If Every Alert Is Important, None Are: Designing Security Reports That Drive Decisions
Derek Morgan
The 2025 Pulse of the AI SOC Report, based on responses from 739 security professionals, captured a familiar problem in one line: alert fatigue is a business problem. The cost shows up everywhere. Senior analysts quit. Detection rules go untuned because nobody has time to look at them. CISOs walk into board meetings carrying 40-page reports that nobody reads.
There is a simpler version of the same report. One page. Five numbers. Each number tied to a decision the reader is accountable for.
Most security teams have both versions. The 40-page export exists because the platform makes it easy to produce. The 1-page version exists because someone, at some point, sat down and decided what the report was for. That second decision is the work.
This article is for the security architect and the CISO who own that work together.

Three design choices that separate a useful report from a useless one
Set severity before the report runs. Microsoft Defender XDR classifies every alert as Informational, Low, Medium, or High. The severity is driven by what kind of activity triggered the alert and how confident Microsoft Defender XDR is that the alert represents a true threat. High severity covers confirmed malware, ransomware, and successful exploits. Medium covers suspicious activity that needs analyst review. Low and Informational cover blocked attacks, routine admin actions, and minor events (Microsoft Learn, Investigate alerts in Microsoft Defender XDR).
A report that pulls every severity into a CISO dashboard buries the High severity stories under thousands of Informational rows. The severity floor is a design choice the architect makes before the query runs. A filter applied after the fact will not rescue a report that was scoped wrong from the start.
Pick metrics that name a decision. Volume metrics are easy to produce: alerts triaged, phishing emails blocked, sign-in failures by user. The metrics worth shipping name a decision the reader can act on:
Mean time to detect (MTTD) and mean time to respond (MTTR). The decision: where to invest in detection engineering versus response automation.
Percent of incidents auto triaged by Microsoft Security Copilot. The decision: how many analyst hours the SOC can redirect to threat hunting.
Percent of analyst hours spent on confirmed incidents versus false positives. The decision: which detection rules to tune next.

Track queue shape over time. Defender XDR ships with built-in alert tuning rules that suppress common benign activity without affecting automated investigation and response. Microsoft Security Copilot adds automated triage on top. The shape of the inbound queue changes every quarter as more activity moves to automation. Reporting has to follow that shift. If 60 percent of incidents close without human touch, the weekly SOC report should track the 40 percent that needed human review, and the false positive rate inside that 40 percent. Reporting against the full inbound count overstates throughput in the short term and understates risk to the CISO in the long term.
The business case for designing reports the right way
Three failure modes show up when reports do not drive decisions.
The first is wrong investment. Boards approve what they can see. A quarterly readout dominated by blocked phishing counts pushes the next budget cycle toward more email filtering. The identity gap that is actually the larger exposure stays unfunded.
The second is wrong risk posture. The Mandiant M-Trends 2026 report, covering calendar year 2025, put global median dwell time at 14 days, up from 11 the year before. M-Trends 2026 also reports internal detection rose to 52 percent in 2025, up from 43 percent in 2024, meaning roughly half of compromises are still surfaced by someone outside the affected organization. Dwell time is the most expensive metric in security operations because it scales lateral movement, which scales recovery cost. Stretching mean dwell time from 7 days to 30 days does not multiply cost linearly. It multiplies blast radius.
The third is analyst attrition. A SOC that spends 70 percent of its hours on false positives loses its senior people first. Replacement cost for a senior analyst typically runs between half and twice annual salary by the time recruiting, ramp, and lost productivity are accounted for (SHRM).
A short, sourced example of how reporting design changes the story. Defender XDR ships with built-in alert tuning rules that suppress common benign activity without affecting automated investigation and response (Microsoft Learn, Investigate alerts in Microsoft Defender XDR). A weekly SOC report that queries the unfiltered alert queue counts the suppressed events as work. A report that queries the post-tuning queue counts only what an analyst actually had to look at. Same telemetry. Two reports. Two completely different budget conversations.
A rubric you can apply this week
The rubric is 4 questions. Every report you produce should answer all 4 in 1 sentence each.
Who reads it? Name the specific role. Team labels are too broad. A board reader is not a CISO is not a SOC lead.
What decision does the reader make from it? If the answer is "be aware," kill the report.
What cadence matches that decision? Real time for analyst queues. Daily for SOC operations. Weekly for SOC leadership. Monthly for CISO. Quarterly for the board.
What severity floor does this audience need? Higher in the org chart means a higher floor.

Apply the audience matrix the same way every time. The SOC analyst works the real time queue at Informational and above, no static report. The SOC lead gets a daily 1-page view at Medium and above, plus a weekly 2-to-3-page view at Low and above for trend lines. The CISO gets a monthly 1-page view at High and above, with Medium severity included only as a trend. The executive committee gets a quarterly 1-page view at High only, scoped to investment decisions and risk acceptance. The board gets a quarterly half-page to 1-page view of material incidents. Each tier's severity floor is set by what the reader can act on, which is why the analyst queue should never be the same artifact as a board readout.
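As an added example (not code from the article or from the linked repository), the following Python applies the per-audience severity floors from the matrix above before anything is aggregated, then computes the queue-shape metrics the article recommends: percent auto-triaged, false positive rate inside the human-reviewed slice, and MTTD/MTTR. The role keys, the Incident record fields and the sample queue are constructed assumptions, not Defender XDR's schema or real telemetry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
# Severity ordering from the Defender XDR model the article describes.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Severity floor per audience, from the article's matrix (the role keys are assumed labels).
AUDIENCE_FLOOR = {"soc_analyst": "Informational", "soc_lead_daily": "Medium",
                  "soc_lead_weekly": "Low", "ciso": "High", "exec_committee": "High"}

@dataclass
class Incident:                # constructed record shape, not Defender XDR's schema
    severity: str
    created: datetime          # first activity in the telemetry
    detected: datetime         # alert raised
    resolved: datetime         # incident closed
    auto_closed: bool          # closed by automation with no human touch
    true_positive: bool        # analyst disposition after review

def for_audience(incidents, audience):
    """Scope by severity floor before aggregating; a filter applied afterwards cannot fix the scope."""
    floor = SEVERITY_RANK[AUDIENCE_FLOOR[audience]]
    return [i for i in incidents if SEVERITY_RANK[i.severity] >= floor]

def queue_shape(incidents):
    """Decision metrics: auto-triage share, FP rate inside the human-reviewed slice, MTTD, MTTR."""
    human = [i for i in incidents if not i.auto_closed]
    hrs = lambda a, b: (b - a).total_seconds() / 3600
    auto_pct = 100 * (len(incidents) - len(human)) / len(incidents) if incidents else 0.0
    fp_pct = 100 * sum(not i.true_positive for i in human) / len(human) if human else 0.0
    return {"total": len(incidents),
            "pct_auto_triaged": round(auto_pct, 1),
            "pct_fp_in_human_queue": round(fp_pct, 1),
            "mttd_hours": round(mean(hrs(i.created, i.detected) for i in human), 1) if human else 0.0,
            "mttr_hours": round(mean(hrs(i.detected, i.resolved) for i in human), 1) if human else 0.0}

def report(incidents, audience):
    """One audience's numbers: severity floor applied first, then the queue-shape metrics."""
    return queue_shape(for_audience(incidents, audience))

def sample_incidents():
    """Constructed sample queue, not real telemetry: (severity, detect lag h, respond h, auto, tp)."""
    t0 = datetime(2025, 1, 6, 9, 0)
    rows = [("Informational", 0, 0, True, False), ("Informational", 0, 0, True, False),
            ("Low", 1, 2, True, False), ("Low", 2, 4, False, False), ("Low", 0, 0, True, False),
            ("Medium", 4, 8, False, False), ("Medium", 6, 12, False, True), ("Medium", 2, 6, True, False),
            ("High", 24, 48, False, True), ("High", 48, 72, False, True)]
    return [Incident(sev, t0 + timedelta(hours=n), t0 + timedelta(hours=n + lag),
                     t0 + timedelta(hours=n + lag + resp), auto, tp)
            for n, (sev, lag, resp, auto, tp) in enumerate(rows)]
```

Running `report(sample_incidents(), a)` for each audience shows the same ten incidents producing a 50 percent auto-triage figure for the analyst queue and a 0 percent figure for the CISO view, which is the point: the floor, not the telemetry, decides what the reader sees.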
That structure produces a short kill list of reports that almost always fail the test:
All alerts in the last 30 days. Unspecified reader, unspecified decision.
All sign-in failures by user. Volume metric, no analyst action at scale.
Endpoint compliance percentage with no target. A number without a threshold is not a decision input.
Top users by data download volume outside an active investigation. Without context, this is surveillance.
Total alerts triaged. Replace with MTTD and MTTR.
Phishing emails blocked this month. The board reader cannot change the number.
The full rubric, the audience by cadence by decision type matrix, the recommended outcome metrics by audience, severity floor guidance grounded in the Microsoft Defender XDR severity model, and 2 starter templates (a board quarterly readout and a CISO monthly review) are on GitHub at the Cloud Harbor Consulting M365 Security Frameworks repository: github.com/Cloud-Harbor-Consulting-LLC/M365-Security-Frameworks/tree/main/Frameworks/Security-Reporting-Decision-Rubric. MIT licensed. Fork it, cut what does not apply, send a pull request if you would add a metric.
Closing
Reporting is a design discipline. Every report you keep should inherit a decision owner, a cadence, and a severity floor. Reports that fail any of those tests are overhead, and overhead in security operations costs analyst hours that should be going into detection engineering and threat hunting.
The business case is the same one the CISO has been making for years. Wrong reports produce wrong investments. Wrong investments stretch dwell time. Stretched dwell time multiplies recovery cost. Tightening the reporting layer is the cheapest single intervention available to a security program, because it costs almost nothing to kill a report, and the analyst hours it returns are the most expensive hours on the SOC payroll.
Pick one report this week. Run it through the 4 questions. If it fails, kill it. That is the whole exercise.