New! Extending user based exclusions for alerts

%3CLINGO-SUB%20id%3D%22lingo-sub-386787%22%20slang%3D%22en-US%22%3ENew!%20Extending%20user%20based%20exclusions%20for%20alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-386787%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20asked%2C%20we%20listened!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20an%20effort%20to%20improve%20and%20enhance%20your%20experience%20using%20Azure%20ATP%2C%20you%20can%20now%20set%20alert%20exclusions%20that%20include%20users%2C%20along%20with%20other%20entities%20such%20as%20IP%20addresses%2C%20subnets%20and%20computers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20for%20the%20%E2%80%9C%3CSPAN%3ERemote%20code%20execution%20attempt%3C%2FSPAN%3E%3CSPAN%3E%E2%80%9D%20detection%2C%20you%20can%20set%20an%20exclusion%20that%20is%20based%20on%20%3C%2FSPAN%3E%3CSPAN%3Eeither%3C%2FSPAN%3E%3CSPAN%3E%20a%20list%20of%20machines%20or%20a%3C%2FSPAN%3E%3CSPAN%3En%20administrative%20%3C%2FSPAN%3E%3CSPAN%3Eaccount%20that%20is%20privileged%20to%20perform%20such%20activities.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EUser%20based%20exclusions%20were%20added%20to%20the%20following%20alerts%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3ESuspected%20DCSync%20attack%20(replication%20of%20directory%20services)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EUser%20and%20Group%20membership%20reconnaissance%20(SAMR)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESuspicious%20service%20creation%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EUser%20and%20IP%20Address%20Reconnaissance%20(SMB)%20%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ERemote%20code%20execution%20attempt%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F99135i0A2C7ECE54654338%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22userexclusion.png%22%20title%3D%22userexclusion.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EStay%20tuned%26nbsp%3Bfor%20additional%20alerts%20and%20updates.%26nbsp%3B%20As%20always%2C%20your%20feedback%20is%20welcome.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2370522%22%20slang%3D%22en-US%22%3ERe%3A%20New!%20Extending%20user%20based%20exclusions%20for%20alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2370522%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104809%22%20target%3D%22_blank%22%3E%40Tali%20Ash%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20proxy%20service%20running%2C%20with%20service%20account%20%3CSTRONG%3Esvc-proxy%3C%2FSTRONG%3E%2C%20on%20server%26nbsp%3B%3CSTRONG%3EDTxxxxxxxx02%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThese%20activities%20generates%20%E2%80%9CUser%20and%20IP%20address%20reconnaissance%20(SMB)%E2%80%9D%20alerts.%3C%2FP%3E%3CP%3EWe%20do%20not%20want%20future%20alerts.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22User_exclusion_before.jpg%22%20style%3D%22width%3A%20943px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F282038i57C27915DBCD4421%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22User_exclusion_before.jpg%22%20alt%3D%22User_exclusion_before.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EWe%20added%20the%20svc-proxy%20to%20user%20exclusion%20%E2%80%9CUser%20and%20IP%20address%20reconnaissance%20(SMB)%E2%80%9D%3C%2FP%3E%3CP%3EAfter%20we%20closed%20the%20alert%2C%20we%20still%20get%20alerts%20%22%3CFONT%20color%3D%22%23FF0000%22%3EAn%20actor%3C%2FFONT%3E%20on%26nbsp%3BDTxxxxxxxx02%20enumerated%20SMB%20sessions%20on...%22%3CBR%20%2F%3EIn%20the%20evidence%20details%20it%20shows%20An%20actor%20%3D%20svc-proxy%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22User_exclusion_after.jpg%22%20style%3D%22width%3A%20891px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F282041i81F015011BB070CD%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22User_exclusion_after.jpg%22%20alt%3D%22User_exclusion_after.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EWhy%20do%20we%20still%20get%20these%20alerts%20after%20we%20excluded%20the%20user%3F%3CBR%20%2F%3EIt%20seems%20the%20user%20%3CEM%3Eonly%3C%2FEM%3E%26nbsp%3Bbased%20exclusion%20for%20alerts%20is%20not%20working...%3CBR%20%2F%3E%3CBR%20%2F%3ERemark%3A%20if%20we%20exclude%20both%20the%20user%20%22svc-proxy%22%20and%20computer%20%22DTxxxxxxxx02%22%20it%20works%20fine%2C%20no%20more%20alerts.%20But%20we%20don't%20want%20to%20exclude%20the%20computer%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2386323%22%20slang%3D%22en-US%22%3ERe%3A%20New!%20Extending%20user%20based%20exclusions%20for%20alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2386323%22%20slang%3D%22en-US%22%3EWhen%20looking%20at%20the%20evidence%20timestamps%20(Jan%205)%20%2C%20did%20they%20happen%20after%20you%20excluded%20by%20the%20user%20%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2395618%22%20slang%3D%22en-US%22%3ERe%3A%20New!%20Extending%20user%20based%20exclusions%20for%20alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2395618%22%20slang%3D%22en-US%22%3EThe%20timestamp%20is%201st%20May.%3CBR%20%2F%3EYes%2C%20they%20happen%20after%20I%20excluded%20the%20user%20and%20closed%20the%20previous%20alert.%3CBR%20%2F%3EThe%20content%20of%20the%20new%20alert%20changed%20from%20%22svc-proxy%20on%22%20to%20%22An%20actor%20on%22.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2398838%22%20slang%3D%22en-US%22%3ERe%3A%20New!%20Extending%20user%20based%20exclusions%20for%20alerts%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2398838%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1058423%22%20target%3D%22_blank%22%3E%40DanPan%3C%2FA%3E%26nbsp%3BPlease%20open%20a%20support%20case%2C%20export%20the%20alert%20data%20to%20excel%20and%20share%26nbsp%3B%20with%20support.%3CBR%20%2F%3EGenerally%2C%20if%20you%20excluded%20the%20user%20account%20and%20indeed%20it%20was%20the%20same%20user%20that%20did%20this%2C%20we%20should%20not%20have%20reopened%20this%20alert.%3CBR%20%2F%3ENote%20that%20in%20some%20cases%20we%20cannot%20tell%20who%20the%20user%20is%2C%20depending%20on%20exact%20traffic%20type%2C%20so%20in%20this%20case%20if%20the%20machine%20was%20not%20excluded%2C%20we%20will%20still%20fire%20the%20alert%20based%20on%20the%20machine.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

