MikeP751860
Brass Contributor
Mar 30, 2023

Defender 365 - SmartAlerts: User exfiltrating sensitive information via Removable Media

Hi,

In the past few days we have started seeing incidents/alerts for "SmartAlerts: User exfiltrating sensitive information via Removable Media". We do not believe we have enabled any features or created policies which would start generating these incidents/alerts.

Is this something new from Microsoft as I cannot find any information on it?

Anyone able to help please?

Regards

Mike

  • IainRPGreen
    Copper Contributor
    I have started seeing these with a customer too but I am unable to track them down. The issue is they are being raised as high, causing too much noise for the SOC.

    I am assuming no one has been able to track them down yet?
    • PittsburghPope
      Copper Contributor
      I have a new case open with them as we've started to get new alerts. So far nothing, but I'll update if we get some direction. So far, I've been unable to figure out how to turn off the out-of-box sensitive info types in Purview or tune the Smart Alert directly. Needless to say, we don't have any Slovenian tax ID numbers in our environment.
  • nbaker_2111
    Copper Contributor
    Hi Mike,

    We too have started getting these. I have been searching pretty hard to find information about them. I just found this today and I also found a page that does talk about SmartAlerts a bit, and wanted to share it with the community.

    https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-microsoft-purview-information-protection-discovers-and/ba-p/3777181

    You can find them talking about SmartAlerts in line item #3.

    Hopefully this helps out. I know for me it did and I understand the system a bit more. However, you cannot tune these from my understanding... Nor have I found anywhere else that has talked about them.
    • ab1540
      Copper Contributor
      Has anyone found a way to tune these "smart" alerts or disable them?
      • i-_-i
        Copper Contributor
        No, I raised a ticket with MS, and they wasted 2 months assigning it to the wrong teams, which all misquoted old or out-of-date guides; they didn't understand the product.

        I eventually gave up and created an automation rule to close them.
  • i-_-i
    Copper Contributor

    MikeP751860 We have the same across multiple clients.

    I can't find any documentation on this either. Why did it happen, and where can we tune this?
