Forum Discussion

Former Employee

Mar 25, 2019

New! Extending user based exclusions for alerts

You asked, we listened! In an effort to improve and enhance your experience using Azure ATP, you can now set alert exclusions that include users, along with other entities such as IP addresses,...

DanPan

Copper Contributor

May 20, 2021

Hi Tali Ash

We have a proxy service running, with service account svc-proxy, on server DTxxxxxxxx02

These activities generates “User and IP address reconnaissance (SMB)” alerts.

We do not want future alerts.

We added the svc-proxy to user exclusion “User and IP address reconnaissance (SMB)”

After we closed the alert, we still get alerts "An actor on DTxxxxxxxx02 enumerated SMB sessions on..."
In the evidence details it shows An actor = svc-proxy

Why do we still get these alerts after we excluded the user?
It seems the user only based exclusion for alerts is not working...

Remark: if we exclude both the user "svc-proxy" and computer "DTxxxxxxxx02" it works fine, no more alerts. But we don't want to exclude the computer too.

EliOfek
Microsoft
May 26, 2021
When looking at the evidence timestamps (Jan 5) , did they happen after you excluded by the user ?
- DanPan
  Copper Contributor
  May 28, 2021
  The timestamp is 1st May.
  Yes, they happen after I excluded the user and closed the previous alert.
  The content of the new alert changed from "svc-proxy on" to "An actor on".
  - EliOfek
    Microsoft
    May 30, 2021
    DanPan Please open a support case, export the alert data to excel and share with support.
    Generally, if you excluded the user account and indeed it was the same user that did this, we should not have reopened this alert.
    Note that in some cases we cannot tell who the user is, depending on exact traffic type, so in this case if the machine was not excluded, we will still fire the alert based on the machine.