New! Extending user-based exclusions for alerts

Microsoft

You asked, we listened!

 

In an effort to improve and enhance your experience using Azure ATP, you can now set alert exclusions that include users, along with other entities such as IP addresses, subnets and computers.

 

For example, for the “Remote code execution attempt” detection, you can set an exclusion that is based on either a list of machines or an administrative account that is privileged to perform such activities. 


User-based exclusions were added to the following alerts:

  • Suspected DCSync attack (replication of directory services)
  • User and Group membership reconnaissance (SAMR)
  • Suspicious service creation
  • User and IP Address Reconnaissance (SMB)
  • Remote code execution attempt
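To make the exclusion model concrete, here is an added Python illustration (not Azure ATP code and not its alert schema or API) of how an exclusion scoped to one detection can name users, computers, IP addresses or subnets, and how it suppresses only alerts for that detection. The alert records, the `CONTOSO\...` accounts, host names and addresses are constructed sample data, and the field names are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample alerts. The dictionary keys are assumptions made for this
# illustration, not the product's real alert format.
ALERTS = [
    {"detection": "Remote code execution attempt",
     "user": "CONTOSO\\svc-deploy", "computer": "DC01", "ip": "10.1.2.10"},
    {"detection": "Remote code execution attempt",
     "user": "CONTOSO\\jdoe", "computer": "DC01", "ip": "10.1.2.11"},
    {"detection": "Suspected DCSync attack (replication of directory services)",
     "user": "CONTOSO\\svc-deploy", "computer": "WS07", "ip": "10.9.0.5"},
    {"detection": "User and Group membership reconnaissance (SAMR)",
     "user": "CONTOSO\\scanner", "computer": "SCAN01", "ip": "10.5.0.20"},
]


@dataclass
class Exclusion:
    """One exclusion rule, scoped to a single detection name."""
    detection: str
    users: set = field(default_factory=set)       # lower-cased account names
    computers: set = field(default_factory=set)   # lower-cased host names
    networks: list = field(default_factory=list)  # ip_network objects (hosts as /32)

    def matches(self, alert):
        # An exclusion never applies to a different detection, so an account
        # excluded for one alert type is still monitored for all the others.
        if alert["detection"] != self.detection:
            return False
        if alert["user"].lower() in self.users:
            return True
        if alert["computer"].lower() in self.computers:
            return True
        addr = ipaddress.ip_address(alert["ip"])
        return any(addr in net for net in self.networks)


def build_exclusion(detection, users=(), computers=(), addresses=()):
    """Normalise names and parse addresses; a bare IP becomes a /32 network."""
    return Exclusion(
        detection,
        {u.lower() for u in users},
        {c.lower() for c in computers},
        [ipaddress.ip_network(a, strict=False) for a in addresses],
    )


def apply_exclusions(alerts, exclusions):
    """Split alerts into those that surface and those an exclusion suppresses."""
    kept, suppressed = [], []
    for alert in alerts:
        if any(rule.matches(alert) for rule in exclusions):
            suppressed.append(alert)
        else:
            kept.append(alert)
    return kept, suppressed


def demo():
    # A deployment account is allowed to run code on DCs, and a vulnerability
    # scanner subnet is allowed to enumerate SAMR. Nothing else is excluded.
    rules = [
        build_exclusion("Remote code execution attempt",
                        users=["CONTOSO\\svc-deploy"]),
        build_exclusion("User and Group membership reconnaissance (SAMR)",
                        addresses=["10.5.0.0/24"]),
    ]
    return apply_exclusions(ALERTS, rules)


if __name__ == "__main__":
    kept, suppressed = demo()
    for a in suppressed:
        print("suppressed:", a["detection"], "|", a["user"])
    for a in kept:
        print("kept:      ", a["detection"], "|", a["user"])
```

Running the demo suppresses the deployment account's remote code execution alert and the scanner's SAMR alert, but the DCSync alert raised for the same deployment account is kept, because the exclusion was set only on the remote code execution detection. That per-detection scoping is the property to check when reviewing exclusions: excluding a privileged account for one expected activity should not blind the other detections to it.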

 

[Image: userexclusion.png]

Stay tuned for additional alerts and updates. As always, your feedback is welcome.
