Microsoft Tech Community

AAD Identity Protection queries

Hi,

The "Create incidents based on all alerts generated in Azure Active Directory Identity Protection" rule is generating a lot of false-positive incidents in our environment.

Is it possible to find and edit the queries used to trigger these alerts, to get rid of the false-positive alerts? Or is it not possible to modify the query triggering the alerts generated by AAD Identity Protection?
4 Replies
These alerts are generated in the AAD IP program, so you can go there and see about adjusting the parameters to help alleviate the false positives.

Thank you for answering.
I don't seem to find what I search for, though. I hoped to find a customizable query, in the style of the ones used for custom-made Scheduled Analytics rules.

Are you referring to the Policies in the AADIP? Or can you give more details about where I can go and adjust parameters?
Thank you in advance.

Have you tried Automation Rules? https://docs.microsoft.com/en-us/azure/sentinel/false-positives This can help to filter certain things and then close them for you, etc.

Or you can also "Exclude specific alerts - Only create incidents from alerts that do not contain the following text in the alert name" from the Rule Wizard page.
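
Before putting alert-name text into that exclusion box (or an Automation Rule condition), it helps to know which AAD Identity Protection alert names actually end up closed as false positives, and how often the same name was a true positive. The KQL below is an added example, not from this thread or from Microsoft; it assumes the standard Sentinel SecurityIncident and SecurityAlert tables, that AADIP alerts carry ProviderName "IPC", and that incidents were closed with the FalsePositive classification.

```kusto
// Added example (not part of the original thread). Ranks AAD Identity Protection
// alert names by how many of their incidents were closed as false positives,
// so the exclusion text or automation-rule condition targets the right names.
// Assumption: AADIP alerts have ProviderName == "IPC"; verify in your workspace.
let lookback = 30d;
// Latest state of each incident; keep only those closed as FalsePositive,
// expanded to one row per alert id so we can join to SecurityAlert.
let fp_alert_ids =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | where Status == "Closed" and Classification == "FalsePositive"
    | mv-expand AlertId = AlertIds to typeof(string)
    | project AlertId, IncidentNumber, ClassificationReason;
// All AADIP alerts in the window, deduplicated by SystemAlertId.
let aadip_alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback) and ProviderName == "IPC"
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName;
aadip_alerts
| join kind=leftouter fp_alert_ids on $left.SystemAlertId == $right.AlertId
| extend IsFalsePositive = isnotempty(IncidentNumber)
| summarize Total = count(),
            FalsePositives = countif(IsFalsePositive),
            Reasons = make_set_if(ClassificationReason, IsFalsePositive, 5),
            SampleIncidents = make_set_if(IncidentNumber, IsFalsePositive, 10)
    by AlertName
// Low FalsePositiveRate means excluding this name would also drop true positives;
// a narrower Automation Rule condition is the safer choice there.
| extend FalsePositiveRate = round(100.0 * FalsePositives / Total, 1)
| order by FalsePositives desc
```

An alert name with a high false-positive count but a modest rate is a candidate for an Automation Rule scoped to the affected accounts rather than a blanket name exclusion.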

Thanks, I will look into this!