Poor alert filtering capabilities?

Frequent Contributor

MCAS portal has poor alert filtering capabilities.

Any thoughts on adding alert suppressions or something to make it more in line with the security.microsoft.com portal?

Sentinel has a new M365 Defender connector which pulls in all incidents from MCAS and Defender portals. However it's not desirable to have all of those incidents show up in Sentinel so good alert suppression is needed. MCAS portal is missing this.

4 Replies
The alerts from MDCA (formerly MCAS) are already surfaced in the Defender portal, so just manage them there. There is no need to manage them in both places.
Hi jared,
alert suppression for mcas incidents isn't supported from the Defender portal.
that was my hope as well, but it's not supported.
Ok, I misunderstood. Are you referring to what is currently done in the configuration of the policy where a detection can be scoped by user, group, IP, etc.?

I guess some examples would help.
Say you get "admin activity from non-corporate IP" or "multiple failed user logins to an app"
You'd have to edit the policy directly rather than create suppression rules for certain conditions.