Excluding hosts from 'Unfamiliar Sign In Properties' Alert


Hi

We have some hosts that are constantly being flagged as 'risky sign-ins'; they are VC rooms using Teams, constantly being seen as coming from Microsoft IPs.

Does anyone know if it's possible to exclude a range of hosts from the Sentinel alert 'Unfamiliar Sign In Properties'? As far as I can tell it's not possible, but I am probably doing it wrong. The information to generate the alert seems to be pulled from AAD IP and rolled up into the inbuilt Analytics rule 'Create incidents based on Azure Active Directory Identity Protection alerts', rather than being an actual alert itself (I can't see it in Analytics anyway). I can't seem to get at the alert query itself.

I can sign off the hosts as not risky in Azure Identity Protection, but due to the large number of different IPs it's not catching it all.


Thanks

3 Replies
Because we cannot control the alerts from Identity Protection, there is no way to easily exclude hosts.

You could create a Logic App which checks the hosts and then closes the incident if they match a known one.

@Spen5903 As was just mentioned, you cannot automatically run a playbook for a non-scheduled alert type (please, Microsoft, have this ability soon!). You can, however, run the playbook from the Incident's full details page when viewing the alert(s) that make up the Incident.

Another option would be to have a Logic App run on a set schedule to check whether there are any new alerts of the type you are looking for, and then run the code to exclude the IP address.
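Both suggestions in the replies above (a Logic App that checks the hosts against a known list and closes the incident, or a scheduled run over newly arrived alerts) need the same decision step: pull the IP entities out of the Identity Protection alert as it lands in Sentinel's SecurityAlert table and decide whether every one of them belongs to the rooms. The following is an added example of that step, not code from the thread or from Microsoft, written as the kind of code an Azure Function or Logic App "code" action would run. The CIDR ranges, alert IDs and account names are constructed placeholders, the sample rows only carry the SecurityAlert columns the logic needs, and the call that actually closes the incident is left to the playbook.

```python
"""Added example: triage logic for Identity Protection 'Unfamiliar sign-in properties'
alerts as stored in Sentinel's SecurityAlert table.

Constructed sample data; the ranges, alert IDs and account names are placeholders
(assumptions), not values from the original thread."""
import ipaddress
import json

# Assumption: the egress ranges of the Teams room systems. Expressed as CIDRs rather
# than single addresses because the poster notes there are too many distinct IPs.
KNOWN_ROOM_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

TARGET_ALERT = "Unfamiliar sign-in properties"

# Constructed SecurityAlert-like rows. 'Entities' mirrors the JSON array Sentinel
# stores in that column: each entity has a 'Type'; IP entities carry 'Address'.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "AlertName": "Unfamiliar sign-in properties",
     "Entities": json.dumps([
         {"$id": "2", "Name": "room-01", "UPNSuffix": "contoso.example", "Type": "account"},
         {"$id": "3", "Address": "203.0.113.25", "Type": "ip"}])},
    {"SystemAlertId": "a2", "AlertName": "Unfamiliar sign-in properties",
     "Entities": json.dumps([
         {"$id": "2", "Name": "jdoe", "UPNSuffix": "contoso.example", "Type": "account"},
         {"$id": "3", "Address": "198.51.100.7", "Type": "ip"}])},
    {"SystemAlertId": "a3", "AlertName": "Unfamiliar sign-in properties",
     "Entities": json.dumps([
         {"$id": "2", "Name": "room-02", "Type": "account"},
         {"$id": "3", "Address": "203.0.113.40", "Type": "ip"},
         {"$id": "4", "Address": "198.51.100.9", "Type": "ip"}])},
    {"SystemAlertId": "a4", "AlertName": "Unfamiliar sign-in properties",
     "Entities": json.dumps([{"$id": "2", "Name": "room-03", "Type": "account"}])},
    {"SystemAlertId": "a5", "AlertName": "Anonymous IP address",
     "Entities": json.dumps([{"$id": "3", "Address": "203.0.113.50", "Type": "ip"}])},
]


def ip_entities(entities_json):
    """Return the validated IP addresses (as strings) among an alert's entities.

    Malformed JSON, non-IP entities and IP entities without a parseable address
    contribute nothing; the caller treats 'no IPs' as 'do not auto-close'."""
    try:
        entities = json.loads(entities_json)
    except (TypeError, ValueError):
        return []
    ips = []
    for ent in entities:
        if not isinstance(ent, dict) or str(ent.get("Type", "")).lower() != "ip":
            continue
        try:
            ips.append(str(ipaddress.ip_address(ent["Address"])))
        except (KeyError, ValueError):
            continue  # ip entity without a usable address: ignore rather than guess
    return ips


def is_known(ip_str, ranges=KNOWN_ROOM_RANGES):
    """True when the address falls inside one of the known room ranges."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in ranges)


def triage(alerts, ranges=KNOWN_ROOM_RANGES):
    """Map SystemAlertId -> 'close' or 'keep'.

    Fails closed: an alert is only marked for auto-close when it is the targeted
    alert type, carries at least one IP entity, and every IP entity is in a known
    range. A mixed alert (one known IP, one unknown) stays open for a human."""
    decisions = {}
    for alert in alerts:
        if alert.get("AlertName", "").lower() != TARGET_ALERT.lower():
            decisions[alert["SystemAlertId"]] = "keep"
            continue
        ips = ip_entities(alert.get("Entities", ""))
        close = bool(ips) and all(is_known(ip, ranges) for ip in ips)
        decisions[alert["SystemAlertId"]] = "close" if close else "keep"
    return decisions


if __name__ == "__main__":
    for alert_id, decision in triage(SAMPLE_ALERTS).items():
        print(alert_id, decision)
```

On the sample rows this closes only a1: a2 comes from an unknown address, a3 mixes a room address with an unknown one, a4 has no IP entity at all, and a5 is a different alert type that this rule does not touch. Whatever closes the incident afterwards should record a classification such as benign/expected so the auto-closed volume stays visible in reporting.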

Ah nightmare ok, thanks for the quick reply!