Forum Discussion

leon_boers's avatar
leon_boers
Copper Contributor
Oct 04, 2023
Solved

Are exclusions in Defender for alerts only?

Greetings, I'm looking into the Detection Exclusions to reduce fasle positives in our environment. I couldn't clearly find if adding exclusions for specific rules only stops the alerts, or the log...
identity protection
  • elieelkarkafi's avatar
    elieelkarkafi
    Oct 04, 2023

    leon_boers if you want to suppress specific alerts in M365 Defender to reduce some false positive alerts, you need to create alert tuning rules (suppression rules) with specific conditions 

     

     

elieelkarkafi's avatar
elieelkarkafi
MVP
Oct 04, 2023

leon_boers if you want to suppress specific alerts in M365 Defender to reduce some false positive alerts, you need to create alert tuning rules (suppression rules) with specific conditions 

 

 

leon_boers's avatar
leon_boers
Copper Contributor
Oct 06, 2023

Thanks elieelkarkafi !

I've set up tuning and will monitor how that works.

 

for anyone else wanting to start tuning. if you select "tune alert" from the actual alert, you get pre-populated info (like host names etc) in the tuning drop-downs.

 

  • elieelkarkafi's avatar
    elieelkarkafi
    MVP
    Oct 06, 2023

    leon_boers Correct, that way to fine tune a specific alert with specific hostname , IP , etc.... 

    the other way is to create a tuning with more generic conditions 

     

    Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

Resources