Security teams everywhere face the same challenge: too many alerts, too little time. Microsoft Defender for Cloud is designed to reduce noise and highlight what matters most, but there’s a feature many SOC teams overlook—the alert feedback loop. This simple capability doesn’t just send input back to Microsoft. With the right process, your SOC can turn feedback into a measurable signal, helping track alert quality, analyst workload, and areas for tuning.
What Is the Alert Feedback Loop?
At the bottom of every security alert in Defender for Cloud, you’ll find a small feedback panel. It offers two options:
✅ Useful
❌ Not useful
You can also add a short comment explaining your choice. This information is sent to Microsoft to improve detection quality, but it’s also a valuable dataset for your SOC—if you capture and analyze it systematically.
The loop works in two directions:
- For Microsoft: Feedback helps refine their detection algorithms and machine learning models, improving accuracy globally.
- For Your SOC: Feedback creates a structured record of how analysts perceive alerts. Over time, this allows you to measure:
  - Which alerts generate the most noise
  - How much analyst effort is spent on “not useful” alerts
  - Which categories of alerts are most valuable for your defense posture
How to Provide Feedback in the Portal
Getting started is simple:
1. Go to Security Alerts
   - Open Microsoft Defender for Cloud in the Azure portal.
   - Select Security alerts.
2. Open an Alert
   - Choose any alert from the list to open its details pane.
3. Provide Feedback
   - Scroll to the bottom of the pane.
   - Select Useful or Not useful.
   - (Optional) Add a comment such as “Pen test activity” or “Service account login.”
4. Submit
   - Click submit and your feedback is logged.

💡 Pro tip: Train analysts to use consistent language in comments. This makes later reporting much easier.
Where SOC Teams Can See the Feedback
Here’s the part most teams miss: feedback isn’t just for Microsoft—it’s accessible for you too. SOC teams can read and analyze the feedback loop in the following ways:
1. In the Portal
- Each alert keeps the feedback you submitted.
- When you revisit an alert in the portal, you can see whether it was rated useful or not useful and read the analyst’s comment.
- This helps SOC leads review analyst decisions directly in context.
2. Through Continuous Export
- Use Continuous Export in Defender for Cloud to send alerts to Log Analytics, Event Hub, or a Storage Account.
- Feedback metadata is included with the alert record.
- From here, SOC teams can:
  - Query feedback trends in Kusto Query Language (KQL).
  - Build Power BI dashboards showing % useful vs. not useful alerts.
  - Correlate feedback with analyst workload and alert categories.
3. Via APIs / PowerShell
- Feedback information can also be retrieved through the Az.Security PowerShell module or the Azure CLI.
- This is useful for teams that want to enrich ticketing systems (e.g. ServiceNow, Jira) with analyst feedback.
KQL example:

```kql
// Count "Not useful" ratings per alert name in 7-day buckets.
// The feedback column name depends on your export schema; Feedback_s is the name used here.
SecurityAlert
| where Feedback_s == "Not useful"
| summarize count() by AlertName, bin(TimeGenerated, 7d)
```
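To turn exported feedback into the per-alert noise figures described above, here is an added Python example (not code from the article or from Microsoft): it parses constructed Continuous Export records, folds free-text comments onto the recommended tag set, and ranks alerts by “Not useful” volume. The record shape and the field names AlertName, Feedback and FeedbackComment are assumptions; check them against your own export schema.

```python
import json
import re
from collections import Counter

# Constructed export records (NDJSON); field names are assumptions, check your own export schema.
SAMPLE_EXPORT = """\
{"AlertName":"Suspicious authentication activity","Feedback":"Not useful","FeedbackComment":"Pen test activity"}
{"AlertName":"Suspicious authentication activity","Feedback":"Not useful","FeedbackComment":"pentest - red team window"}
{"AlertName":"Suspicious authentication activity","Feedback":"Useful","FeedbackComment":""}
{"AlertName":"Suspicious authentication activity","Feedback":"Not useful","FeedbackComment":"ServiceAccount"}
{"AlertName":"Unusual admin account created","Feedback":"Not useful","FeedbackComment":"AdminActivity: planned onboarding"}
{"AlertName":"Malicious process detected","Feedback":"Useful","FeedbackComment":"Confirmed malware"}
{"AlertName":"Malicious process detected"}
"""

# Free-text comments are folded onto the fixed tag set; matching uses a lowercased, punctuation-free copy.
TAG_PATTERNS = [("pentest", "PenTest"), ("serviceaccount", "ServiceAccount"), ("admin", "AdminActivity")]

def normalize_tag(comment):
    """Standard tag for a comment, 'Other' if nothing matches, None if the comment is empty."""
    compact = re.sub(r"[^a-z0-9]", "", comment.lower())
    if not compact:
        return None
    return next((tag for needle, tag in TAG_PATTERNS if needle in compact), "Other")

def load_records(ndjson):
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def summarize(records):
    """Per alert name: useful / not-useful counts, % not useful, and a histogram of comment tags."""
    summary = {}
    for rec in records:
        rating = rec.get("Feedback")
        if rating not in ("Useful", "Not useful"):
            continue  # closed without a rating: skip rather than count as useful
        entry = summary.setdefault(rec["AlertName"], {"useful": 0, "not_useful": 0, "tags": Counter()})
        entry["not_useful" if rating == "Not useful" else "useful"] += 1
        if (tag := normalize_tag(rec.get("FeedbackComment", ""))):
            entry["tags"][tag] += 1
    for entry in summary.values():
        total = entry["useful"] + entry["not_useful"]
        entry["pct_not_useful"] = round(100.0 * entry["not_useful"] / total, 1)
    return summary

def noisiest(summary, top=3):
    return sorted(summary, key=lambda n: summary[n]["not_useful"], reverse=True)[:top]

if __name__ == "__main__":
    report = summarize(load_records(SAMPLE_EXPORT))
    for name in noisiest(report):
        print(f"{name}: {report[name]['pct_not_useful']}% not useful, tags={dict(report[name]['tags'])}")
```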
Best Practices
- Make feedback mandatory: Analysts should always select useful/not useful when closing alerts.
- Standardize comments: Use a fixed set of tags like PenTest, AdminActivity, ServiceAccount to enable structured reporting.
- Review monthly: SOC leads should review feedback trends alongside MTTR and incident closure rates.
- Close the loop internally: Use feedback data in Power BI dashboards to prioritize tuning efforts.
Conclusion
The Defender for Cloud alert feedback loop is more than just a button at the bottom of an alert. It’s a mechanism to improve global detection models and a tool for your SOC to measure the quality of its alerts. By capturing, analyzing, and reporting on feedback, you transform subjective analyst clicks into a powerful signal for continuous improvement.
So next time you investigate an alert, don’t just resolve it—close the loop.