updates

Author: diannegali

defender-xdr/irm-investigate-alerts-defender.md

@@ -131,9 +131,9 @@ The following alert classification mapping is used to sync the alert classificat
 
 |Microsoft Defender alert classification|Microsoft Purview Insider Risk Management alert classification|
 |:---|:---|
-|True positive|Confirmed|
-|Information, expected activity (benign positive)|Dismissed|
-|False positive|Dismissed|
+|True positive </br> Includes multi-staged attack, phishing, etc.|Confirmed|
+|Information, expected activity (benign positive) </br> Includes Ssecurity testing, confirmed activity, etc.|Dismissed|
+|False positive </br> Includes not malicious, not enough data to validate, etc.|Dismissed|
 
 For more information about alert statuses and classifications in Microsoft Defender XDR, see [Manage alerts in Microsoft Defender](investigate-alerts.md#manage-alerts).