Forum Discussion
NoobieInfoSec
Aug 29, 2022, Copper Contributor
Microsoft Sentinel Potentially malicious events - Flagging as Safe/Informational?
Is there a way to change the status of a potentially malicious event as safe so it no longer shows up on the map? Also, is there a way to create some logic in Sentinel to say if any act...
- Aug 29, 2022
Several tables are enriched in the background using Microsoft's threat intelligence. This feature is not well documented. Most notably the CommonSecurityLog table. The number of supported tables is frustratingly limited. There is no option to customize.
You can drill down on the map to see the KQL. You could use this to create a custom map in a workbook and even custom alerts. From there you could add exclusions and additions.
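One way to build the custom workbook query with exclusions that the reply above describes, as an added example that is not part of the original thread: it assumes the CommonSecurityLog enrichment columns MaliciousIP, MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude and ThreatSeverity, and the allowlist entries are constructed placeholders.

```kql
// Added example (not from the thread): rebuild the "potentially malicious events" view
// over CommonSecurityLog and apply a reviewed exclusion list before plotting or alerting.
// Assumption: the MaliciousIP* columns are populated by the background TI enrichment.
let SafeIPs = datatable(IP: string, Reason: string) [
    "203.0.113.10",  "Authorized vulnerability scanner, reviewed 2022-08",  // constructed sample
    "198.51.100.25", "Partner VPN gateway, reviewed 2022-08"               // constructed sample
];
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(MaliciousIP)                      // keep only rows the enrichment flagged
| where MaliciousIP !in (SafeIPs | project IP)       // drop sources already triaged as safe
| summarize EventCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Sources    = make_set(DeviceVendor, 10)
    by MaliciousIP, MaliciousIPCountry, MaliciousIPLatitude, MaliciousIPLongitude, ThreatSeverity
| order by EventCount desc
```

In a workbook, render the result with the Map visualization keyed on MaliciousIPLatitude/MaliciousIPLongitude; for an analytics rule, keep the same filters and alert on EventCount above a threshold you choose.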
NoobieInfoSec
Aug 30, 2022, Copper Contributor
Thanks. I think I have found an OK solution to creating an alert when this specific event happens.
I just want to clarify though that there is no way to remove this potentially malicious event from showing up on the map like it does though, right? Even if we flag this IP Address or Coordinates as safe?
AndrewBlumhardt
Microsoft
Aug 30, 2022
Correct. The dashboard reflects a union of the supported tables where malicious IPs are noted. Such a filter would need to be applied on the dashboard. It is an interesting visualization but no controls or alerts are included.