Forum Discussion
How can DLP alerts be filtered before reaching the Alerts and Incidents tables in Sentinel?
Goal - how to stop DLP alerts before they reach the tables. Not interested in using any automation or playbooks.
There is a single data connector which has Defender suite alerts. Even if no DLP alerts and incidents are enabled, they reach Alerts and Incidents. No analytics rules are enabled.
We have separate teams for SOC and DLP under different organizations, and every team needs to see their own alerts. How do we stop them reaching the tables in Sentinel?
8 Replies
- Clive_Watson (Bronze Contributor)
From your description it sounds like you are getting these alerts from the Microsoft 365 Defender connector.
The only way I know is to use an Automation Rule to action these. You could take an Action of "Change Status" to "Closed" as an example, adding a comment or even a Tag.
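As an added illustration of the automation-rule approach described in the reply above (not code from the original thread), the following ARM resource defines a rule that closes newly created incidents whose alerts come from a DLP product and tags them so the DLP team can still find them. The `AlertProductNames` match value, the workspace name and the rule name are assumptions; check the product name against the `ProductName` column of your own `SecurityAlert` rows before deploying.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01",
  "name": "close-dlp-incidents",
  "scope": "Microsoft.OperationalInsights/workspaces/<your-workspace-name>",
  "properties": {
    "displayName": "Auto-close DLP incidents for SOC view",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "AlertProductNames",
            "operator": "Contains",
            "propertyValues": ["<DLP product name as shown in SecurityAlert.ProductName>"]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "labels": [{ "labelName": "DLP" }]
        }
      },
      {
        "order": 2,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Closed",
          "classification": "BenignPositive",
          "classificationReason": "SuspiciousButExpected",
          "classificationComment": "Closed by automation rule: DLP incident handled by the DLP team in Purview"
        }
      }
    ]
  }
}
```

Note that this changes the incident's status in Sentinel only after it has been written to the table; the rows still exist in `SecurityAlert` and `SecurityIncident`, and a SOC workbook or query would still need to exclude the tagged or closed incidents.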
- wonder_wolf (Copper Contributor)
Will it impact any ML in Purview? DLP is owned by a separate team, not the SOC. Is there a workaround for this limitation?
- wonder_wolf (Copper Contributor)
Bidirectional forwarding is turned on; is it not still changing or impacting the source system?