Forum Discussion
wonder_wolf
Nov 01, 2023 Copper Contributor
How can DLP alerts be filtered before reaching into Alerts and Incidents table in Sentinel?
Goal - how to stop DLP alerts before they reach the tables. Not interested in using any automation or playbooks. There is a single data connector which has Defender suite alerts. Even if, no DLP...
wonder_wolf
Nov 01, 2023 Copper Contributor
Will it impact any ML in Purview? DLP is owned by a separate team, not the SOC. Is there a workaround for this limitation?
wonder_wolf
Nov 16, 2023 Copper Contributor
There is bidirectional forwarding turned on; is it not still changing or impacting the source system?
- Clive_Watson
Nov 16, 2023 Bronze Contributor
Correct, so if updating the source system where people may be working those Incidents is a concern, rather than changing the Status you may want to set a tag - something like "This Alert mustn't be worked in Sentinel by the SOC or its Status changed".
Of course having open tickets in Sentinel isn't good, but the tagging might help - depending on how you deal with your Incidents. If you manage the tickets in an ITSM tool, then those often have other statuses or severities you can set that are not synced back to Sentinel.
- wonder_wolf
Dec 29, 2023 Copper Contributor
I have received a suggestion from an SME of filtering at the LAW table level. Have you had experience doing that? To my knowledge, DCRs are only good for IaaS-level/AMA agent-level filtering?