Security, Compliance, and Identity Blog

Microsoft Defender for Identity - new exclusion settings now in Public Preview

Ricky Simpson
Sep 22, 2021

As part of ongoing efforts to make all Microsoft Defender for Identity experiences and features available in Microsoft 365 Defender, the product group took the opportunity not just to lift and shift the exclusion configuration page, but to revamp the experience and make some new functionality available to security teams. This announcement confirms that these features are now available in public preview and will be made generally available soon.

First of all, the new home for the exclusion settings is the Settings area of Microsoft 365 Defender, under the Identities section:

Figure 1 - A screenshot of the Microsoft 365 Defender settings screen, highlighting the Identities section

You'll then see Excluded entities in the left-hand menu:

Figure 2 - A screenshot of the Microsoft Defender for Identity settings area, with the Excluded entities section highlighted

Under Excluded entities are two separate options. The first is Exclusions by detection rule, which you will be familiar with if you've worked with exclusions in Defender for Identity before. Any exclusions you currently have set up in the Defender for Identity portal will automatically be ported across to this area:

Figure 3 - An overview of any per-detection exclusions in the excluded entities area

You'll also see Global excluded entities, a new feature introduced as part of this rollout. Global exclusions let you define certain entities (IP addresses, subnets, devices, or domains) to be excluded across all of Defender for Identity's detections. Note that a global exclusion only takes effect in detections that identify that kind of entity: for example, if you exclude a device, the exclusion applies only to detections that include device identification.

In both sections, you'll find a search bar at the top of the screen. This quality-of-life improvement helps you quickly locate the particular detection you're looking for.

Figure 4 - A new search function at the top of each of the exclusion tables

Please check out the features for yourself in Microsoft 365 Defender (security.microsoft.com), and as always, we'd love your feedback on these changes. Leave a comment here and we'll strive to get back to you as quickly as possible.

Updated Sep 22, 2021
Version 1.0
  • Hmm... I think we're still needing a more granular exclude rule set, where we can exclude a particular user account doing something to or on particular devices for particular rules. I.e., Ignore any alerts raised for svc_vulnerabilityscanner running on Server001 for the Remote code execution attempt rule but raise an alert if svc_vulnerabilityscanner attempts a Remote code execution on Server002. Globally excluding across all rules might mean we miss something?
  • dcoffrin

    I've noticed our logs are full of MDI sensor errors when they attempt to connect to domains with which we have a domain trust. I assume excluding them here won't change this sensor behavior but will just exclude them from detections?