Forum Discussion
Jeroen_Borger
Feb 10, 2021
Copper Contributor
exclude users from Suspected brute-force attack (Kerberos, NTLM)
Dear community, within our environment we use group mailboxes for a lot of teams. The problem is that we get a lot of false positive alerts in Microsoft Defender for Identity and Cloud app securi...
AlexCherFS
Nov 23, 2022
Copper Contributor
Hi Jeroen,
The only option to exclude Users that I was able to find is by excluding them globally under Excluded Entities / Global Excluded Entities / Users in the MDI portal (which would of course prevent other alerts from being triggered for them). Otherwise, the per-alert exclusion allows only Devices and IP Addresses, like you mentioned.
Can you pull a list of these users' machines and exclude them under devices perhaps?