Security Alerts and Incidents in Microsoft Defender for Cloud
The cyberthreat landscape has changed dramatically over the years and having a strong response strategy in place is critical. Read the blog to learn how Microsoft Defender for Cloud continues to stay one step ahead of the ever-evolving threat landscape.
Frequently Asked Questions
What are security alerts in Microsoft Defender for Cloud?
In Microsoft Defender for Cloud, security alerts are notifications generated when potential threats are detected across your Azure, hybrid, or multicloud resources.
These alerts are produced by Defender for Cloud’s workload protection plans once you enable them for specific resource types (for example, virtual machines or other cloud services). When a threat or suspicious activity is identified, Defender for Cloud raises an alert that includes:
- The affected resource or resources
- A description of the issue or suspicious behavior
- Recommended remediation steps
Alerts remain visible in the Azure portal for 90 days, even if the underlying resource has been deleted. This is intentional: an alert on a deleted resource can still indicate a breach that needs investigation. If you need to keep alerts for longer than 90 days, export them to a SIEM or log store (see below).
You can also work with alerts outside the portal:
- Export them as CSV files for reporting or offline analysis
- Stream them into SIEM, SOAR, or ITSM tools such as Microsoft Sentinel for centralized monitoring and response
Defender for Cloud maps each alert to the MITRE ATT&CK tactic (and, where available, technique) it corresponds to, giving you context about the attacker's likely intent and where the activity fits in a typical attack chain.
How does Defender for Cloud prioritize alerts by severity?
Defender for Cloud assigns a severity level to each alert so you can prioritize your response. Severity is based on two main factors:
- What specifically triggered the alert
- How confident Defender for Cloud is that the activity reflects malicious intent
Here’s how to interpret each level:
1. High
- Meaning: There is a high probability that the resource is compromised.
- Confidence: High confidence in both the malicious intent and the underlying findings.
- Example: Detection of a known malicious tool such as Mimikatz, commonly used for credential theft.
- Recommended action: Investigate immediately and treat as a likely active threat.
2. Medium
- Meaning: Activity is probably suspicious and might indicate compromise.
- Confidence: Medium confidence in the analytic or finding, and medium to high confidence in malicious intent.
- Typical source: Often machine learning or anomaly-based detections.
- Example: A sign-in attempt from an unusual location.
- Recommended action: Investigate promptly, validate whether the behavior is expected, and adjust controls if needed.
3. Low
- Meaning: Activity might be benign or a blocked attack.
- Confidence: Defender for Cloud is not confident enough that the intent is malicious; the activity may be normal.
- Example: Clearing logs, which can be an attacker hiding tracks but is also a routine admin task.
- Recommended action: Review in context, especially if similar alerts cluster together, but these are generally lower priority.
4. Informational
- Meaning: On its own, the alert may not indicate a threat, but it can be important when correlated with other alerts.
- Role in incidents: Informational alerts often add context inside a broader security incident.
- Recommended action: Use them to enrich investigations rather than as standalone triggers for urgent response.
By using these severity levels, your security team can focus first on high and medium alerts while still keeping an eye on low and informational alerts for patterns over time.
How does Defender for Cloud correlate alerts into incidents and reduce noise?
Defender for Cloud is designed to help security teams move from reacting to isolated alerts to understanding complete attack stories.
1. From alerts to incidents
- A security incident is a collection of related alerts that together represent an attack or a meaningful security event.
- Incidents give you a single view of what happened, which resources were affected, and how the attacker moved through your environment.
- Some alerts in an incident may be low severity or informational on their own, but become important when viewed alongside other alerts.
2. Correlation across resources and tenants
- Defender for Cloud correlates alerts and contextual signals across different resources and even across Azure subscriptions.
- It uses AI algorithms to analyze sequences of alerts and identify prevalent attack patterns, rather than treating each alert as a standalone event.
- This approach helps distinguish between random noise and a coordinated attack sequence.
3. Additional context for investigations
- Incidents can include artifacts, related events, and other contextual information, depending on the threat type and your environment configuration.
- This context helps analysts reach a verdict faster: is this a real threat, and what should we do next?
4. Reducing false positives and tuning detections
Defender for Cloud relies on several ongoing efforts across Microsoft to improve detection quality:
- Security research and data science teams continuously monitor the global threat landscape.
- Threat intelligence is gathered from internal and external feeds, including Azure, Microsoft 365, consumer services like outlook.com and MSN.com, and shared intelligence from other providers.
- Signal sharing across Microsoft’s cloud and on-premises services provides a broad telemetry base.
- Detection tuning is performed by running algorithms on real customer datasets and validating results with customers. True and false positives are used to refine machine learning models.
5. Advanced analytics techniques
To detect real threats that might be missed by traditional signature-based tools, Defender for Cloud uses:
- Integrated threat intelligence to flag activity from known bad actors
- Behavioral analytics to compare activity against known malicious behavior patterns derived from large datasets
- Anomaly detection to build baselines specific to your environment and flag outliers that may represent security events
All of this work happens behind the scenes, so you benefit from updated detections and improved correlation without needing to take manual action. The result is fewer isolated alerts to triage and a clearer view of the incidents that matter most.
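To make the two ideas above concrete (triage by severity first, then group alerts that share a compromised entity into an incident so that Low and Informational alerts gain meaning from their neighbours), here is an added Python example. It is not Microsoft code and does not reproduce Defender for Cloud's actual correlation logic. The alert records are constructed sample data; their field names (systemAlertId, alertDisplayName, severity, intent, compromisedEntity, startTimeUtc) are an assumption loosely modeled on exported alert JSON, and the one-hour window and tactic ordering are illustrative assumptions as well.

```python
"""Severity-first triage and entity-based correlation of Defender for Cloud alerts.

Added example, not Microsoft code. ALERTS is constructed sample data whose field
names are an assumption loosely modeled on exported alert JSON. The one-hour
window and TACTIC_ORDER are illustrative assumptions, not the product's logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Higher number = triage first. Mirrors the four severity levels described above.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Rough ATT&CK tactic ordering, used only to narrate an incident as an attack chain.
TACTIC_ORDER = ["InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
                "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
                "Collection", "Exfiltration", "Impact"]

# Constructed sample alerts (assumption: shape resembles exported alert JSON).
ALERTS = [
    {"systemAlertId": "a1", "alertDisplayName": "Suspicious authentication activity",
     "severity": "Medium", "intent": "InitialAccess", "compromisedEntity": "vm-web-01",
     "startTimeUtc": "2024-05-01T08:00:00Z"},
    {"systemAlertId": "a2", "alertDisplayName": "Event log was cleared",
     "severity": "Low", "intent": "DefenseEvasion", "compromisedEntity": "vm-web-01",
     "startTimeUtc": "2024-05-01T08:20:00Z"},
    {"systemAlertId": "a3", "alertDisplayName": "Credential theft tool (Mimikatz-like) detected",
     "severity": "High", "intent": "CredentialAccess", "compromisedEntity": "vm-web-01",
     "startTimeUtc": "2024-05-01T08:35:00Z"},
    {"systemAlertId": "a4", "alertDisplayName": "Event log was cleared",
     "severity": "Low", "intent": "DefenseEvasion", "compromisedEntity": "vm-build-07",
     "startTimeUtc": "2024-05-01T13:00:00Z"},
    {"systemAlertId": "a5", "alertDisplayName": "Suspicious process name detected",
     "severity": "Informational", "intent": "Execution", "compromisedEntity": "vm-web-01",
     "startTimeUtc": "2024-05-01T08:05:00Z"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def prioritize(alerts):
    """Order alerts for triage: highest severity first, then oldest first."""
    return sorted(alerts, key=lambda a: (-SEVERITY_RANK[a["severity"]],
                                         parse_time(a["startTimeUtc"])))


def summarize(entity, cluster):
    """Collapse a time-ordered cluster of alerts on one entity into an incident record."""
    tactics = sorted({a["intent"] for a in cluster},
                     key=lambda t: TACTIC_ORDER.index(t) if t in TACTIC_ORDER else len(TACTIC_ORDER))
    top = max(cluster, key=lambda a: SEVERITY_RANK[a["severity"]])
    return {
        "entity": entity,
        "alertIds": [a["systemAlertId"] for a in cluster],
        "severity": top["severity"],          # incident inherits its worst alert
        "tactics": tactics,                   # chain in rough ATT&CK order
        "isIncident": len(cluster) > 1,       # a lone alert is not yet a story
    }


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts on the same compromised entity whose timestamps are within
    `window` of the previous alert in the group. Returns incident records,
    worst severity first."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a["compromisedEntity"]].append(a)
    incidents = []
    for entity, group in by_entity.items():
        group.sort(key=lambda a: parse_time(a["startTimeUtc"]))
        cluster = [group[0]]
        for a in group[1:]:
            gap = parse_time(a["startTimeUtc"]) - parse_time(cluster[-1]["startTimeUtc"])
            if gap <= window:
                cluster.append(a)
            else:
                incidents.append(summarize(entity, cluster))
                cluster = [a]
        incidents.append(summarize(entity, cluster))
    return sorted(incidents, key=lambda i: -SEVERITY_RANK[i["severity"]])


if __name__ == "__main__":
    for a in prioritize(ALERTS):
        print(f"{a['severity']:<13} {a['compromisedEntity']:<12} {a['alertDisplayName']}")
    for inc in correlate(ALERTS):
        print(inc)
```

Running it shows the point of correlation: the Low "Event log was cleared" alert on vm-web-01 lands inside a High incident alongside the Mimikatz-style detection, with a chain of InitialAccess, Execution, DefenseEvasion and CredentialAccess, whereas the identical Low alert on vm-build-07 stays a standalone item to review in context. Triage on severity alone would have ranked those two Low alerts equally.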