Whitelist scanner IP address


We have a regular vulnerability scan against the workstations and it keeps triggering incidents as it tries to log in with known, easy-to-guess passwords. Is there a way to whitelist connections from a private IP so we don't get MDATP alerts during scans?


I should also mention that this scan triggers an "Internal brute-force attack" incident that doesn't have an IOC attached to it, so it is not possible to create a suppression rule. Since this is an internal IP, I cannot add it to the list of custom IOCs either (though I'm not sure how that would help if the incident doesn't include it as an IOC).


The best I can do is to suppress this type of alert completely, but that would leave the computers open to real internal brute-force attacks.


[Screenshot attached: supprule.png]

Give this article a try:
https://techcommunity.microsoft.com/t5/azure-sentinel/implementing-lookups-in-azure-sentinel/ba-p/10...

I was looking for a kind of ActiveList to exclude our scanners too, and it works great.
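One way to apply that lookup idea in a hunting or analytics-rule query, as an added example that is not from the thread or the linked article: the scanner addresses live in a Sentinel watchlist and are dropped from the failed-logon count before the threshold is applied, so every other source still trips the detection. The watchlist name `ScannerIPs`, its `IPAddress` column, and the threshold values are assumptions; `DeviceLogonEvents` is the Defender for Endpoint logon table.

```kusto
// Added example, not from the thread: exclude authorised scanner IPs from an
// internal brute-force detection instead of suppressing the whole alert type.
// Assumes a Sentinel watchlist 'ScannerIPs' with a column 'IPAddress'.
let scanners = _GetWatchlist('ScannerIPs')
    | project IPAddress = tostring(IPAddress);
let lookback  = 1h;
let window    = 10m;   // time bucket used to count failures
let threshold = 20;    // failed logons per source/device/bucket before alerting
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonFailed"
| where isnotempty(RemoteIP)
// Remove the scanner's password guesses here, so it never reaches the threshold
// while every other internal source is still counted normally.
| where RemoteIP !in (scanners)
| summarize FailedLogons     = count(),
            DistinctAccounts = dcount(AccountName),
            FirstSeen        = min(Timestamp),
            LastSeen         = max(Timestamp)
    by DeviceName, RemoteIP, bin(Timestamp, window)
| where FailedLogons >= threshold
| project-away Timestamp
| order by FailedLogons desc
```

The scanner's failed logons are still recorded in `DeviceLogonEvents`; only the alerting is exempted for it, so a compromised host reusing the same credentials from any other address still surfaces.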