cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Poor alert filtering capabilities?

SocInABox
Iron Contributor

‎Jan 12 2022 07:23 AM

‎Jan 12 2022 07:23 AM

Poor alert filtering capabilities?

MCAS portal has poor alert filtering capabilities.

Any thoughts on adding alert suppressions or something to make it more in line with the security.microsoft.com portal?

Sentinel has a new M365 Defender connector which pulls in all incidents from MCAS and Defender portals. However it's not desirable to have all of those incidents show up in Sentinel so good alert suppression is needed. MCAS portal is missing this.

816 Views
0 Likes
4 Replies
Reply
4 Replies
JaredPoeppelman

‎Jan 12 2022 07:35 AM

‎Jan 12 2022 07:35 AM

Re: Poor alert filtering capabilities?

The alerts from MDCA (formerly MCAS) are already surfaced in the Defender portal, so just manage them there. There is no need to manage them in both places.
0 Likes
Reply
SocInABox

‎Jan 12 2022 07:37 AM

‎Jan 12 2022 07:37 AM

Re: Poor alert filtering capabilities?

Hi jared,
alert suppression for mcas incidents isn't supported from the Defender portal.
that was my hope as well, but it's not supported.
0 Likes
Reply
JaredPoeppelman

‎Jan 12 2022 07:42 AM

‎Jan 12 2022 07:42 AM

RE: Poor alert filtering capabilities?

Ok, I misunderstood. Are you referring to what is currently done in the configuration of the policy where a detection can be scoped by user, group, IP, etc.?
0 Likes
Reply
SocInABox

‎Jan 12 2022 07:47 AM - edited ‎Jan 12 2022 07:48 AM

‎Jan 12 2022 07:47 AM - edited ‎Jan 12 2022 07:48 AM

RE: Poor alert filtering capabilities?

I guess some examples would help.
Say you get "admin activity from non-corporate IP" or "multiple failed user logins to an app"
You'd have to edit the policy directly rather than create suppression rules for certain conditions.

0 Likes
Reply