Forum Discussion
MikeP751860
Mar 30, 2023
Brass Contributor
Defender 365 - SmartAlerts: User exfiltrating sensitive information via Removable Media
Hi,
In the past few days we have started seeing incidents/alerts for "SmartAlerts: User exfiltrating sensitive information via Removable Media". We do not believe we have enabled any features or created policies which would start generating these incidents/alerts.
Is this something new from Microsoft as I cannot find any information on it?
Anyone able to help please?
Regards
Mike
- IainRPGreen (Copper Contributor)
I have started seeing these with a customer too but I am unable to track them down. Issue is they are raising as a high, causing too much noise for the SOC.
I am assuming no one has been able to track them down yet?
- PittsburghPope (Copper Contributor)
I have a new case open with them as we've started to get new alerts. So far nothing but I'll update if we get some direction. So far, I've been unable to figure out how to turn off the out of box sensitive info types in Purview or tune the Smart Alert directly. Needless to say, we don't have any Slovenian tax ID numbers in our environment.
- nbaker_2111 (Copper Contributor)
Hi Mike,
We too have started getting these. I have been searching pretty hard to find information about them. I just found this today and I also found a page that does talk about SmartAlerts a bit, and wanted to share it with the community.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-microsoft-purview-information-protection-discovers-and/ba-p/3777181
You can find them talking about SmartAlerts in line item #3.
Hopefully this helps out. I know for me it did and I understand the system a bit more. However, you cannot tune these from my understanding... Nor have I found anywhere else that has talked about them.
- ab1540 (Copper Contributor)
Has anyone found a way to tune these "smart" alerts or disable them?
- i-_-i (Copper Contributor)
No, I raised a ticket with MS, and they wasted 2 months assigning it to the wrong teams, that all misquoted old or out-of-date guides; they didn't understand the product.
I eventually gave up and created an automation rule to close them.
- i-_-i (Copper Contributor)
MikeP751860 We have the same across multiple clients.
I can't find any documentation on this either. Why did it happen and where can we tune this?
- Bradley Rodgers (Copper Contributor)
We started getting these a few days ago. Sure would be nice if Microsoft could explain what these are.