NoobieInfoSec
Copper Contributor
Aug 29, 2022

Microsoft Sentinel Potentially malicious events - Flagging as Safe/Informational?

Is there a way to change the status of a potentially malicious event as safe so it no longer shows up on the map? Also, is there a way to create some logic in Sentinel to say if any act...
  • AndrewBlumhardt
    Aug 29, 2022
    Several tables are enriched in the background using Microsoft's threat intelligence. This feature is not well documented. Most notably the CommonSecurityLog table. The number of supported tables is frustratingly limited. There is no option to customize.

    You can drill down on the map to see the KQL. You could use this to create a custom map in a workbook and even custom alerts. From there you could add exclusions and additions.
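
One way to build the custom query with exclusions that the reply above describes, added here as an example and not taken from the thread or from the built-in map's own KQL. It assumes a watchlist with the hypothetical alias `SafeIPs` that holds addresses you have reviewed and accepted, and a 24-hour window chosen only for illustration.

```kusto
// Added example, not the built-in map query.
// Assumption: a Sentinel watchlist with the hypothetical alias "SafeIPs" exists,
// and its SearchKey column holds IP addresses reviewed as benign.
let ReviewedSafe =
    _GetWatchlist('SafeIPs')
    | project SafeIP = tostring(SearchKey);
CommonSecurityLog
| where TimeGenerated > ago(24h)            // illustrative time window
| where isnotempty(MaliciousIP)             // keep only rows enriched by threat intelligence
| where MaliciousIP !in (ReviewedSafe)      // exclusion: drop addresses already reviewed as safe
| summarize
    Events   = count(),
    LastSeen = max(TimeGenerated)
    by MaliciousIP,
       MaliciousIPCountry,
       MaliciousIPLatitude,
       MaliciousIPLongitude,
       IndicatorThreatType,
       ThreatSeverity
| order by Events desc
```

The latitude and longitude columns can feed a map visualization in a workbook, and the same query can back a scheduled analytics rule so that alerts skip the reviewed addresses.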
