Forum Discussion
wonder_wolf
Nov 01, 2023, Copper Contributor
How can DLP alerts be filtered before reaching into Alerts and Incidents table in Sentinel?
Goal - how to stop dlp alerts before reaching to the tables. Not interested in using any automation or playbooks. There is a single data connector which has defender suite alerts. Even If, no dlp...
Clive_Watson
Nov 01, 2023, Bronze Contributor
From your description it sounds like you are getting these alerts from the Microsoft 365 Defender connector.
The only way I know is to use an Automation Rule to action these. You could take an Action of "Change Status" to "Closed" as an example, adding a comment or even a Tag.
- wonder_wolf, Nov 01, 2023, Copper Contributor: Will it impact any ML in the Purview? DLP is owned by a separate team, not the SOC. Is there a workaround for this limitation?
- wonder_wolf, Nov 16, 2023, Copper Contributor: There is bidirectional forwarding turned on; is it not still changing or impacting the source system?
- Clive_Watson, Nov 16, 2023, Bronze Contributor: Correct, so if updating the source system where people may be working those Incidents is a concern.
Rather than changing Status you may want to set a tag - something like "This Alert mustn't be worked in Sentinel by the SOC or its Status changed".
Of course having open tickets in Sentinel isn't good, but the tagging might help, depending on how you deal with your Incidents. If you manage the tickets in an ITSM tool, then those often have other statuses or severities you can set that are not sync'd back to Sentinel.
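As an added example (not part of the thread, and not Microsoft's or the original poster's code), here is what the tag-only Automation Rule described above looks like as a Bicep resource, so it can be deployed with the workspace rather than clicked together in the portal. It triggers on incident creation from the Microsoft 365 Defender connector, narrows to incidents whose alerts are DLP, and only adds tags, so nothing is written back to Defender or Purview through the bidirectional sync. The workspace name, rule name, tag text and the product-name string 'Data Loss Prevention' are assumptions; check the ProductName values in your own SecurityAlert table before relying on that filter.

```bicep
// Added example, not from the thread. Sentinel Automation Rule that tags
// Microsoft 365 Defender incidents containing DLP alerts instead of closing
// them, so the SOC can leave them alone without touching the source system.
// Assumptions: workspaceName is the Sentinel-enabled Log Analytics workspace;
// 'Data Loss Prevention' matches the product name the DLP alerts carry in
// your tenant (verify in the SecurityAlert table first).
param workspaceName string

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

resource tagDlpIncidents 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  name: 'tag-m365d-dlp-incidents'   // assumed rule id; a GUID is conventional, any unique name works
  scope: workspace                  // automation rules are extension resources on the workspace
  properties: {
    displayName: 'Tag M365 Defender DLP incidents (owned by Purview team)'
    order: 1                        // low order so the tag is applied before other rules run
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: [
        {
          // Only incidents synced in by the Microsoft 365 Defender connector
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'IncidentProviderName'
            operator: 'Equals'
            propertyValues: [
              'Microsoft 365 Defender'
            ]
          }
        }
        {
          // Narrow to incidents whose alerts come from DLP (assumed product name)
          conditionType: 'Property'
          conditionProperties: {
            propertyName: 'AlertProductNames'
            operator: 'Contains'
            propertyValues: [
              'Data Loss Prevention'
            ]
          }
        }
      ]
    }
    actions: [
      {
        order: 1
        actionType: 'ModifyProperties'
        actionConfiguration: {
          // Tag only. Setting status: 'Closed' here is the "Change Status"
          // variant; with bidirectional sync on, that closure reaches the
          // source system, which is exactly the concern raised above.
          labels: [
            {
              labelName: 'DLP-owned-by-Purview-team'   // assumed tag text
            }
            {
              labelName: 'Do-not-work-in-Sentinel'     // assumed tag text
            }
          ]
        }
      }
    ]
  }
}
```

Deploy it with the usual `az deployment group create` against the workspace's resource group. If the ITSM integration mentioned above filters on tags, these labels give it a field to key on without any status change flowing back to Purview.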
- Clive_Watson, Nov 01, 2023, Bronze Contributor: wonder_wolf, if it's from M365 it's not the same as Purview. Personally I'd look at some of them and assess if you want to drop them in Sentinel. They will still be in the source system.
- wonder_wolf, Nov 01, 2023, Copper Contributor: Thank you indeed for your response. Is it the same for MDCA alerts, since it also creates info protection alerts that are also related to other teams?