Forum Discussion
Jeroen_Borger
Feb 10, 2021Copper Contributor
exclude users from Suspected brute-force attack (Kerberos, NTLM)
Dear community,
Within our environment we use group mailboxes for a lot of teams. The problem is that we get a lot of false positive alerts in Microsoft Defender for Identity and Cloud App Security (monitoring tool). This happens because users can just click close on the prompt and still receive the mails in the mailbox (the group mailboxes are disabled accounts).
I have seen that we can exclude computers and IPs but not users, and users are what we need.
policy name: Suspected brute-force attack (Kerberos, NTLM)
Does anybody have some ideas or solutions?
Kind regards,
Jeroen Borger
1 Reply
- AlexCherFS
Copper Contributor
Hi Jeroen,
The only option to exclude Users that I was able to find is by excluding them globally under Excluded Entities / Global Excluded Entities / Users in the MDI portal (which would of course prevent other alerts from being triggered for them). Otherwise, the per alert exclusion allows only Devices and IP Addresses, like you mentioned.
Can you pull a list of these users' machines and exclude them under devices perhaps?
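One way to build the list of devices the reply suggests, as an added example that is not part of this thread: the script below reads a domain controller's Security log for failed Kerberos pre-authentication (event 4771) and NTLM credential validation (event 4776) events, keeps only the ones for the disabled shared-mailbox accounts, and summarises the source IPs/workstations per account so they can be reviewed and then added to the per-alert Devices / IP address exclusion. The account names, look-back window and output path are placeholders; run it on a DC (or point Get-WinEvent at one with -ComputerName) with rights to read the Security log.

```powershell
# Added example (not from the thread): list the source devices/IPs behind failed
# Kerberos (4771) / NTLM (4776) authentication attempts for disabled shared-mailbox
# accounts, so they can be reviewed and added to the MDI per-alert Devices / IP exclusion.
# Placeholders: account names, look-back window, output file.

$SharedMailboxAccounts = @('svc-teammailbox1', 'svc-teammailbox2')   # placeholder sAMAccountNames
$Since = (Get-Date).AddDays(-7)                                        # placeholder look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4776
    StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4771 carries TargetUserName + IpAddress (IPv4 shows as ::ffff:a.b.c.d);
    # 4776 carries TargetUserName + Workstation.
    $user   = $data['TargetUserName']
    $source = if ($e.Id -eq 4771) { $data['IpAddress'] -replace '^::ffff:', '' } else { $data['Workstation'] }

    # -contains is case-insensitive in PowerShell, which matches AD account name handling
    if ($SharedMailboxAccounts -contains $user) {
        [pscustomobject]@{
            Account = $user
            EventId = $e.Id
            Source  = $source
            Time    = $e.TimeCreated
        }
    }
}

# One row per account/source pair with attempt count and last seen time,
# busiest sources first, so the reviewer can see which clients cause the noise.
$summary = $hits | Group-Object Account, Source | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Account  = $first.Account
        Source   = $first.Source
        Attempts = $_.Count
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Attempts -Descending

$summary | Format-Table -AutoSize

# Unique sources to paste into the per-alert exclusion after review.
$summary.Source | Where-Object { $_ } | Sort-Object -Unique |
    Set-Content -Path .\mdi-exclusion-candidates.txt   # placeholder output path
```

Check the summary before excluding anything: a device that shows failures for the shared-mailbox accounts and for other accounts as well is not a clean false-positive source, and excluding it would also hide a real password-spray or brute-force attempt from that device. Re-run the script periodically, since the set of workstations with stale cached credentials for these mailboxes changes as people move teams.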