stianhoydal
Brass Contributor
Jan 04, 2022
Solved

No option to tune analytics rule with Microsoft 365 Defender connector

Greetings, I have been working with a few different customers, and when trying to configure the Defender for O365 alert "Email messages containing malicious URL removed after delivery", there is no option to add exclusions and minor tweaks to the analytics rule as there used to be when not connected via the Microsoft 365 Defender connector.

The option to click "Create incidents based on *product name* alerts" does not exist after activating the Microsoft 365 Defender connector. Is there any way to do similar tuning anyway? I wish to not make informational incidents like the email messages, but still receive the alert in the background and rather create an incident if more than 20 of the same alert are received.

7 Replies

  • Thijs Lecomte
    Bronze Contributor
    You can't update those rules as it uses an integrated bi-directional sync engine.

    The best way is to use automation rules to update these incidents based on certain conditions.
    • stianhoydal
      Brass Contributor

      Thijs Lecomte So the best way of solving this particular issue is to turn off the Microsoft 365 Defender connector for now and keep the connectors as they are, separated. Since the M365 Defender connector is in preview, I suppose there might be hope for this functionality in the future.

      • Thijs Lecomte
        Bronze Contributor
        I prefer to keep the preview connector enabled as it has the incident bi-directional sync which is a huge benefit.

        I haven't heard of any changes which would solve your issue. I guess the solution is automation rules... I don't think this will change.
