In an effort to improve and enhance your experience using Azure ATP, you can now set alert exclusions that include users, along with other entities such as IP addresses, subnets and computers.
For example, for the “Remote code execution attempt” detection, you can set an exclusion that is based on either a list of machines or an administrative account that is privileged to perform such activities.
User based exclusions were added to the following alerts:
Suspected DCSync attack (replication of directory services)
User and Group membership reconnaissance (SAMR)
Suspicious service creation
User and IP Address Reconnaissance (SMB)
Remote code execution attempt
Stay tuned for additional alerts and updates. As always, your feedback is welcome.