This chapter covers Microsoft Defender for Endpoint alert triage, a critical skill for the SC-200 exam. Alert triage is the process of assessing, prioritizing, and responding to security alerts generated by Defender for Endpoint. Approximately 20-25% of SC-200 exam questions touch on alert triage, investigation, and response concepts. You will learn the mechanics of the triage process, how to use the Microsoft 365 Defender portal, and how to differentiate between true positives, false positives, and benign positives. Mastering this topic is essential for passing the exam and for real-world security operations.
Defender for Endpoint alert triage is like an emergency room (ER) triage nurse assessing incoming patients. The nurse (alert triage engine) receives all patients (alerts) who arrive. Each patient has a set of symptoms (alert metadata: severity, device, user, process). The nurse uses a triage protocol (automated investigation and response) to quickly classify patients: those with life-threatening conditions (true positive, high severity) go straight to the operating room (automated remediation), those with minor issues (false positive, low severity) are sent home with advice (suppressed or dismissed), and those needing further evaluation (suspicious, medium severity) are sent to a specialist (manual investigation). The nurse also checks patient history (device timeline, user context) to avoid misdiagnosis. Just as the nurse must prioritize to save lives, a security analyst must triage alerts to stop attacks fast. The triage nurse doesn't treat the patient—they decide the next action. Similarly, Defender for Endpoint triage doesn't fix everything; it identifies which alerts need immediate action, which can wait, and which are harmless. The nurse's protocol is based on established medical guidelines (Microsoft's detection logic and threat intelligence). If the protocol is wrong, patients die; if the triage logic is misconfigured, attacks succeed.
What is Alert Triage in Defender for Endpoint?
Alert triage is the systematic process of evaluating incoming security alerts to determine their validity, severity, and required response. In the context of Microsoft Defender for Endpoint, triage involves using the Microsoft 365 Defender portal (security.microsoft.com) to review alerts generated by the endpoint detection and response (EDR) system. The goal is to quickly identify genuine threats (true positives), dismiss false alarms (false positives), and prioritize incidents based on risk.
Defender for Endpoint uses a combination of behavioral sensors, cloud analytics, and threat intelligence to generate alerts. Each alert represents a detection of suspicious activity on a device. Alerts are grouped into incidents—a collection of related alerts that together tell a story of an attack. The triage process typically starts with the incident queue.
How Alert Triage Works Internally
When an endpoint triggers a detection, the sensor sends telemetry to the Defender for Endpoint cloud service. The cloud service applies machine learning models and rule-based logic to correlate events and generate an alert. The alert is assigned a severity (Informational, Low, Medium, High) and a category (e.g., Malware, Suspicious Activity, Exploit).
The alert appears in the Alerts queue in the Microsoft 365 Defender portal. The queue shows:
Alert title and description
Severity level
Status (New, In Progress, Resolved)
Investigation state (e.g., Running, No action taken)
Assigned to (analyst or automated)
Detection source (e.g., EDR, AV, ASR)
Device name and user
Time generated
An analyst can filter the queue by severity, status, detection source, or custom criteria. The triage process involves examining each alert to answer three questions:
1. Is this a real threat? (True positive vs. false positive)
2. What is the impact? (Scope: affected devices, users, data)
3. What action is needed? (Contain, remediate, or dismiss)
Key Components, Values, Defaults, and Timers
#### Alert Severity Levels
- Informational: Not actionable but may be useful for auditing. Example: 'A process was added to startup.'
- Low: Minor suspicious activity, often benign. Example: 'A potentially unwanted application (PUA) was detected.'
- Medium: Suspicious activity that warrants investigation. Example: 'A file was executed from a suspicious location.'
- High: Confirmed malicious activity requiring immediate action. Example: 'Ransomware behavior detected.'

#### Alert Status
- New: Unreviewed alert.
- In Progress: Analyst is investigating.
- Resolved: Investigation complete. Resolution can be:
  - True Positive: Confirmed threat, action taken.
  - False Positive: Not a real threat.
  - Benign Positive: Real but harmless (e.g., admin tool used legitimately).

#### Investigation State
- No action taken: Initial state.
- Running: Automated investigation in progress.
- No threats found: Automated investigation completed, no evidence of threat.
- Remediation in progress: Automated remediation actions underway.
- Partially remediated: Some actions succeeded.
- Failed: Remediation failed.
- Threat found: Automated investigation confirmed threat.

#### Default Timers
- Automated investigation timeout: 60 minutes for most investigations.
- Alert retention: Alerts are retained for 180 days in the portal.
- Incident auto-closure: If no new alerts for 30 days, incident may auto-resolve (depending on tenant configuration).
Configuration and Verification Commands
While triage is primarily GUI-based, you can use advanced hunting queries to triage alerts programmatically. Example KQL query to list all high-severity alerts in the last 24 hours:
```kusto
AlertInfo
| where Timestamp > ago(24h)
| where Severity == "High"
| project Timestamp, AlertId, Title, Severity, Category
```

To check automated investigation status:

```kusto
AlertEvidence
| where Timestamp > ago(7d)
| where InvestigationId != ""
| project InvestigationId, AlertId, EntityType, EvidenceDirection
```

To verify if a device is isolated:

```kusto
DeviceInfo
| where Timestamp > ago(1h)
| where DeviceName == "target-device"
| project DeviceName, Isolated
```

Interaction with Related Technologies
Alert triage in Defender for Endpoint integrates with:
- Microsoft Defender for Identity: Alerts from AD signals can be correlated.
- Microsoft Defender for Office 365: Phishing alerts can appear in the same incident.
- Microsoft Defender for Cloud Apps: App alerts can be triaged alongside endpoint alerts.
- Microsoft Sentinel: Alerts can be forwarded to Sentinel for SIEM correlation and advanced analytics.
- Automated Investigation and Response (AIR): AIR automatically triages alerts and can take remediation actions without human intervention. As an analyst, you can approve or reject these actions.
Triage Workflow Best Practices
Start with Incidents: Incidents group related alerts. Triage the incident, not individual alerts.
Prioritize by Severity: High severity first, then Medium, then Low. Informational can be ignored unless part of an incident.
Use Automated Investigation: Allow AIR to run before manual triage. It often resolves false positives and provides evidence.
Check Device Timeline: The device timeline shows all events leading up to the alert. This helps confirm if the activity is malicious.
Leverage Threat Intelligence: The alert page shows related indicators (IPs, domains, file hashes) and their reputation.
Classify Resolution Correctly: Always set the correct classification (True Positive, False Positive, Benign Positive) and determination (e.g., Malware, Phishing, Unwanted Software). This improves the detection engine.
Containment Actions: If a true positive is confirmed, use 'Isolate device' or 'Stop and quarantine file' from the alert page.
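The best practices above (incident-first triage, severity ordering, reviewing Informational alerts only in incident context, and checking automated investigations against the 60-minute default timeout from Default Timers) can be expressed as a small prioritisation routine. The following is an added example, not code from the chapter or from Microsoft: the alert records in `ALERTS`, their field names, and the fixed "current time" are constructed to mimic the columns shown in the Alerts queue and are not a Defender API schema.

```python
"""Incident-first triage prioritisation over constructed Defender for Endpoint alert records."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Ordering used for triage: High first, then Medium, Low, Informational.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
AIR_TIMEOUT_MINUTES = 60  # default automated investigation timeout stated in the chapter

NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed "current time" (assumption)

# Constructed alert records (not real telemetry); field names are assumptions for illustration.
ALERTS = [
    {"AlertId": "da1", "IncidentId": 101, "Title": "Ransomware behavior detected",
     "Severity": "High", "Status": "New", "InvestigationState": "Running",
     "InvestigationStarted": NOW - timedelta(minutes=95), "DeviceName": "fin-ws-017"},
    {"AlertId": "da2", "IncidentId": 101, "Title": "A process was added to startup",
     "Severity": "Informational", "Status": "New", "InvestigationState": "No action taken",
     "InvestigationStarted": None, "DeviceName": "fin-ws-017"},
    {"AlertId": "da3", "IncidentId": 102, "Title": "A file was executed from a suspicious location",
     "Severity": "Medium", "Status": "New", "InvestigationState": "Running",
     "InvestigationStarted": NOW - timedelta(minutes=20), "DeviceName": "hr-ws-004"},
    {"AlertId": "da4", "IncidentId": 103, "Title": "A process was added to startup",
     "Severity": "Informational", "Status": "New", "InvestigationState": "No action taken",
     "InvestigationStarted": None, "DeviceName": "it-ws-001"},
    {"AlertId": "da5", "IncidentId": 104, "Title": "Potentially unwanted application (PUA) detected",
     "Severity": "Low", "Status": "Resolved", "InvestigationState": "No threats found",
     "InvestigationStarted": NOW - timedelta(minutes=30), "DeviceName": "hr-ws-009"},
]


def group_into_incidents(alerts):
    """Group alerts by IncidentId: triage the incident, not the individual alert."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[alert["IncidentId"]].append(alert)
    return dict(incidents)


def incident_priority(alerts):
    """Return open incident ids in triage order.

    Sort key: highest severity among the incident's open alerts first, then the
    number of open alerts (several alerts on the same device or user suggest a
    broader attack), then incident id. Fully resolved incidents are left out.
    """
    ranked = []
    for incident_id, members in group_into_incidents(alerts).items():
        open_alerts = [a for a in members if a["Status"] != "Resolved"]
        if not open_alerts:
            continue
        top = max(SEVERITY_RANK[a["Severity"]] for a in open_alerts)
        ranked.append((-top, -len(open_alerts), incident_id))
    return [incident_id for _, _, incident_id in sorted(ranked)]


def informational_alerts_to_review(alerts):
    """Informational alerts are skipped on their own but reviewed when they share an
    incident with other alerts, since they may be the first step of an attack chain."""
    incidents = group_into_incidents(alerts)
    return sorted(
        a["AlertId"] for a in alerts
        if a["Severity"] == "Informational" and len(incidents[a["IncidentId"]]) > 1
    )


def overdue_investigations(alerts, now=NOW, timeout_minutes=AIR_TIMEOUT_MINUTES):
    """Automated investigations still Running past the timeout should be checked for failure."""
    limit = timedelta(minutes=timeout_minutes)
    return sorted(
        a["AlertId"] for a in alerts
        if a["InvestigationState"] == "Running"
        and a["InvestigationStarted"] is not None
        and now - a["InvestigationStarted"] > limit
    )


if __name__ == "__main__":
    print("Triage order (incident ids):", incident_priority(ALERTS))
    print("Informational alerts worth reviewing:", informational_alerts_to_review(ALERTS))
    print("Investigations past the 60-minute timeout:", overdue_investigations(ALERTS))
```

Running it orders incident 101 (High, two alerts) ahead of 102 (Medium) and 103 (Informational only), drops the fully resolved 104, flags only the Informational alert that sits inside a larger incident, and reports the investigation that has been Running for longer than 60 minutes.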
Common Triage Mistakes
Ignoring Medium severity alerts: Attackers often use low-and-slow techniques that generate Medium alerts. Always investigate Medium alerts if they are part of an incident.
Dismissing alerts without investigation: Use the 'Go hunt' feature to run a KQL query to confirm benign activity.
Not classifying alerts: Unclassified alerts remain in the 'New' state and clutter the queue. Always classify after review.
Over-relying on automation: Automated investigations can miss context. Always review AIR results before approving actions.
Access the Incidents Queue
Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com). Under 'Incidents & alerts', select 'Incidents'. The incidents queue displays all active incidents with their severity, number of alerts, and status. Sort by severity descending. Select the highest severity incident to begin triage. The queue auto-refreshes every 60 seconds by default. You can filter by time range, detection source, or tag.
Review Incident Summary
Click on an incident to open its summary page. The summary includes the incident title, severity, status, assigned to, and a timeline of events. Also shown are the impacted devices, users, and mailboxes. The 'Attack story' tab provides a visual graph of the attack chain. Review this to understand the sequence of events. Note the 'Investigation' state—if running, wait for completion before manual triage.
Analyze Alerts in the Incident
Under the 'Alerts' tab, you see all alerts grouped into this incident. Each alert has a title, severity, detection source, and status. Click an alert to open its details. The alert page shows: description, related evidence (files, processes, IPs), MITRE ATT&CK techniques, and recommended actions. Use the 'Open evidence' tab to see the raw telemetry. Check the 'Device timeline' to see preceding events. Look for patterns: multiple alerts from the same device or user indicate a broader attack.
Classify and Determine Alert
After analysis, classify the alert. Click 'Manage alert' and set the 'Classification' to one of: True Positive, False Positive, Benign Positive. Then set 'Determination' (e.g., Malware, Phishing, Unwanted Software, Suspicious but expected). For True Positives, also select the appropriate 'Action' (e.g., Isolate device, Quarantine file). For False Positives, select 'No action needed'. This classification feeds back into the detection engine to reduce future false positives.
Contain and Remediate Threat
If the alert is a True Positive, take immediate containment actions. From the alert page, you can: 'Isolate device' (prevents communication with other devices, only allows connection to Defender cloud), 'Stop and quarantine file', 'Run antivirus scan', or 'Initiate automated investigation'. For network-based threats, you can block indicators (IP, URL, domain) from the alert. After containment, use 'Remediation actions' to clean the device. Always verify remediation success by checking the device timeline for clean events.
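The Classify, Determine and Contain steps above follow fixed rules: a resolution needs both a Classification and a Determination, a True Positive needs a containment action, a False Positive is closed with 'No action needed', and a running automated investigation should finish first. The following added example (not code from the chapter or from Microsoft) encodes those rules as a validator and next-step recommender, as a review script over exported resolutions might; the `Resolution` record is an assumed shape for illustration, not a Defender portal or API object.

```python
"""Checks for the Classify, Determine and Contain steps of alert triage."""
from dataclasses import dataclass
from typing import List, Optional

CLASSIFICATIONS = {"True Positive", "False Positive", "Benign Positive"}
DETERMINATIONS = {"Malware", "Phishing", "Unwanted Software", "Suspicious but expected"}
# Containment actions available from the alert page once a True Positive is confirmed.
CONTAINMENT_ACTIONS = {
    "Isolate device", "Stop and quarantine file", "Run antivirus scan",
    "Initiate automated investigation",
}


@dataclass
class Resolution:
    """Assumed record shape for a proposed alert resolution (illustration only)."""
    alert_id: str
    status: str                           # New / In Progress / Resolved
    classification: Optional[str] = None
    determination: Optional[str] = None
    action: Optional[str] = None
    investigation_state: str = "No action taken"


def validate_resolution(res: Resolution) -> List[str]:
    """Return the problems with a resolution; an empty list means it is complete."""
    problems = []
    if res.status != "Resolved":
        return problems  # nothing to enforce until the analyst tries to resolve
    if res.classification not in CLASSIFICATIONS:
        problems.append("Resolved without a valid Classification")
    if res.determination not in DETERMINATIONS:
        problems.append("Resolved without a valid Determination")
    if res.classification == "True Positive" and res.action not in CONTAINMENT_ACTIONS:
        problems.append("True Positive needs a containment action (e.g. 'Isolate device')")
    if res.classification == "False Positive" and res.action not in (None, "No action needed"):
        problems.append("False Positive should be resolved with 'No action needed'")
    if res.investigation_state == "Running":
        problems.append("Automated investigation still running; wait before resolving")
    return problems


def next_step(res: Resolution) -> str:
    """Recommend the analyst's next action from the alert page."""
    if res.investigation_state == "Running":
        return "Wait for the automated investigation to complete"
    if res.classification is None:
        return "Investigate: review evidence, device timeline and threat intelligence"
    if res.classification == "True Positive":
        return "Contain (Isolate device / Stop and quarantine file), then remediate and verify"
    return "Set Determination, choose 'No action needed', and resolve"


if __name__ == "__main__":
    # Constructed case: a confirmed threat resolved without any containment action.
    proposed = Resolution("da1", "Resolved", "True Positive", "Malware", None, "Threat found")
    for problem in validate_resolution(proposed):
        print("Problem:", problem)
    print("Next step:", next_step(proposed))
```

The validator deliberately reports nothing while the status is still New or In Progress; the checks only apply at the moment an analyst tries to mark the alert Resolved, which is where the "resolved without classification" mistake is made.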
Enterprise Scenario 1: Large Financial Institution
A global bank with 50,000 endpoints uses Defender for Endpoint. The SOC team triages over 1,000 alerts daily. They use automated investigation to reduce the load—AIR handles 80% of alerts, mostly false positives from internal security tools. The remaining 20% require manual triage. The team configured custom detection rules to whitelist known admin tools (PowerShell, PSExec) used by IT. They also created a dashboard in the portal showing 'High severity incidents' and 'Pending automated actions'. One common issue: alerts for 'Suspicious PowerShell execution' from IT automation scripts. The team uses 'Benign Positive' classification with determination 'Suspicious but expected' to suppress these. Misconfiguration: When they first deployed, they set all alerts to 'Informational' severity, which caused the SOC to miss a real ransomware attack. They now enforce a policy that all alerts from 'Real-time protection' must be at least Medium severity.
Enterprise Scenario 2: Healthcare Provider
A hospital with 10,000 endpoints uses Defender for Endpoint integrated with Microsoft Sentinel. Their triage process starts in Sentinel, which ingests alerts from Defender. They built a playbook that automatically isolates any device with a 'Ransomware behavior detected' alert (High severity). The playbook also sends a Teams notification to the SOC. They triage Medium and Low alerts in the Defender portal. A common problem: alerts for 'Tampering with Defender settings' often occur when IT updates antivirus policies. They created a suppression rule to exclude alerts from IT-managed devices. Performance: With 500 endpoints, automated investigation completes in 5-10 minutes. With 10,000, it can take up to 30 minutes. They learned to let AIR finish before manual triage to avoid duplicate work.
Common Misconfigurations
Not setting alert suppression rules: Leads to alert fatigue. Use 'Alert suppression' in the advanced features to hide expected behavior.
Incorrect classification: Classifying a true positive as 'False Positive' weakens the detection engine. Always classify correctly.
Ignoring incident grouping: Manually triaging individual alerts instead of incidents leads to missing broader attack context.
SC-200 Exam Focus on Alert Triage
The SC-200 exam tests alert triage under objective 'Manage incidents and alerts' (Domain 1: Manage Microsoft Defender for Endpoint). Specific sub-objectives include:
- 'Triage and investigate alerts' (1.1)
- 'Classify and determine alerts' (1.2)
- 'Manage automated investigations' (1.3)
Common Wrong Answers
'Always dismiss informational alerts': Wrong. Informational alerts may be part of an incident. The exam expects you to review them in context.
'Use the Alerts queue only': Wrong. The exam emphasizes using the Incidents queue first because incidents group related alerts.
'Set all alerts to Resolved after investigation': Wrong. You must set a classification and determination. Simply resolving without classification is incomplete.
'Automated investigation replaces manual triage': Wrong. Automated investigation aids triage but does not replace analyst judgment, especially for complex attacks.
Specific Numbers and Terms to Memorize
Severity levels: Informational, Low, Medium, High
Classification options: True Positive, False Positive, Benign Positive
Determination examples: Malware, Phishing, Unwanted Software, Suspicious but expected
Investigation states: No action taken, Running, No threats found, Remediation in progress, Partially remediated, Failed, Threat found
Alert retention: 180 days
Automated investigation timeout: 60 minutes
Edge Cases the Exam Tests
Alert from multiple devices: If an alert involves multiple devices, the incident will show them. The exam may ask how to view all affected devices.
Alert with no evidence: Sometimes an alert has no evidence due to data retention. The correct answer is to 'Go hunt' to query for related events.
Alert during off-hours: The exam may present a scenario where an alert is generated at 3 AM. The correct triage step is to check if automated investigation ran and approve or reject actions.
How to Eliminate Wrong Answers
If an option says 'Ignore the alert because it is Low severity', eliminate it—severity alone doesn't determine importance.
If an option says 'Isolate the device immediately without investigation', eliminate it—isolation is a containment step after confirmation.
If an option says 'Use the Microsoft 365 admin center', eliminate it—Defender for Endpoint is managed from security.microsoft.com.
The correct answer often involves 'Incidents' queue, 'Automated investigation', and 'Classification'.
Alert triage starts in the Incidents queue, not the Alerts queue.
Always classify alerts with Classification (True Positive, False Positive, Benign Positive) and Determination.
Automated investigation timeout is 60 minutes; if it exceeds, check for failures.
Alert retention in the portal is 180 days.
High severity does not guarantee a true positive; always investigate context.
Use 'Go hunt' to query for additional evidence when alert details are insufficient.
Containment actions like 'Isolate device' should only be taken after confirming a true positive.
These come up on the exam all the time. Here's how to tell them apart.
Manual Alert Triage
Requires analyst to manually review each alert
Analyst decides classification and actions
Time-consuming but allows nuanced judgment
Prone to human error and fatigue
Best for complex or novel attacks
Automated Investigation and Response (AIR)
Automatically investigates alerts using playbooks
Can take remediation actions without human input
Fast and scalable for high alert volumes
Limited by predefined logic and detection coverage
Best for known attack patterns and false positives
Mistake
All high-severity alerts are true positives.
Correct
High severity indicates potential impact, but it can still be a false positive. For example, a legitimate admin tool triggering a ransomware detection. Always investigate before acting.
Mistake
Automated investigation always resolves alerts correctly.
Correct
Automated investigation can miss context. For instance, it may classify a malicious script as 'no threats found' if the script is obfuscated. Analyst review is still required.
Mistake
You should resolve alerts by setting status to 'Resolved' without classification.
Correct
The exam requires you to set both Classification and Determination. Simply resolving without classification is incomplete and does not improve detection.
Mistake
Informational alerts never need review.
Correct
Informational alerts can be part of an incident. For example, a 'Process creation' informational alert may be the first step in an attack chain. Review them in incident context.
Mistake
Triage is only about individual alerts, not incidents.
Correct
The exam emphasizes incident-level triage. Incidents group related alerts, providing a complete attack story. Triage should start with incidents, not individual alerts.
Start by going to the Microsoft 365 Defender portal (security.microsoft.com) and selecting 'Incidents' under 'Incidents & alerts'. Sort by severity and open the highest severity incident. Review the attack story, then examine each alert in the incident. Use the alert details, device timeline, and evidence to determine if it is a true positive, false positive, or benign positive. Classify the alert accordingly and take appropriate action (e.g., isolate device for true positives). Always set the classification and determination before resolving.
An alert is a single detection of suspicious activity on a device. An incident is a collection of related alerts that together represent an attack. Incidents provide a broader context, including the attack chain, impacted devices, and users. In triage, you should work with incidents because they give a complete picture. The exam expects you to triage at the incident level first.
Automated investigation should run first for all alerts. It quickly determines if there is a threat and can take automatic remediation actions. Manual triage is needed when automated investigation fails, returns inconclusive results, or when the alert is part of a complex attack that requires human judgment. The exam emphasizes letting AIR run before manual intervention.
After investigating and confirming that the alert is not a real threat, click 'Manage alert' and set Classification to 'False Positive'. Then set Determination to an appropriate value like 'Suspicious but expected' or 'Unwanted Software' if applicable. This feedback helps improve detection accuracy. Do not simply change status to 'Resolved' without classification.
Isolate device disconnects the device from the network except for communication with the Defender for Endpoint cloud service. This prevents the spread of malware and allows the device to be safely investigated. It is a containment action that should only be taken after confirming a true positive. The exam may test that isolation does not block communication with Defender cloud.
Alerts are retained for 180 days in the Microsoft 365 Defender portal. After that, they are no longer visible. However, you can export alerts or forward them to Microsoft Sentinel for longer retention. The exam may ask about retention duration.
Yes, you can use advanced hunting with Kusto Query Language (KQL) to query alert data. For example, to list all high-severity alerts in the last 24 hours: AlertInfo | where Timestamp > ago(24h) | where Severity == 'High'. This is useful for bulk triage or creating custom dashboards. However, the primary triage interface is the portal.