Azure Defender Suppression Rules - How to deal with them in Sentinel?


Hello all,

I am currently dealing with Azure Defender (ASC) integration into Sentinel. We are suppressing alerts like "User agent detected" in Defender because we cannot really do much about them. As single incidents in Sentinel it is still the same (we still cannot do something about them), but maybe they help Sentinel to detect a multistage attack. How would Sentinel treat those alerts if they reach Sentinel and we close them automatically? Will it still use them for correlation?


Thanks & Regards

Ronja