You asked, we listened!

 

In an effort to improve and enhance your experience using Azure ATP, you can now set alert exclusions that include users, along with other entities such as IP addresses, subnets and computers.

 

For example, for the “Remote code execution attempt” detection, you can set an exclusion that is based on either a list of machines or an administrative account that is privileged to perform such activities. 


User based exclusions were added to the following alerts:

  • Suspected DCSync attack (replication of directory services)
  • User and Group membership reconnaissance (SAMR)
  • Suspicious service creation
  • User and IP Address Reconnaissance (SMB)
  • Remote code execution attempt

 

userexclusion.png

Stay tuned for additional alerts and updates.  As always, your feedback is welcome. 

4 Replies

Hi @Tali Ash

 

We have a proxy service running, with service account svc-proxy, on server DTxxxxxxxx02

These activities generates “User and IP address reconnaissance (SMB)” alerts.

We do not want future alerts.

User_exclusion_before.jpg


We added the svc-proxy to user exclusion “User and IP address reconnaissance (SMB)”

After we closed the alert, we still get alerts "An actor on DTxxxxxxxx02 enumerated SMB sessions on..."
In the evidence details it shows An actor = svc-proxy

User_exclusion_after.jpg

Why do we still get these alerts after we excluded the user?
It seems the user only based exclusion for alerts is not working...

Remark: if we exclude both the user "svc-proxy" and computer "DTxxxxxxxx02" it works fine, no more alerts. But we don't want to exclude the computer too.

When looking at the evidence timestamps (Jan 5) , did they happen after you excluded by the user ?
The timestamp is 1st May.
Yes, they happen after I excluded the user and closed the previous alert.
The content of the new alert changed from "svc-proxy on" to "An actor on".

@DanPan Please open a support case, export the alert data to excel and share  with support.
Generally, if you excluded the user account and indeed it was the same user that did this, we should not have reopened this alert.
Note that in some cases we cannot tell who the user is, depending on exact traffic type, so in this case if the machine was not excluded, we will still fire the alert based on the machine.