March 31, 2023
Microsoft Security

Microsoft 365 Defender: Classifying alerts and incidents


This video explains why incident classification is a core SOC habit in Microsoft 365 Defender, and how to do it quickly while triaging the incident queue. It breaks down true positives versus false positives and highlights a third option, informational/expected activity (such as security testing), which keeps teams from tuning detections the wrong way. The demo then shows the exact workflow: from the incident queue, open an incident's side pane, select Manage incident, choose a determination (true positive, informational, or false positive), and add a comment documenting the decision. It also covers how an incident's classification flows down automatically to any of its alerts that are still unclassified, and how to classify alerts individually from the alerts queue using Manage alert when you need more granularity.
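The flow-down rule is the part of this workflow that most often surprises analysts, so here is a small model of it. This is an added, constructed example written for this page, not Microsoft code; it does not talk to the Defender portal or any API, and the incident, alert ids and comments are made up. It shows the three classification values the video names, the incident-level decision propagating only to alerts that are still unclassified, and an alert that was classified individually keeping its own verdict.

```python
"""Offline model of incident/alert classification flow-down in Microsoft 365
Defender. Constructed for illustration; not Microsoft code and not an API client.
"""
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    """The three classifications the video describes, plus 'not yet decided'."""
    UNCLASSIFIED = "unclassified"
    TRUE_POSITIVE = "true_positive"
    FALSE_POSITIVE = "false_positive"
    INFORMATIONAL = "informational_expected_activity"


@dataclass
class Alert:
    alert_id: str
    title: str
    classification: Classification = Classification.UNCLASSIFIED
    comment: str = ""


@dataclass
class Incident:
    incident_id: str
    alerts: list[Alert] = field(default_factory=list)
    classification: Classification = Classification.UNCLASSIFIED
    comment: str = ""


def classify_incident(incident: Incident, verdict: Classification, comment: str) -> list[str]:
    """Mirror 'Manage incident': record the verdict on the incident and push it
    down to every alert that has not been classified individually.
    Returns the ids of the alerts that inherited the verdict."""
    if not comment.strip():
        # The video stresses documenting the decision; treat a missing comment as an error.
        raise ValueError("a comment documenting the decision is required")
    incident.classification = verdict
    incident.comment = comment
    inherited = []
    for alert in incident.alerts:
        if alert.classification is Classification.UNCLASSIFIED:
            alert.classification = verdict
            alert.comment = f"inherited from incident {incident.incident_id}: {comment}"
            inherited.append(alert.alert_id)
    return inherited


def classify_alert(incident: Incident, alert_id: str, verdict: Classification, comment: str) -> Alert:
    """Mirror 'Manage alert': classify one alert on its own. An alert classified
    this way keeps its verdict even if the incident is classified later."""
    if not comment.strip():
        raise ValueError("a comment documenting the decision is required")
    for alert in incident.alerts:
        if alert.alert_id == alert_id:
            alert.classification = verdict
            alert.comment = comment
            return alert
    raise KeyError(f"alert {alert_id!r} is not part of incident {incident.incident_id}")


def summarize(incident: Incident) -> dict[str, str]:
    """Map each alert id to its current classification value, for review."""
    return {a.alert_id: a.classification.value for a in incident.alerts}


def build_sample_incident() -> Incident:
    """Constructed sample: a phishing-simulation incident that also swept in one
    alert the analyst believes is real. All ids and titles are made up."""
    return Incident(
        incident_id="INC-EXAMPLE-1",
        alerts=[
            Alert("alert-1", "Suspicious email link clicked"),
            Alert("alert-2", "Credential dumping tool observed"),
            Alert("alert-3", "Unusual sign-in after email click"),
        ],
    )


if __name__ == "__main__":
    inc = build_sample_incident()
    # Granular decision first: the one alert that is genuinely malicious.
    classify_alert(inc, "alert-2", Classification.TRUE_POSITIVE, "credential dump confirmed on host")
    # Then the incident-level decision, which only touches the unclassified alerts.
    inherited = classify_incident(inc, Classification.INFORMATIONAL, "authorized phishing simulation")
    print("inherited:", inherited)
    print(summarize(inc))
```

Classifying the real alert first and the incident second is deliberate: if the order were reversed, the informational verdict would have flowed down to all three alerts and the analyst would have to go back and re-classify the credential-dumping alert from the alerts queue.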

We produced this as a workflow-first explainer, the kind that helps teams adopt a repeatable habit rather than just understand a concept. We shaped the narrative around real triage pressure, captured the precise UI steps with clear callouts, and polished the edit so the process feels fast and doable. Final delivery includes closed captions, audio description, and thumbnails.
