Microsoft Security Experts Blog

How Microsoft Defender Experts uses AI to cut through the noise

ShailyGoel, Microsoft
Aug 14, 2025

Today’s security teams are overwhelmed by security incidents. With thousands of signals pouring in daily, SOC analysts are often buried under noise: alerts and events, many of which are false positives or benign. Noise consumes precious time and focus, which can delay response to real threats and put organizations at risk.

Microsoft Defender Experts manages and investigates incidents for some of the world’s largest organizations. We understand the challenges facing our customers and are always looking for ways to respond more quickly and scale our services to meet their needs.

Teaching AI to think like a security expert  

We're leveraging AI to help Defender Experts expand our services and respond even faster to threats facing our customers.  

AI-based incident classification allows us to filter noise up front without compromising on detecting real threats. This AI-based capability is trained by security experts, built for precision, and designed to scale and act at speed. 

Our approach doesn't just rely on static rules or traditional filtering. Instead, our AI is powered by insights from hundreds of thousands of real investigations conducted by Defender Experts security analysts. These investigations form a goldmine of expert knowledge—how analysts think, what signals they trust, and how they separate benign and false positives from true threats. 

We use this historical intelligence to evaluate each new incident. AI-based incident classification looks at signals such as the evidence in the incident, tenant details, context from IOCs, and threat intelligence (TI), and uses a similarity algorithm to compare the new incident against past incidents with known outcomes, deciding whether it closely resembles past true positives, false positives, or benign activity. When the similarity score for an outcome reaches a set threshold, the system confidently assigns that grade.

If the pattern matches past false positives, the system downgrades the incident as noise. If the pattern resembles a known higher-risk threat, it escalates the incident faster. This lets us focus first on what matters most, true and actionable threats, which results in quicker response times for our customers.

Human-centric and safe 

We know that trust is everything in cybersecurity. So even though AI helps us filter noise, we've built guardrails to make sure no real threats are missed: 

  • Tiered decisioning: Incidents that are classified as noise are reviewed by Defender Experts analysts to confirm that they match the classification and the other criteria for noise.
  • Feedback loops: For continuous learning, anything classified as noise is sent to an analyst for validation so that no true threat is accidentally missed. Their feedback continuously improves the system.
  • Transparency: Classification decisions are visible, helping analysts understand why something is or is not marked as noise.
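The similarity-based grading described above, together with the tiered-decisioning and feedback-loop guardrails, can be illustrated with a small nearest-neighbour grader. This is an added example, not Microsoft's implementation; the signal weights, thresholds, verdict labels, routing names and the sample incident history are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    tenant: str          # tenant identifier (placeholder values in the sample data)
    alerts: frozenset    # alert titles / evidence types
    iocs: frozenset      # indicators observed in the incident
    ti_tags: frozenset   # threat-intel tags attached to those indicators

# Assumed weights over the signal groups the post names: evidence, IOC context, TI, tenant.
WEIGHTS = {"alerts": 0.4, "iocs": 0.3, "ti_tags": 0.2, "tenant": 0.1}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def similarity(x, y):
    # Weighted similarity in [0, 1] between two incidents.
    return (WEIGHTS["alerts"] * jaccard(x.alerts, y.alerts)
            + WEIGHTS["iocs"] * jaccard(x.iocs, y.iocs)
            + WEIGHTS["ti_tags"] * jaccard(x.ti_tags, y.ti_tags)
            + WEIGHTS["tenant"] * (x.tenant == y.tenant))

def classify(new, history, k=3, sim_threshold=0.6, vote_threshold=0.7):
    """history: list of (Incident, verdict) from past analyst investigations."""
    neighbours = sorted(((similarity(new, h), v) for h, v in history),
                        key=lambda sv: sv[0], reverse=True)[:k]
    if not neighbours:
        return {"grade": None, "route": "analyst_triage", "top_similarity": 0.0}
    top_sim = neighbours[0][0]
    total = sum(s for s, _ in neighbours) or 1.0
    support = {}
    for s, v in neighbours:                       # similarity-weighted vote
        support[v] = support.get(v, 0.0) + s / total
    verdict, share = max(support.items(), key=lambda kv: kv[1])
    # Guardrail 1: grade only when the closest match is near and the neighbours agree.
    if top_sim < sim_threshold or share < vote_threshold:
        return {"grade": None, "route": "analyst_triage", "top_similarity": top_sim}
    # Guardrail 2: a noise grade is not a close; it is queued for analyst validation.
    route = "escalate" if verdict == "true_positive" else "noise_review"
    return {"grade": verdict, "route": route, "top_similarity": top_sim}

# Constructed past investigations with their analyst verdicts (tenant ids are placeholders).
HISTORY = [
    (Incident("tenant-A", frozenset({"Suspicious PowerShell", "Encoded command"}),
              frozenset({"hash-A"}), frozenset({"commodity-malware"})), "true_positive"),
    (Incident("tenant-B", frozenset({"Scheduled backup task created"}),
              frozenset({"backup.exe"}), frozenset()), "false_positive"),
    (Incident("tenant-B", frozenset({"Scheduled backup task created", "Service installed"}),
              frozenset({"backup.exe"}), frozenset()), "false_positive"),
]
```

An incident that only partially resembles past cases falls below the similarity threshold and is left to normal analyst triage, while a close match to past false positives is graded as noise but still lands in the analyst validation queue rather than being closed outright.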

This approach strikes the right balance. AI does the heavy lifting up front, and our human security experts remain firmly in control of what is investigated. 

Quicker response for our customers 

AI-based incident classification in Defender Experts: 

  • 50% of noise is automatically triaged by AI-based incident classification with 100% precision.
  • Our experts respond faster to meaningful threats in our customers’ environments.

“We no longer waste time chasing dead ends. The system helps us focus on what truly matters and our customers appreciate how quickly we can respond.” — Defender Experts Tier 2 Analyst

What’s next? 

We’re continuing to refine this system with more granular risk scoring per entity, deeper tenant-based similarity correlation, IOC-based weighting, and additional real-time feedback from Defender Experts analysts.

Final thoughts  

AI alone isn’t the answer—but AI guided by experts is a force multiplier. With AI-based incident classification, Defender Experts is showing what the future of SOCs can look like: faster, smarter, safer, and scalable. 

AI-based classification has helped remove 50% of the noise from the analyst queue with 100% accuracy, saving analyst time so they can focus on what matters most.

If you're a Defender Experts customer, you’re already seeing the benefit of quicker response times to true security threats. 

If you're a security leader struggling with alert overload, Microsoft Defender Experts for XDR, Microsoft’s MXDR (managed extended detection and response) service, can deliver around-the-clock, expert-led protection.

For more information, please visit Microsoft Defender Experts for XDR | Microsoft Security 

Updated Aug 14, 2025
Version 2.0