Edit anomaly detection policy by excluding certain endpoints


Does anyone have insight or know of documentation (I have hunted through these discussions and the Microsoft documentation) related to 'Edit anomaly detection policy' to exclude a specific set of devices for a built-in detection policy? 

 

Currently, under Edit anomaly detection policy, I can select Scope > Specific users and groups ... where I'm able to create a filter for specified devices. There is an Include and Exclude checkbox and I'm not sure whether these will contradict when trying to exclude a group of devices.

 

Additionally, if there are other more efficient ways to do this rather than creating an Exclude filter within each anomaly detection policy, I'd love to know about it.

 


1 Reply

Update and for reference in case someone searches for this in the future - I found documentation about including or excluding specific users or groups here: Create anomaly detection policies in Defender for Cloud Apps - Microsoft Defender for Cloud Apps | M...