AATP email notification | choose Critical severity only

Hi,
Is it possible to receive email alerts only when a Critical suspicious activity was detected?
The goal is to remediate too much noise...

Thank you
JiBaW

@JIBAW971 No, there is no way of doing that.

And even if there was, I would not recommend it.

It's not like the most critical issues are the only ones putting your network in danger.

An attacker can also trigger only medium alerts, for example, and still cause significant damage.

If you have too many alerts, you probably have a lot of false positives and need to work on proper exclusions. It's OK to decide to start with the critical ones if you come to the conclusion that they are most likely true positives, but you might find out that a medium alert is more urgent to take care of, for example if it has a wider effect on the network, etc. Eventually, the built-in severity is just an entry point; each organization should assess the risk of each alert for its own specific case.
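The two points made in the answer (work on proper exclusions rather than a severity cutoff, and judge each alert by its own risk), as an added example that is not part of the original thread and not the product's own API or alert schema: the alert titles, accounts, devices and exclusion list are constructed, and the risk score (severity weight times the number of affected accounts and devices) is an assumed heuristic.

```python
"""Exclusion-then-risk triage for ATP-style alerts (constructed example)."""
from dataclasses import dataclass, field

# Weight per built-in severity; only the ordering Low < Medium < High < Critical
# is taken from the product, the numeric weights are an assumption.
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Alert:
    alert_id: str
    title: str
    severity: str
    accounts: set = field(default_factory=set)  # accounts involved in the alert
    devices: set = field(default_factory=set)   # devices involved in the alert


def is_excluded(alert, exclusions):
    """True when every account in the alert is allow-listed for that alert title,
    e.g. a vulnerability scanner account that legitimately triggers reconnaissance alerts."""
    allowed = exclusions.get(alert.title, set())
    return bool(alert.accounts) and alert.accounts <= allowed


def risk_score(alert):
    """Severity is the entry point; the blast radius (accounts + devices) raises it."""
    return SEVERITY_WEIGHT[alert.severity] * (len(alert.accounts) + len(alert.devices))


def triage(alerts, exclusions):
    """Drop excluded alerts, then rank the remainder by risk score, highest first."""
    kept = [a for a in alerts if not is_excluded(a, exclusions)]
    return sorted(kept, key=risk_score, reverse=True)


# Constructed sample data, not real AATP output.
SAMPLE_ALERTS = [
    Alert("a1", "Suspicious credential access", "Critical", {"svc-backup"}, {"DC01"}),
    Alert("a2", "Account enumeration", "Medium", {"vscan-svc"}, {"SCAN01"}),
    Alert("a3", "Network mapping", "Medium", {"jdoe"}, {"WS01", "WS02", "WS03", "WS04", "WS05"}),
    Alert("a4", "Unusual logon", "Low", {"jdoe"}, {"WS01"}),
]
# Exclusion: the scanner account is expected to enumerate accounts.
SAMPLE_EXCLUSIONS = {"Account enumeration": {"vscan-svc"}}

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS, SAMPLE_EXCLUSIONS):
        print(f"{a.alert_id} {a.severity:<8} score={risk_score(a):<3} {a.title}")
```

With the sample data the Medium alert a3 outranks the Critical alert a1 because it touches six entities against two, which is the answer's point that severity alone is not the priority order; a2 is suppressed by the exclusion rather than by a severity filter.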

Got it. Many thanks Eli.