﻿---
title: Microsoft Defender XDR Alert External Alerts
description: Generates a detection alert for each Microsoft Defender XDR alert written to the configured indices. Microsoft Defender emits multiple update events for...
url: https://www.elastic.co/elastic/docs-builder/docs/3655/reference/security/prebuilt-rules/rules/promotions/m365_defender_alert_external_alerts
products:
  - Elastic Security
---

# Microsoft Defender XDR Alert External Alerts
Generates a detection alert for each Microsoft Defender XDR alert written to the configured indices. Microsoft Defender
emits multiple update events for the same alert over its lifecycle, all sharing a stable alert identifier. This rule
suppresses those update events so that a single, continuous Elastic alert is maintained per Defender alert rather than a
new alert per update. Enabling this rule allows you to immediately begin investigating Microsoft Defender XDR alerts in
the app.
**Rule type**: query
**Rule indices**:
- logs-m365_defender.alert-*

**Rule Severity**: medium
**Risk Score**: 47
**Runs every**: 1m
**Searches indices from**: `now-2m`
**Maximum alerts per execution**: 1000
**References**:
- [[https://docs.elastic.co/en/integrations/m365_defender](https://docs.elastic.co/en/integrations/m365_defender)](https://docs.elastic.co/en/integrations/m365_defender)

**Tags**:
- Data Source: Microsoft Defender XDR
- Use Case: Threat Detection
- Resources: Investigation Guide
- Promotion: External Alerts

**Version**: 1
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Setup


### Microsoft Defender XDR Alert Integration

This rule is designed to capture alert events generated by the Microsoft Defender XDR integration and promote them as Elastic detection alerts.
To capture Microsoft Defender XDR alerts, install and configure the Microsoft Defender XDR integration to ingest alert events into the `logs-m365_defender.alert-*` index pattern.

### Alert suppression and the Defender update lifecycle

Microsoft Defender writes multiple update events per alert during its lifecycle, all sharing the same stable identifier (`m365_defender.alert.id`, copied to `event.id`). This rule suppresses on that identifier so updates accumulate into one Elastic alert. Note the following alert suppression semantics:
- Suppression applies going forward from when the suppressing alert is created; it does not retroactively merge alerts created before the rule was enabled.
- Updates are aggregated into the existing alert only while that alert is open and within the suppression window. If an analyst closes the suppressing alert, a later Defender update will open a new Elastic alert.
- The suppression window (default 1 day) is tunable. Size it to your environment's typical Defender alert lifecycle; extending it keeps a single alert open longer but delays new-alert creation for late updates.


### Avoiding duplicate alerts

To avoid double-counting, enable either this alert-level rule or the Microsoft Defender XDR Incident External Alerts rule (incident-level), not both: a Defender incident's child alerts appear in both data streams. Choose incident-level for the least noise (one Elastic alert per Defender incident) or alert-level for finer-grained, per-alert triage.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).

## Investigation guide


## Triage and analysis


### Investigating Microsoft Defender XDR Alert External Alerts

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. The alert data stream (`logs-m365_defender.alert-*`) carries pre-correlated alerts already triaged by Defender. This rule promotes each Defender alert into an Elastic detection alert so analysts can investigate without leaving the app.
Microsoft Defender emits several update events for the same alert as its status, classification, and evidence evolve. Every update shares the same stable Defender alert identifier (`m365_defender.alert.id`, which the integration also copies into `event.id`). The rule groups on that identifier so subsequent updates accumulate into the existing Elastic alert rather than creating duplicates.
If you also collect Microsoft Defender alerts through the Microsoft 365 Unified Audit Log (`logs-o365.audit-*`) rather than the native integration data stream, the M365 Defender Alerts Signal (UAL) building block rule (rule_id: 054853f3-2ce0-41f3-a6eb-4a4867f39cdc) generates correlation signals from that source and can be used alongside this promotion rule.

### Possible investigation steps

- Review `m365_defender.alert.title`, `m365_defender.alert.category`, and `m365_defender.alert.threat_display_name` to understand what Defender detected.
- Pivot to the Defender portal using `m365_defender.alert.incident_web_url.original` for the full evidence graph, process tree, and remediation status.
- Examine the evidence fields under `m365_defender.alert.evidence.*` (host, file, process, user account, URL, sender) to scope the impacted entities.
- Check `m365_defender.alert.incident_id` to correlate the alert with its parent Defender incident and any sibling alerts.
- Review `m365_defender.alert.status` and `m365_defender.alert.classification` to see whether Defender has already resolved or classified the alert.


### False positive analysis

- Defender alerts are pre-correlated and tuned by Microsoft, so true false positives are uncommon. When they occur, confirm with the responsible team before excluding.
- Alerts involving known and trusted administrative tools, security assessments, or scheduled automation may be benign. Validate intent before adding an exception.
- Use `m365_defender.alert.classification` and `m365_defender.alert.determination` to filter out activity Defender itself has marked as a false positive.


### Response and remediation

- Isolate affected endpoints or disable affected accounts if malicious behavior is confirmed.
- Use the Defender portal to action native response options (quarantine, automated investigation, account remediation) for the alert.
- Investigate how the threat entered the environment and close any exploited gaps.
- Reset credentials for compromised accounts or escalate to incident response.
- Document the findings and tune the upstream Defender policy or add an Elastic exception as appropriate.


## Rule Query

```kuery
event.kind: alert and data_stream.dataset: m365_defender.alert
```