The Microsoft Defender ATP Alerts analytic rule aggregates alerts from Microsoft Defender ATP to improve alert correlation and risk-based analysis. The rule processes incoming alert data, filtering out clean verdicts to focus on potential threats. It extracts relevant fields from the alerts such as source, file name, severity, process command line, IP address, registry key, and signatures. The severity of the alerts is mapped to a risk score that dynamically adjusts in the Enterprise Security context. The MITRE techniques are annotated at search time, enhancing the detection's contextualization with threat intelligence. This analytic aims to combine Microsoft ATP alerts with other data sources for comprehensive security monitoring without directly detecting new activities from raw alert data.