MDE Alert Policy Tuning


Hello.


I was reviewing the default alert policies within MDE. While some of these are worthwhile for security pros (e.g. "Unusual volume of deletions"), they appear to lack the ability to be tuned so that expected processes can be excluded. For example, I know the TEAMS.exe and MSEDGE.exe processes do cache clean-up, so I'd like to have those excluded from the alert, but I still need to know if some other process that I don't expect is removing files. Only the volume of alerts can be tuned, or the alert can be turned off completely, which I see most people recommend. Will there be any improvements to these default alert policies so they can be tuned at a more granular level?


Thanks for reviewing and commenting.


Hello @KB850VR . Have you looked at our suppression rule capabilities? This will enable you to suppress a specific alert based on conditions you specify. These conditions include device, device group, file hash, command line, folder path, etc.

doc: Manage Microsoft Defender for Endpoint suppression rules | Microsoft Docs
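As an added example (not from this thread or from Microsoft's docs): where a suppression rule cannot carry the exclusion, the same logic the question asks for can be expressed as an advanced hunting query and saved as a custom detection rule. Table and column names are the standard DeviceFileEvents schema; the one-hour window, the 500-file threshold and the process list are assumed values to adjust per environment.

```kusto
// Added example: approximate the "Unusual volume of deletions" signal while
// excluding the expected cache-cleanup processes named in the question.
// Process names are compared case-insensitively via tolower().
let ExpectedCleanupProcesses = dynamic(["teams.exe", "msedge.exe"]);  // assumed allow-list
let DeletionThreshold = 500;                                          // assumed tuning knob
DeviceFileEvents
| where Timestamp > ago(1h)                                           // assumed window
| where ActionType == "FileDeleted"
| where tolower(InitiatingProcessFileName) !in (ExpectedCleanupProcesses)
| summarize DeletedFiles = count(),
            SampleFolders = make_set(FolderPath, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| where DeletedFiles > DeletionThreshold
| order by DeletedFiles desc
```

Because the allow-list is an explicit set, an unexpected process deleting files in volume still surfaces, which is the behaviour the question asks for.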

Let me try that again... I'll have to work with our MDE Admin on this as I don't have permissions in our environment to add those rules. Based on what I see, it doesn't appear that default alert rules can be added to alert suppression rules, but let me work with my admin on this.


Thanks again!

Sounds good! Most alerts (including in-box alerts) should be able to be suppressed.