Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure Active Directory Identity Identity protection alerts suppression

Brass Contributor

We have sentinel ingesting incidents from Identity protection Risky users, sign-ins and detections from Azure portal > Azure Active Directory > Security. However, Sentinel is getting inundates with alerts: atypical travel, unfamiliar sign-ins which already have a correlated rule ('Correlate Unfamiliar sign-in properties and atypical travel alerts) which is great. However, I have marked the user in the Identity protect in the Azure portal as 'Confirmed Safe' and 'Dismissed' but still a few hours later still getting the same alerts for the user. Is there something I am missing to mark this user activity as safe so it stops alerting?

 

Thanks

3 Replies

@BcyberS So before like...last week, I could suppress the alerts in Defender so they never made it to Sentinel - however with the new Azure Identity Management that came out just recently - there's no way to suppress atypical travel alerts. As soon as I figure it out, I'll update you. 

@BcyberS You could look at Automation Rules and Logic Apps to auto-close known benign signals or scenarios where the user self remediates the risk event. You could use Automation Rules to auto-close Atypical travel. You can use Logic Apps to review the AAD IP alerts and auto-close scenarios where the user self-remediated the risk through MFA or SSPR.
I was wondering if anybody has a solution to this.

I get 40 to 50 high alerts a day for risky signins. All failed attempts using the wrong password. Even when the signin would succeed it would be block due to conditional access rules.

Anybody found a solution to reduces the number of alerts, maybe simply to one with many events? I can't seem to find any configuration option.