and users. You can also view key details such as risk level, investigation priority, and tags associated with these assets, providing additional context.

    Alerts Timeline: Displays a chronological timeline of the alerts that were generated, showing how the attack unfolded and why specific alerts are linked together. This can help you quickly understand the sequence of events.

    Evidence Section: Summarizes the various artifacts involved in the incident, including files, processes, and emails. It also provides their remediation status, helping you identify if any actions are pending or need your attention.

    The overview offers a clear, high-level view of the incident’s critical components, assisting in rapid decision-making and prioritization.

    Alerts

    The Alerts tab shows all the alerts associated with the incident, including severity, affected entities (devices, users, mailboxes), and the security product (for example, Defender for Identity, Defender for Endpoint) that triggered the alert.

    Alerts are ordered chronologically by default, allowing you to see how the attack unfolded over time.

    Clicking on an alert takes you to the alert details page, where you can conduct a deeper investigation into that specific alert and determine its role within the broader incident.

    Devices

    The Devices tab lists all the endpoints involved in the incident.

    By selecting the device name, you can navigate to the Device page, where you can view all the alerts and events associated with that specific device. This helps focus on the role each endpoint played in the attack and allows for targeted investigation and remediation.

    Users

    The Users tab shows all users linked to the incident.

    Clicking a user’s name navigates you to their Microsoft Defender for Cloud Apps page. This page offers a deeper investigation into that user’s activity, helping identify if their account was compromised or involved in malicious actions.

    Mailboxes

    The Mailboxes tab lists all email accounts involved in the incident. You can investigate how email might have been used in the attack—whether as a point of entry through phishing or as a method for lateral movement or data exfiltration.

    Apps

    The Apps tab allows you to investigate applications that were involved in the incident, giving insight into any potential vulnerabilities or misconfigurations in cloud or on-premises applications.

    Investigations

    In the Investigations tab, you can see all the automated investigations that were triggered by alerts in the incident.

    Each investigation details whether remediation actions were automatically performed or if any steps are pending analyst approval.

    By selecting an investigation, you can view the Investigation details page, where you can track the progress and status of automated responses. Pending actions will appear under the Pending actions tab, allowing you to approve or reject further remediation steps.

    Evidence and Responses

    Microsoft Defender XDR provides automated investigation and remediation for supported events, presenting you with actionable insights on important files, processes, services, emails, and more. Each entity involved in the incident is assigned a verdict (for example, Malicious, Suspicious, Clean) and a remediation status (for example, Remediated, Pending).

    This helps you quickly assess which parts of the incident still require attention and what remediation actions have already been completed. You can take further actions to ensure the incident is fully addressed.

    Graph

    The Graph provides a visual representation of the cybersecurity attack, showing how various components of the incident are linked together. It helps you understand the entry point, where and how the attack spread, and which indicators of compromise were observed.

    You can click on nodes within the graph to drill down into specific details, such as a malicious file’s detection history, the devices it impacted, and whether it has been observed within your organization or elsewhere globally.

    This visualization is particularly helpful in identifying patterns and correlations across different data points, giving you a more complete view of the attack’s progression.

    Managing and Investigating Alerts in Microsoft Defender XDR

    Managing and investigating alerts is a key responsibility for Security Operations Analysts using Microsoft Defender XDR. The Alert Management pane provides tools to categorize, prioritize, and track alerts, ensuring efficient response to potential threats. Here is a comprehensive guide to managing and investigating alerts in Defender XDR.

    Alert Management Overview

    You can manage alerts from the Alerts queue or the Alerts tab of a device page in Microsoft Defender XDR. Selecting an alert brings up the Alert Management pane, where you can view alert details, set metadata, assign alerts, and take action.

    Severity Levels

    Severity levels indicate the potential risk associated with an alert and help prioritize investigation efforts:

    High (Red): Alerts related to advanced persistent threats (APTs) or malicious activities that pose a significant risk to the organization. Examples include credential theft tools, ransomware, or tampering with security sensors.

    Medium (Orange): Alerts from endpoint detection and response that indicate suspicious post-breach behaviors, such as registry changes or execution of suspicious files.

    Low (Yellow): Alerts associated with prevalent malware or non-malware hacking tools that may not pose an immediate threat to the organization.

    Informational (Grey): Alerts that are not harmful but provide insights that can improve organizational security awareness.

    Note: The severity of alerts in Microsoft Defender Antivirus (AV) and Defender for Endpoint differs. Microsoft Defender AV severity reflects the risk to an individual device, while Defender for Endpoint focuses on the broader organizational risk.

    Categories

    Alert categories are aligned with the MITRE ATT&CK framework, providing context about the tactics and techniques used in the attack. Categories include:

    Collection: Data gathering for exfiltration.

    Command and Control: Establishing communication with attacker-controlled infrastructure.

    Credential Access: Stealing valid credentials.

    Defense Evasion: Avoiding security detection and controls.

    Discovery: Gathering information about the target network.

    Execution: Launching attacker tools and malicious code.

    Exfiltration: Transferring data out of the organization.

    Exploit: Using exploit code to compromise systems.

    Initial Access: Gaining entry to the network.

    Lateral Movement: Moving across the network to access critical systems.

    Malware: Backdoors, trojans, and other malicious software.

    Persistence: Maintaining access to compromised systems.

    Privilege Escalation: Gaining higher-level permissions.

    Ransomware: Encrypting files and demanding payment for decryption.

    Suspicious Activity: Unusual behaviors that may be indicative of an attack.

    Unwanted Software: Potentially unwanted applications (PUAs) that degrade productivity or security.

    Link to Another Incident

    You can create a new incident from the alert or link it to an existing incident to streamline investigation efforts. Linking alerts allows analysts to correlate related activities and better understand the attack.

    Assign Alerts

    If an alert isn’t assigned, you can select Assign to me to take ownership. This helps ensure accountability and structured workflows within your security team.

    Suppress Alerts

    In some cases, you might need to suppress alerts that are known to be harmless (such as tools used for internal security testing). You can create suppression rules to prevent such alerts from appearing in the queue:

    Suppress Alert on This Device: Suppresses alerts from a specific device.

    Suppress Alert in My Organization: Suppresses alerts organization-wide for a specific tool or process.

    These rules only apply to future alerts and won’t affect alerts already in the queue.

    Change Alert Status

    Alerts can be categorized as New, In Progress, or Resolved to help track their investigation progress:

    New: Unreviewed alerts that require triage.

    In Progress: Alerts under active investigation.

    Resolved: Alerts that have been investigated and closed.

    This status helps analysts and team leaders manage alert workflows and prioritize responses.

    Alert Classification

    You can classify alerts as true positive or false positive:

    True Positive: Confirmed as legitimate security incidents.

    False Positive: Non-malicious activity incorrectly flagged as a threat.

    Providing accurate classifications helps improve the quality of future alerts and reduce false positives.

    Add Comments and View Alert History

    The Comments and History section allows you to document investigation progress and see previous changes. Comments can be added in real-time and help maintain a clear audit trail of actions taken during the alert’s lifecycle.

    Alert Investigation and Automated Response in Microsoft Defender XDR

    Investigating alerts is a critical step in understanding security incidents and determining the appropriate response. Microsoft Defender XDR integrates automated investigation and remediation capabilities to efficiently manage security threats and alleviate the burden on security operations teams.

    Alert Page Overview

    When investigating alerts in Microsoft Defender XDR, start by selecting an alert from the Alerts queue. The Alert page displays essential details, including the alert title, affected assets, and the Alert story tree view. The Details pane provides additional information about the selected entities, and all related events and entities are listed in the Alert story.

    Affected Assets: Displays the devices, users, mailboxes, and applications involved in the alert.

    Alert Story: A timeline of events showing why the alert was triggered, related events, and other involved entities. Each entity is clickable and provides additional details for deeper investigation.
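The Affected assets and Alert story panes are built from evidence rows that are also queryable. The following KQL is an added example, not from the book; it rebuilds a per-alert list of affected devices, users, mailboxes, files and remote IPs, assuming the AlertInfo and AlertEvidence tables and the EntityType values Machine, User, Mailbox, File and Ip.

```kql
// Added example: rebuild the "Affected assets" view for each recent
// High/Medium alert from its evidence rows, so investigators can see the
// involved entities before opening the Alert page.
// Assumes the Advanced Hunting AlertInfo and AlertEvidence tables.
AlertInfo
| where Timestamp > ago(1d)
| where Severity in ("High", "Medium")
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(1d)
    // Collapse the evidence rows of each alert into one row of entity sets
    | summarize
        Devices       = make_set_if(DeviceName, EntityType == "Machine", 20),
        Users         = make_set_if(AccountUpn, EntityType == "User", 20),
        Mailboxes     = make_set_if(AccountUpn, EntityType == "Mailbox", 20),
        Files         = make_set_if(SHA256, EntityType == "File", 20),
        RemoteIPs     = make_set_if(RemoteIP, EntityType == "Ip", 20),
        // "Impacted" entities are the assets the attack acted on,
        // as opposed to "Related" context such as the attacker's IP
        ImpactedCount = countif(EvidenceRole == "Impacted")
        by AlertId
) on AlertId
| project Timestamp, AlertId, Title, Category, Severity, ServiceSource,
          Devices, Users, Mailboxes, Files, RemoteIPs, ImpactedCount
| order by Timestamp desc
```

Alerts whose Files set contains a hash seen on several Devices are the ones the automated investigation described below will typically expand to other machines.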

    Investigate Using the Alert Story

    The Alert story offers a comprehensive view of the incident by detailing the events before and after the alert and showing related entities such as devices, users, and mailboxes. Each entity in the Alert story is expandable, and selecting an entity shifts the focus of the Details pane to show more context about that entity.

    Taking Action from the Details Pane

    Once you select an entity, the Details pane updates to provide relevant historical information and actions specific to that entity. You can manage the entity directly from the Alert page, taking actions such as quarantining a file, isolating a device, or marking the alert as resolved.

    Mark Alerts as Resolved

    After completing your investigation, you can update the alert’s status. Mark it as Resolved, and classify it as either a True alert or a False alert. You can also add Suppress rules to avoid similar false alerts in the future.

    True Alert: If the alert is legitimate, you can further classify it with a determination (for example, phishing, malware, and more).

    False Alert: Suppression rules can be applied to prevent the alert type from appearing again if it is a known harmless event.

    Manage Automated Investigations

    Microsoft Defender XDR helps streamline security operations by utilizing Automated Investigation and Remediation (AIR) capabilities. These automated investigations allow your team to address threats efficiently while focusing on high-value tasks.

    How Automated Investigations Start

    When an alert is triggered (for example, detecting a malicious file on a device), a security playbook is activated, which launches an automated investigation. The investigation checks if the threat is present on other devices in the network and determines the severity of the threat.

    Details of an Automated Investigation

    During and after an investigation, you can access detailed information about its findings, such as the severity of threats and remediation actions. These details are organized under several tabs:

    Alerts: Lists the alerts that initiated the
