It's really unclear how I should use these options in most typical circumstances. For instance, someone attempted to log in as one of our users, from another state. It wasn't the user, but the login was not successful due to MFA. So, the login wasn't technically compromised - the threat actor did not gain access to our tenant. But it wasn't "Safe" either - it was not initiated by an authorized user. Unless it was safe because it wasn't compromised? This is confusing!
I cannot simply dismiss the instance; I must choose compromised or safe. So, which is it?