Microsoft Defender XDR Blog

Boost your detection and response workflows with alert tuning

Idan_Pelleg (Microsoft)
May 22, 2023

As cyber threats become more sophisticated and frequent, organizations need to be vigilant in monitoring their digital assets for potential security breaches.


Microsoft 365 Defender is an XDR platform that delivers a unified investigation and response experience and provides native protection across endpoints, hybrid identities, email, collaboration tools, and cloud applications with centralized visibility, powerful analytics, and automatic attack disruption.


Today we are excited to introduce alert tuning in Microsoft 365 Defender to help security teams detect and respond to potential security threats even more effectively.


Alert tuning enhances how organizations monitor alerts and incidents. It enables analysts to set specific criteria to resolve alerts automatically using different attributes such as user, device, file, or app for all Microsoft 365 Defender sources. This feature makes it easier to calibrate alerts and keep the list of active incidents focused on the most relevant and critical issues.
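As an added example (not Microsoft's code and not the product's implementation), the following Python model shows how condition-based tuning rules of the kind described above can auto-resolve alerts: a rule is a set of attribute conditions that must all hold, optionally scoped to an alert source, and the first matching rule resolves the alert. The operators (`equals`, `ends_with`, `in`), attribute names and sample alerts are assumptions constructed for illustration; the student/staff domain split and the list of phishing-simulation domains mirror the scenarios raised in the comments below.

```python
from __future__ import annotations

# Added example: a toy model of condition-based alert tuning. It is NOT
# Microsoft 365 Defender code; operators, attribute names and sample alerts
# are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Optional

# Comparison operators the model supports (assumed, not the product's list).
# Comparisons are case-insensitive, as domain names are.
OPERATORS: dict[str, Callable[[str, object], bool]] = {
    "equals": lambda actual, expected: actual.casefold() == str(expected).casefold(),
    "ends_with": lambda actual, expected: actual.casefold().endswith(str(expected).casefold()),
    "in": lambda actual, expected: actual.casefold() in {str(v).casefold() for v in expected},
}


@dataclass(frozen=True)
class Condition:
    attribute: str   # alert attribute, e.g. "account_domain", "device_name", "file_sha256"
    operator: str    # key of OPERATORS
    value: object    # expected value, or a collection of values for "in"


@dataclass(frozen=True)
class TuningRule:
    name: str
    conditions: tuple[Condition, ...]
    # Restrict the rule to certain alert types; None means any source.
    alert_types: Optional[frozenset[str]] = None

    def matches(self, alert: dict[str, object]) -> bool:
        """All conditions must hold (AND); a missing attribute never matches."""
        if self.alert_types is not None and alert.get("alert_type") not in self.alert_types:
            return False
        for cond in self.conditions:
            actual = alert.get(cond.attribute)
            if actual is None or not OPERATORS[cond.operator](str(actual), cond.value):
                return False
        return True


def apply_tuning(alerts: list[dict[str, object]], rules: list[TuningRule]) -> dict[str, tuple[str, Optional[str]]]:
    """Return {alert_id: (status, rule_name)}; the first matching rule resolves the alert."""
    outcome: dict[str, tuple[str, Optional[str]]] = {}
    for alert in alerts:
        status, rule_name = "active", None
        for rule in rules:
            if rule.matches(alert):
                status, rule_name = "resolved", rule.name
                break
        outcome[str(alert["id"])] = (status, rule_name)
    return outcome


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {"id": "A1", "alert_type": "identity_risk", "account": "s12345@students.school.edu.au",
     "account_domain": "students.school.edu.au"},
    {"id": "A2", "alert_type": "identity_risk", "account": "jdoe@school.edu.au",
     "account_domain": "school.edu.au"},
    {"id": "A3", "alert_type": "phishing_email", "sender_domain": "phish-sim-vendor.example",
     "recipient_domain": "school.edu.au"},
    {"id": "A4", "alert_type": "malware", "device_name": "lab-pc-07",
     "file_sha256": "0" * 64},  # placeholder hash, not a real IoC
]

# Known phishing-simulation domains (constructed placeholders); one "in"
# condition covers the whole list instead of one rule per domain.
SIMULATION_DOMAINS = ("phish-sim-vendor.example", "training-mail.example")

RULES = [
    # Resolve identity-risk alerts for student accounts only: an exact match on
    # the student sub-domain leaves staff alerts on the parent domain active.
    TuningRule("students-idp-risk",
               (Condition("account_domain", "equals", "students.school.edu.au"),),
               frozenset({"identity_risk"})),
    TuningRule("phishing-simulations",
               (Condition("sender_domain", "in", SIMULATION_DOMAINS),),
               frozenset({"phishing_email"})),
]

# A mis-scoped rule: "equals school.edu" matches neither domain, so it resolves
# nothing (the value must be the full domain, including the ".au" suffix).
BROKEN_RULE = TuningRule("truncated-domain",
                         (Condition("account_domain", "equals", "school.edu"),))


def resolved_ids(alerts=SAMPLE_ALERTS, rules=RULES) -> list[str]:
    """IDs of alerts the rule set auto-resolves, in sorted order."""
    return sorted(aid for aid, (status, _) in apply_tuning(alerts, rules).items()
                  if status == "resolved")


if __name__ == "__main__":
    for aid, (status, rule) in apply_tuning(SAMPLE_ALERTS, RULES).items():
        print(f"{aid}: {status}" + (f" (rule: {rule})" if rule else ""))
    print("broken rule resolves:", resolved_ids(rules=[BROKEN_RULE]))
```

Two points the run makes visible: scoping a rule to the full student sub-domain with an exact match is what keeps the staff alerts on the parent domain active, and a truncated value such as `school.edu` matches nothing at all, which is the first thing to check when a rule appears never to fire.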


Figure 1: New alert tuning experience in Microsoft 365 Defender


Alert tuning is designed to help security teams streamline their incident response process by automating the resolution of common and repetitive alerts. This will allow analysts to focus on the most critical issues, rather than getting bogged down in routine tasks, while also helping organizations respond to potential threats faster.


In addition, it will improve the overall accuracy of alert notifications by letting security teams set criteria specific to their own environment. This will reduce the number of false positives and further limit noise, so that analysts investigate and focus on genuine security incidents instead.


The new alert tuning feature in Microsoft 365 Defender helps organizations better protect their digital estate against cyber threats by streamlining the incident response process and reducing false positives even further.

Start exploring this new feature today and find out how it can enhance your organization's detection and response process.

Updated Oct 29, 2024
Version 2.0
  • tipper1510 (Brass Contributor)

    What permissions are required for this, as currently the Save option is greyed out?

  • BrechtKUL (Copper Contributor)

    How could I configure alert tuning (or block the generation of alerts in some other way) for 50 phishing simulation domain names? Alert tuning has a powerful condition system but it seems a lot of manual work.

  • Hi

    We are trying to tune out AAD IDP alerts triggered by our students on domain "students.school.edu.au" but still want to get alerts from "school.edu.au" that relate to staff IDP risks (we have one tenant, 2 domains).

    Is this possible?

    We have configured a custom alert but are not getting any matches and it's not auto-resolving. Alert config looks like:

    Triggering IOC of type "Account" with the following conditions:

    Account domain equals students.school.edu.au

    Something I have noticed is when selecting tune alert for a specific AAD IDP alert and then selecting the student account as a filter, it highlights
    account domain - Equals - school.edu (missing the .au). I've tried student.school.edu (no .au) and it isn't working either.

    Cheers.
  • SamP_1993

    This shouldn't happen 🙂

    Let's take it onto a private channel to find the underlying cause of that.

  • SamP_1993 (Copper Contributor)

    Idan_Pelleg Yes, we have Microsoft 365 Defender connector in Sentinel, yet the alert gets triggered in Sentinel & does not get resolved. However, the alert in Defender gets resolved as a result of alert tuning.

  • SamP_1993, assuming you are using the Microsoft 365 Defender connector in Sentinel, you should get the alert resolved in Sentinel.

    If this is not the case please let us know.

  • SamP_1993 (Copper Contributor)

    Idan_Pelleg

    We have implemented the Alert tune process for a recurring alert in Defender.

    It does resolve the alert as per the fine-tuning criteria, but it creates a Sentinel alert simultaneously, which should not be possible: as we are resolving the alert at source, why should the Sentinel alert get triggered?