SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 1: Manage a Security Operations Environment Premium ⏱ ~11 min read

Defender XDR: Tune Your Alerts

A noisy SOC is an ineffective SOC. Learn how to configure email notifications for incidents and threat analytics, tune alert correlation, and create suppression rules in Microsoft Defender XDR.

Why alert tuning matters

☕ Simple explanation

Imagine a smoke detector that goes off every time you make toast. After a few weeks, you stop running to check. That’s alert fatigue, and it’s the number one enemy of a SOC.

Defender XDR generates alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and more. Without tuning, your analysts drown in noise and miss the real threats hiding in the flood.

Alert tuning has three parts: email notifications (who gets notified about what), suppression rules (silence known false positives), and correlation (group related alerts into a single incident instead of 15 separate ones).

Microsoft Defender XDR correlates alerts from multiple security products into unified incidents. However, the default configuration produces significant noise. Alert tuning involves:

  • Email notification rules: configure who receives email alerts for new incidents, completed automated actions, and threat analytics reports
  • Alert tuning: adjust alert classification, suppress known false positives, and configure correlation settings
  • Suppression rules: automatically suppress or resolve alerts matching specific criteria (alert title, MITRE technique, device group, user, etc.)

Effective tuning reduces alert volume by 40-70% while maintaining detection coverage, a common exam theme.

Email notifications

Defender XDR sends three types of email notifications:

1. Incident notifications

Notify specific people or groups when new incidents are created.

Configuration options for incident notifications:

  • Recipients: email addresses (individuals, distribution groups, mail-enabled security groups)
  • Severity filter: High, Medium, Low, Informational (select one or more)
  • Device group filter: notify only for incidents involving specific device groups
  • Service source: filter by product (MDE, MDO, MDI, MDCA)

2. Action notifications

Notify when automated investigation and response (AIR) completes an action: remediation succeeded, pending approval, or failed.

3. Threat analytics notifications

Notify when Microsoft publishes new threat analytics reports: intelligence on emerging threats, campaigns, and vulnerabilities.

💡 Scenario: James configures notifications for Pacific Meridian

James at Pacific Meridian sets up tiered notifications:

  • SOC team (all analysts) → High-severity incidents from all products
  • Security leads (James + Sarah) → High and Medium severity + all AIR actions needing approval
  • CISO → Threat analytics reports only (strategic awareness, not operational noise)
  • Server team → Incidents involving the “Servers” device group only

This ensures the right people see the right alerts without everyone getting everything.
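The tiered setup above can be checked mechanically. The following is an added example written for this guide (it is not the guide's own code and not a Microsoft API): it models the rule fields the page lists for incident notifications (notification type, severity filter, device-group filter, service-source filter) and applies James's four rules to a handful of constructed events. The rule and event shapes and the placeholder addresses are assumptions made for the illustration.

```python
"""Route the three Defender XDR e-mail notification types to recipients.

Added example for this study guide; not the guide's own code and not a
Microsoft API. Rule/event shapes and the addresses are assumptions.
"""
from dataclasses import dataclass, field

# The three notification types described on the page.
INCIDENT, ACTION, THREAT_ANALYTICS = "incident", "action", "threat_analytics"

# Constructed recipient addresses (placeholders, not real mailboxes).
SOC = "soc@pacificmeridian.example"
JAMES = "james@pacificmeridian.example"
SARAH = "sarah@pacificmeridian.example"
CISO = "ciso@pacificmeridian.example"
SERVER_TEAM = "server-team@pacificmeridian.example"


@dataclass
class NotificationRule:
    name: str
    recipients: set[str]
    kinds: set[str]                                      # subset of the three types
    severities: set[str] = field(default_factory=set)    # incidents only; empty = any
    device_groups: set[str] = field(default_factory=set) # incidents only; empty = any
    sources: set[str] = field(default_factory=set)       # MDE/MDO/MDI/MDCA; empty = any
    only_pending_approval: bool = False                  # actions only


def rule_matches(rule: NotificationRule, event: dict) -> bool:
    """True when the event passes every filter the rule sets."""
    if event["kind"] not in rule.kinds:
        return False
    if event["kind"] == INCIDENT:
        if rule.severities and event["severity"] not in rule.severities:
            return False
        if rule.device_groups and not (set(event.get("device_groups", ())) & rule.device_groups):
            return False
        if rule.sources and event.get("source") not in rule.sources:
            return False
    if event["kind"] == ACTION and rule.only_pending_approval:
        return event.get("status") == "pending_approval"
    return True


def recipients_for(rules, event) -> set[str]:
    """Union of recipients across all matching rules; no match means nobody is mailed."""
    out: set[str] = set()
    for rule in rules:
        if rule_matches(rule, event):
            out |= rule.recipients
    return out


# James's tiered configuration, as described in the scenario.
PACIFIC_MERIDIAN_RULES = [
    NotificationRule("SOC team", {SOC}, {INCIDENT}, severities={"High"}),
    NotificationRule("Security leads", {JAMES, SARAH}, {INCIDENT, ACTION},
                     severities={"High", "Medium"}, only_pending_approval=True),
    NotificationRule("CISO", {CISO}, {THREAT_ANALYTICS}),
    NotificationRule("Server team", {SERVER_TEAM}, {INCIDENT}, device_groups={"Servers"}),
]

# Constructed events, one or two per notification type.
SAMPLE_EVENTS = {
    "high_workstation_incident": {"kind": INCIDENT, "severity": "High", "source": "MDE",
                                  "device_groups": ["Workstations"]},
    "medium_server_incident": {"kind": INCIDENT, "severity": "Medium", "source": "MDE",
                               "device_groups": ["Servers"]},
    "informational_server_incident": {"kind": INCIDENT, "severity": "Informational",
                                      "source": "MDI", "device_groups": ["Servers"]},
    "air_pending_approval": {"kind": ACTION, "status": "pending_approval"},
    "air_completed": {"kind": ACTION, "status": "succeeded"},
    "threat_analytics_report": {"kind": THREAT_ANALYTICS, "title": "<constructed report>"},
}


def route_all(rules=PACIFIC_MERIDIAN_RULES, events=SAMPLE_EVENTS) -> dict[str, set[str]]:
    """Map each sample event name to the set of addresses that would be notified."""
    return {name: recipients_for(rules, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, who in route_all().items():
        print(f"{name:32} -> {sorted(who) or '(no notification)'}")
```

Running it shows the intended split: a High incident on workstations reaches the SOC and the leads but not the server team, a Medium incident on the Servers group reaches the leads and the server team but not the SOC, a completed AIR action mails nobody, and only the CISO receives the threat analytics report.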

Alert suppression rules

Suppression rules automatically handle alerts that are known false positives or expected behaviour. Instead of analysts manually closing the same alert 50 times a day, a suppression rule does it automatically.

What you can suppress on

Criteria, with an example of each:

  • Alert title: suppress “Suspicious PowerShell command line” when it matches a known admin script
  • MITRE ATT&CK technique: suppress all T1059 (Command and Scripting Interpreter) alerts from a specific device group
  • Device group: suppress certain alerts from the “Build Servers” group (expected CI/CD behaviour)
  • User: suppress alerts from a service account that performs automated tasks
  • File hash/name: suppress alerts triggered by a known-good executable

Suppression actions

  • Hide alert: the alert is created but hidden from the queue; it is still searchable in Advanced Hunting
  • Resolve alert: the alert is automatically marked as resolved with a chosen classification

💡 Exam tip: suppression vs tuning vs disabling

The exam distinguishes between:

  • Suppression rules: auto-resolve or hide specific alerts matching criteria. The detection still runs; the alert is just handled automatically.
  • Alert tuning (classification): change the severity or classification of an alert type (true positive, false positive, benign true positive). This adjusts how analysts prioritise, not whether the alert fires.
  • Disabling a detection: turns off the analytics rule or detection entirely. This is rarely the right answer because you lose visibility.

If a question asks “how to reduce noise from a known-safe activity,” the answer is usually a suppression rule, not disabling the detection.
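The distinction between suppressing and disabling is easiest to see with a small model. The block below is an added example for this guide (not the guide's own code and not a Microsoft API): every alert is still created and kept in a full store that stands in for Advanced Hunting; a matching suppression rule only hides it from the analyst queue or resolves it with a classification, whereas "disabling the detection" means the alert never exists. The rule fields mirror the criteria listed above (title, technique, device group, user, file hash); the alerts, hashes, rule names and the first-match-wins behaviour are assumptions constructed for the illustration, including Anika's 60 admin-script alerts from the scenario further down.

```python
"""Apply Defender XDR-style suppression rules to a stream of alerts.

Added example for this study guide; not the guide's own code and not a
Microsoft API. Alerts, hashes and rules are constructed.
"""
from dataclasses import dataclass
from typing import Optional

HIDE, RESOLVE = "hide", "resolve"
PS_TITLE = "Suspicious PowerShell command line"
ADMIN_SCRIPT_HASH = "sha256:<constructed-hash-of-known-admin-script>"


@dataclass
class SuppressionRule:
    name: str
    action: str                            # HIDE or RESOLVE
    classification: Optional[str] = None   # used with RESOLVE
    title: Optional[str] = None            # each criterion is optional; unset = wildcard
    technique: Optional[str] = None        # MITRE ATT&CK technique id, e.g. T1059
    device_group: Optional[str] = None
    user: Optional[str] = None
    file_hash: Optional[str] = None

    def matches(self, alert: dict) -> bool:
        """Every criterion that is set on the rule must equal the alert's value."""
        wanted = {
            "title": self.title, "technique": self.technique,
            "device_group": self.device_group, "user": self.user,
            "file_hash": self.file_hash,
        }
        return all(v is None or alert.get(k) == v for k, v in wanted.items())


def apply_suppression(alerts, rules):
    """Return (queue, store): what analysts see, and everything that was created."""
    store = []
    for alert in alerts:
        rec = dict(alert, status="New", hidden=False, classification=None, suppressed_by=None)
        for rule in rules:
            if rule.matches(rec):
                rec["suppressed_by"] = rule.name
                if rule.action == HIDE:
                    rec["hidden"] = True          # still in the store, not in the queue
                else:
                    rec["status"] = "Resolved"    # auto-closed with a classification
                    rec["classification"] = rule.classification
                break  # first matching rule wins (assumption for this model)
        store.append(rec)
    queue = [a for a in store if not a["hidden"] and a["status"] != "Resolved"]
    return queue, store


def with_detection_disabled(alerts, title):
    """The 'disable the detection' alternative: alerts with that title are never created."""
    return [a for a in alerts if a["title"] != title]


SAMPLE_RULES = [
    # Anika's rule: match the admin tool by file hash, not by title, so other
    # PowerShell alerts are untouched.
    SuppressionRule("Known admin tool", RESOLVE, classification="BenignPositive",
                    title=PS_TITLE, file_hash=ADMIN_SCRIPT_HASH),
    # The page's example: T1059 from the build servers is expected CI/CD behaviour.
    SuppressionRule("CI/CD scripting", HIDE, technique="T1059", device_group="Build Servers"),
]


def build_sample_alerts():
    """Constructed day of alerts: 60 admin-tool runs, 5 build-server hits, 3 unknowns."""
    alerts = [{"title": PS_TITLE, "technique": "T1059", "device_group": "Workstations",
               "user": "svc-admin", "file_hash": ADMIN_SCRIPT_HASH} for _ in range(60)]
    alerts += [{"title": "Script interpreter launched by build agent", "technique": "T1059",
                "device_group": "Build Servers", "user": "svc-build",
                "file_hash": f"sha256:<constructed-build-{i}>"} for i in range(5)]
    alerts += [{"title": PS_TITLE, "technique": "T1059", "device_group": "Workstations",
                "user": f"user{i}", "file_hash": f"sha256:<constructed-unknown-{i}>"}
               for i in range(3)]
    return alerts


def summary(alerts=None, rules=SAMPLE_RULES):
    """Counts that show the difference between suppressing and disabling."""
    alerts = build_sample_alerts() if alerts is None else alerts
    queue, store = apply_suppression(alerts, rules)
    return {
        "created": len(store),                      # nothing is lost from the store
        "in_queue": len(queue),
        "hidden": sum(a["hidden"] for a in store),
        "resolved": sum(a["status"] == "Resolved" for a in store),
        "created_if_detection_disabled": len(with_detection_disabled(alerts, PS_TITLE)),
    }


if __name__ == "__main__":
    print(summary())
```

With the constructed input, 68 alerts are created and 68 remain huntable, but only the 3 PowerShell alerts with an unknown hash reach the queue. Disabling the PowerShell detection instead would leave 5 alerts in existence and silently drop those 3 unknowns along with the 60 benign ones, which is the visibility loss the exam tip warns about.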

Alert correlation

Defender XDR automatically correlates alerts into incidents. Multiple related alerts become a single incident instead of separate items in the queue.

How correlation works

Defender XDR groups alerts when they share:

  • Entity overlap: same device, user, mailbox, or IP address
  • Time proximity: alerts occurring within a defined window
  • Attack chain logic: alerts that fit a known attack pattern (e.g., phishing email → credential compromise → lateral movement)

This correlation is platform-driven: Defender XDR handles it automatically based on its AI engine. You do not directly configure correlation rules or thresholds. However, you influence correlation indirectly through:

  • Entity mapping in custom detections and analytics rules (better mapping = better correlation)
  • Alert tuning (suppressing false positives means cleaner correlation)
  • Automated investigation triggers: which alert severities automatically start an investigation
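To make the first two signals concrete, here is an added example written for this guide. It is not the guide's own code and not the Defender XDR correlation engine, which is not configurable and whose internals are not public; it simply links two alerts when they share at least one entity (device, user, mailbox, IP) and fire within a window of each other, then treats each connected component of those links as one incident (union-find). The four-hour window, the alert shape and the three-user phishing campaign are assumptions constructed for the illustration.

```python
"""Group alerts into incidents by entity overlap and time proximity.

Added example for this study guide; not the guide's own code and not the
Defender XDR engine. The window and the campaign data are constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)                  # assumed correlation window
ENTITY_KEYS = ("device", "user", "mailbox", "ip")


def entities(alert):
    """Entity set of an alert, e.g. {('user', 'user1'), ('device', 'wks-1')}."""
    return {(k, alert[k]) for k in ENTITY_KEYS if alert.get(k)}


def correlate(alerts, window=WINDOW):
    """Return incidents as lists of alerts. Pairwise O(n^2); fine for a queue-sized n."""
    n = len(alerts)
    parent = list(range(n))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    ents = [entities(a) for a in alerts]
    for i in range(n):
        for j in range(i + 1, n):
            close = abs(alerts[i]["time"] - alerts[j]["time"]) <= window
            if close and ents[i] & ents[j]:
                parent[find(i)] = find(j)   # link: shared entity and within the window

    incidents = {}
    for i in range(n):
        incidents.setdefault(find(i), []).append(alerts[i])
    return list(incidents.values())


def build_campaign_alerts():
    """Constructed phishing campaign: 3 targeted users with 5 chained alerts each,
    plus one old alert on a campaign device that falls outside the time window."""
    base = datetime(2026, 1, 12, 9, 0)
    alerts = []
    for n in (1, 2, 3):
        user, dev, ip = f"user{n}", f"wks-{n}", f"203.0.113.{n}"    # TEST-NET-3 address
        t0 = base + timedelta(hours=n)
        chain = [
            ("Phishing email delivered", {"mailbox": user, "user": user}),
            ("Suspicious sign-in", {"user": user, "ip": ip}),
            ("Malicious link clicked", {"user": user, "device": dev}),
            ("Credential theft attempt", {"device": dev}),
            ("Lateral movement attempt", {"device": dev, "ip": ip}),
        ]
        for minutes, (title, ents) in zip((0, 5, 10, 20, 30), chain):
            alerts.append({"title": title, "time": t0 + timedelta(minutes=minutes), **ents})
    # Same device as user1's chain but two days earlier: entity overlap without time proximity.
    alerts.append({"title": "Unsigned driver loaded", "device": "wks-1",
                   "time": base - timedelta(days=2)})
    return alerts


def incident_sizes(alerts=None, window_hours=4):
    """Sorted incident sizes for the sample campaign (or any alert list)."""
    alerts = build_campaign_alerts() if alerts is None else alerts
    return sorted(len(inc) for inc in correlate(alerts, timedelta(hours=window_hours)))


if __name__ == "__main__":
    for inc in correlate(build_campaign_alerts()):
        print(len(inc), "alerts, entities:", sorted({e for a in inc for e in entities(a)}))
```

The 15 campaign alerts collapse into 3 incidents, one per targeted user, because each chain is held together by the shared user and then the shared device; the stale alert on wks-1 stays on its own despite the entity overlap, since it is days outside the window. Widening the window to 72 hours pulls it into user1's incident, which is why time proximity matters as much as entity overlap.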

Suppression removes noise; correlation organises what remains

  • Purpose. Suppression: remove known false positives from the queue. Correlation: group related alerts into a single incident.
  • Reduces alert count? Suppression: yes, alerts are hidden or auto-resolved. Correlation: yes, 15 related alerts become 1 incident.
  • Detection still runs? Suppression: yes, the detection fires but the alert is handled. Correlation: yes, each alert still fires; they are just grouped.
  • Configurable by. Suppression: alert title, MITRE technique, device group, user, file. Correlation: entity overlap, time window, attack chain logic.
  • Who manages it. Suppression: SOC analysts and leads create rules for known FPs. Correlation: mostly automatic; settings adjusted by SOC leads.

💡 Scenario: Anika reduces alert volume for a client

One of Anika’s MSSP clients at Sentinel Shield generates 200+ alerts per day. After analysis:

  • 60 alerts/day are PowerShell script executions from a known admin tool → Anika creates a suppression rule matching the script hash
  • 40 alerts/day are 15 related alerts from the same phishing campaign → already handled by correlation (grouped into ~3 incidents)
  • 30 alerts/day are low-severity informational alerts → Anika adjusts email notifications to exclude Informational severity

Result: the analyst queue drops from 200+ to ~70 actionable items per day. Detection coverage is unchanged.

Question

What are the three types of email notifications in Defender XDR?

Answer

1. Incident notifications: new incidents by severity, device group, and product. 2. Action notifications: automated investigation results (success, pending, failed). 3. Threat analytics notifications: new Microsoft threat reports.

Question

What is the difference between suppressing an alert and disabling a detection?

Answer

Suppression: the detection still runs, and the alert is created but automatically hidden or resolved based on criteria. Disabling: the detection rule is turned off entirely, and no alerts are generated. Suppression preserves visibility; disabling removes it.

Question

How does Defender XDR correlate alerts into incidents?

Answer

By entity overlap (same device, user, mailbox, IP), time proximity (alerts within a time window), and attack chain logic (alerts fitting known attack patterns like phishing → credential theft → lateral movement).

Knowledge Check

Anika's SOC team at Sentinel Shield receives 60 alerts per day from a known-safe admin PowerShell script. What is the best way to handle this?

Knowledge Check

James at Pacific Meridian wants his CISO to receive emails about emerging threat campaigns but NOT about individual incidents. Which notification type should he configure?

Next up: Alerts are tuned. Now let’s automate the response: Automated Investigation and Response (AIR) handles the heavy lifting so your analysts can focus on what matters.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.