Forum Discussion
Optimisation For Abnormal Deny Rate for Source IP
Hi, to keep the noise at bay on “Abnormal Deny Rate for Source IP” in Sentinel, try this:
Raise the minimum threshold: trigger the alert only if an IP exceeds, say, 100 denies in 5 minutes.
Put under suppression: prevent the same IP from generating repeated alerts within the same time frame.
Exclude “good” ones: create a watchlist with IPs from your internal scanners or health-checks and filter those out.
Ask for confirmation over multiple windows: trigger the alert only if the spike repeats in 2 of the last 3 time windows.
Correlate it with other signals: add checks on failed logon, geolocation, or threat-intel to give weight only to really suspicious situations.
Use grouping: enable Fusion or Sentinel's alert grouping to receive a single incident per IP instead of dozens of identical alerts.
That way you reduce false positives and keep an eye on only the really abnormal traffic spikes.

All VMs must have a supported vulnerability assessment extension (Qualys or Defender Vulnerability Management): agentless CSPM alone is not enough. Deploy the extension on all machines (manually or via Azure Policy “Deploy Qualys VM extension” or “Deploy Microsoft Defender Vulnerability Management”), verify that the Log Analytics agent and the Defender sensor are active, and wait a few minutes: the status will change to “Healthy.”
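The threshold, watchlist exclusion and 2-of-3-window confirmation from the “Abnormal Deny Rate for Source IP” tuning above, written as one scheduled-rule KQL query. This is an added example, not the original poster's query or the Sentinel template itself; it assumes firewall events arrive in CommonSecurityLog with DeviceAction “Deny” and that a watchlist named KnownScanners (hypothetical) lists benign scanner/health-check IPs in its SearchKey column.

```kusto
// Added example, not the poster's or Microsoft's query.
// Assumptions: denies are in CommonSecurityLog with DeviceAction == "Deny";
// a watchlist "KnownScanners" (hypothetical name) holds benign IPs in SearchKey.
let windowSize = 5m;                 // one evaluation window
let lookback   = 3 * windowSize;     // inspect the last 3 windows
let threshold  = 100;                // denies per IP per window
let knownGood  = _GetWatchlist('KnownScanners') | project SearchKey;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceAction =~ "Deny"
| where isnotempty(SourceIP)
// Exclude internal scanners / health-checks held in the watchlist
| where SourceIP !in (knownGood)
// Count denies per source IP in each 5-minute window
| summarize Denies = count() by SourceIP, Window = bin(TimeGenerated, windowSize)
| where Denies > threshold
// One row per IP per spiking window, so count() = number of spiking windows
| summarize SpikingWindows = count(),
            MaxDenies      = max(Denies),
            FirstSeen      = min(Window),
            LastSeen       = max(Window)
          by SourceIP
// Require the spike in at least 2 of the last 3 windows
| where SpikingWindows >= 2
| extend IPCustomEntity = SourceIP
```

Schedule the rule to run every 5 minutes over a 15-minute lookback so the three bins line up with the windows above, map SourceIP as the IP entity, and turn on alert grouping by that entity in the rule's incident settings so each IP yields one incident rather than one alert per run.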