Defender 365 - SmartAlerts: User exfiltrating sensitive information via Removable Media

Hi,

In the past few days we have started seeing incidents/alerts for "SmartAlerts: User exfiltrating sensitive information via Removable Media". We do not believe we have enabled any features or created policies which would start generating these incidents/alerts.

Is this something new from Microsoft as I cannot find any information on it?

Anyone able to help please?

Regards

Mike

7 Replies

@MikeP751860 

We started getting these a few days ago. Sure would be nice if Microsoft could explain what these are.

@MikeP751860 We have the same across multiple clients.  

I can't find any documentation on this either, why did it happen and where can we tune this?

Hi Mike,

We too have started getting these. I have been searching pretty hard to find information about them. I just found this today, and I also found a page that does talk about SmartAlerts a bit and wanted to share it with the community.

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-microsoft-purview-...

You can find them talking about SmartAlerts in line item #3.

Hopefully this helps out. I know for me it did and I understand the system a bit more. However, you cannot tune these from my understanding... Nor have I found anywhere else that has talked about them.

Has anyone found a way to tune these "smart" alerts or disable them?

No, I raised a ticket with MS, and they wasted 2 months assigning it to the wrong teams, who all misquoted old or out-of-date guides; they didn't understand the product.

I eventually gave up and created an automation rule to close them.

I have started seeing these with a customer too but I am unable to track them down. Issue is they are raising as a high, causing too much noise for the SOC.

I am assuming no one has been able to track them down yet?

I have a new case open with them as we've started to get new alerts. So far nothing, but I'll update if we get some direction. So far, I've been unable to figure out how to turn off the out-of-box sensitive info types in Purview or tune the Smart Alert directly. Needless to say, we don't have any Slovenian tax ID numbers in our environment.