HKN
Jan 16, 2025 · Copper Contributor
Whitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have ...
Michal_Langenfeld
Mar 14, 2025 · Copper Contributor
Please check one of the following steps; it might help resolve the issue.
- Tag the Machine as "Pentest"
  - In Microsoft Defender Security Center, go to Settings > Device Groups.
  - Create a new device group and tag the machine used for pentesting.
  - Use this tag in advanced hunting queries and exclusions.
- Create Automated Investigation & Response (AIR) Exclusions
  - Go to Microsoft Defender Security Center.
  - Navigate to Settings > Endpoints > Indicators.
  - Add exclusions based on:
    - IP addresses (the pentest tool's machine).
    - User accounts (the accounts used for testing).
    - Process paths (the executable files used).
- Custom Detection Rules to Auto-Resolve Alerts
  - Use Advanced Hunting to identify recurring alerts triggered by the pentesting tool.
  - Go to Microsoft 365 Defender > Hunting > Advanced Hunting.
  - Write a KQL query to match known pentesting activities.
  - Create an Automated Investigation Rule that sets alerts to resolved.
- Disable Defender's Automatic Blocking for the Pentest Machine
  - If your tool is being blocked, add an exception for the pentest machine in Defender settings.
  - Go to Settings > Endpoints > Attack Surface Reduction Rules.
  - Add exclusions for the specific actions being flagged.
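An Advanced Hunting query of the kind the reply's third step describes, added here as an example (not from the original post or from Microsoft's documentation): it lists which alert titles recur on devices in the pentest device group, so that any exclusion or auto-resolve rule can be scoped to exactly those alerts and devices rather than suppressing Defender more broadly. The device group name "Pentest", the 30-day window and the recurrence threshold of 3 are assumptions.

```kql
// Constructed example: recurring alerts on devices in the "Pentest" device group.
// Device group name, look-back window and threshold are assumptions; adjust to taste.
let PentestDevices =
    DeviceInfo
    | where Timestamp > ago(30d)
    | where MachineGroup == "Pentest"          // device group created for the pentest machine(s)
    | distinct DeviceId, DeviceName;
AlertEvidence
| where Timestamp > ago(30d)
| where EntityType == "Machine"               // one evidence row per affected device
| join kind=inner PentestDevices on DeviceId  // keep only alerts raised on pentest devices
| join kind=inner (
    AlertInfo
    | project AlertId, Title, Category, Severity, DetectionSource
  ) on AlertId
| summarize
    AlertCount = count(),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by DeviceName, Title, Category, Severity, DetectionSource
| where AlertCount >= 3                       // "recurring": same title on the same device 3+ times
| order by AlertCount desc
```

Review the resulting titles before turning any of them into an auto-resolve or exclusion rule: an alert that recurs on the pentest box may still be one you want to keep visible if the same title would also fire on production hosts.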