Hello Jvlivemicro,
Thanks for posting your question in Microsoft Q&A!
Regarding how Microsoft Defender XDR and Azure Sentinel decide whether an alert is High, Medium, or Low severity, and whether there's a complete list of triggers for each level:
The severity of an alert depends on two main things:
- What kind of activity triggered the alert. Some activities, like seeing known malware or ransomware, are serious and get a High severity. Others, like unusual sign-ins or minor suspicious actions, might be Medium or Low.
- How confident Microsoft is that the alert shows a real threat. Alerts with strong evidence get higher severity, while those that might be false alarms or less clear get lower severity.
Examples:
- High severity means something very suspicious or dangerous happened, like a malware infection or a successful exploit.
- Medium severity means something odd or suspicious that could be a threat, but more checking is needed.
- Low severity means something minor or informational, like a blocked attack or routine admin action.
Microsoft doesn’t publish a full list of all triggers and their severities because the system constantly updates with new threat intelligence and detections.
Here are some helpful Microsoft docs if you want to learn more:
- How alerts are classified: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview#how-are-alerts-classified
- How to investigate alerts in Defender XDR: https://learn.microsoft.com/en-us/defender-xdr/investigate-alerts
- How to automate handling alerts in Sentinel: https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
Kindly let us know if the above helps or you need further assistance on this issue.
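An added example of how a SOC can act on the two factors named above (activity type as AlertSeverity, confidence as ConfidenceLevel) when triaging Sentinel alerts; this is not Microsoft's code, the sample rows are constructed, and the queue policy is an assumption chosen for illustration.

```python
"""Triage helper over Sentinel-style SecurityAlert rows (added example).

Field names AlertName, AlertSeverity, ConfidenceLevel and ProviderName
follow the Sentinel SecurityAlert table; the queue policy is assumed.
"""
from collections import Counter

# Constructed sample rows shaped like SecurityAlert records (not real alerts).
SAMPLE_ALERTS = [
    {"AlertName": "Ransomware behavior detected", "AlertSeverity": "High",
     "ConfidenceLevel": "High", "ProviderName": "MDATP"},
    {"AlertName": "Atypical travel", "AlertSeverity": "Medium",
     "ConfidenceLevel": "Low", "ProviderName": "IPC"},
    {"AlertName": "Suspicious PowerShell command line", "AlertSeverity": "Medium",
     "ConfidenceLevel": "High", "ProviderName": "MDATP"},
    {"AlertName": "Malware was blocked", "AlertSeverity": "Low",
     "ConfidenceLevel": "High", "ProviderName": "MDATP"},
    {"AlertName": "Custom connector alert", "AlertSeverity": "",
     "ConfidenceLevel": None, "ProviderName": "Custom"},
]

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CONFIDENCE_RANK = {"High": 2, "Medium": 1, "Low": 0}


def triage_bucket(alert):
    """Combine severity (what happened) with confidence (how sure) into a queue.

    Assumed policy: High goes straight to the incident queue; Medium is
    escalated only when confidence is High, otherwise it needs more checking;
    Low/Informational is batched; a row with no usable severity (e.g. from a
    custom connector) is flagged instead of silently sinking to the bottom.
    """
    sev = SEVERITY_RANK.get(alert.get("AlertSeverity") or "")
    conf = CONFIDENCE_RANK.get(alert.get("ConfidenceLevel") or "", -1)
    if sev is None:
        return "needs-normalization"
    if sev == 3:
        return "immediate"
    if sev == 2:
        return "escalate" if conf == 2 else "investigate"
    return "low-priority"


def prioritize(alerts):
    """Return (bucket, AlertName) pairs, highest severity and confidence first."""
    def key(a):
        return (SEVERITY_RANK.get(a.get("AlertSeverity") or "", -1),
                CONFIDENCE_RANK.get(a.get("ConfidenceLevel") or "", -1))
    return [(triage_bucket(a), a["AlertName"])
            for a in sorted(alerts, key=key, reverse=True)]


def bucket_counts(alerts):
    """Per-queue counts, useful for sizing what an automation rule would touch."""
    return Counter(triage_bucket(a) for a in alerts)
```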