Forum Discussion
Sayooj_Santhosh
May 02, 2025, Copper Contributor
Optimisation For Abnormal Deny Rate for Source IP
Hi,
I have recently enabled the "Abnormal Deny Rate for Source IP" alert in Microsoft Sentinel and found it to be quite noisy, generating a large number of alerts many of which do not appear to be actionable.
I understand that adjusting the learning period is one way to reduce this noise. However, I am wondering if there are any other optimisation strategies available that do not involve simply changing the learning window.
Has anyone had success with tuning this rule using:
Threshold-based suppression (e.g. minimum deny count)?
Source IP allowlists?
Frequency filters (e.g. repeated anomalies over multiple intervals)?
Combining with other signal types before generating alerts?
Open to any suggestions, experiences, or best practices that others may have found effective in reducing false positives while still maintaining visibility into meaningful anomalies.
Thanks in advance,
1 Reply
- micheleariis, Steel Contributor
Hi, to keep the noise at bay on “Abnormal Deny Rate for Source IP” in Sentinel, try this:
Raise the minimum threshold: trigger the alert only if an IP exceeds, say, 100 denies in 5 minutes.
Put under suppression: prevent the same IP from generating repeated alerts within the same time frame.
Exclude “good” ones: create a watchlist with IPs from your internal scanners or health-checks and filter those out.
Ask for confirmation over multiple windows: trigger the alert only if the spike repeats in 2 of the last 3 time windows.
Correlate it with other signals: add checks on failed logons, geolocation, or threat intel to give weight only to really suspicious situations.
Use grouping: enable Fusion or Sentinel's alert grouping to receive a single incident per IP instead of dozens of identical alerts.
That way you reduce false positives and keep an eye on only the really abnormal traffic spikes.
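The following query is an added example written for this thread; it is not code posted by either participant and not the built-in rule's own query. It puts the tuning ideas from the question (minimum deny count, source IP allowlist, repeated anomalies over multiple intervals, correlation with another signal) and the reply into one scheduled analytics rule. It assumes Azure Firewall logs land in the resource-specific AZFWNetworkRule table with SourceIp and Action columns, that a watchlist named KnownScanners with an IpAddress column holds the internal scanners and health-check sources, and that Entra ID sign-in logs are in SigninLogs; the watchlist name, thresholds and window sizes are placeholders to adjust for your environment.

```kql
// Added example, not the original thread's or Microsoft's rule query.
// Assumptions (not stated in the thread): Azure Firewall deny events are in
// AZFWNetworkRule (SourceIp, Action), the allowlist is a watchlist called
// KnownScanners with an IpAddress column, and failed sign-ins are in SigninLogs.
let lookback   = 15m;   // three 5-minute windows
let binSize    = 5m;    // one evaluation window
let minDenies  = 100;   // denies a source must reach inside a single window
let minWindows = 2;     // windows (out of the last 3) that must exceed the threshold
let allowlist  = _GetWatchlist('KnownScanners') | project IpAddress;
// Per-window deny counts, after dropping allowlisted sources
let denyWindows = AZFWNetworkRule
    | where TimeGenerated > ago(lookback)
    | where Action == "Deny"
    | where SourceIp !in (allowlist)
    | summarize Denies = count() by SourceIp, Window = bin(TimeGenerated, binSize)
    | where Denies >= minDenies;
// Failed sign-ins from the same source, used only to enrich, never to suppress
let failedSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedSignins = count() by SourceIp = IPAddress;
denyWindows
// Require the spike to persist: the threshold was crossed in >= minWindows windows
| summarize AnomalousWindows = dcount(Window),
            TotalDenies      = sum(Denies),
            FirstSeen        = min(Window),
            LastSeen         = max(Window)
          by SourceIp
| where AnomalousWindows >= minWindows
| join kind=leftouter failedSignins on SourceIp
| extend FailedSignins = coalesce(FailedSignins, 0)
| project SourceIp, AnomalousWindows, TotalDenies, FailedSignins, FirstSeen, LastSeen
```

Schedule the rule to run every 5 minutes over a 15-minute lookup so each run sees the last three windows, map SourceIp to the IP entity, and enable incident grouping by that entity so a source that keeps firing lands in one incident rather than one per run; the rule's event-grouping and "stop running query after alert" settings give the suppression the reply describes. The sign-in join is a left outer join on purpose: a high deny rate with zero failed sign-ins still alerts, but the FailedSignins column lets an analyst or an automation rule prioritise sources that are also guessing credentials.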