Azure Active Directory Identity Protection alerts suppression


We have Sentinel ingesting incidents from Identity Protection risky users, sign-ins and detections from Azure portal > Azure Active Directory > Security. However, Sentinel is getting inundated with alerts: atypical travel, unfamiliar sign-ins, which already have a correlated rule ('Correlate Unfamiliar sign-in properties and atypical travel alerts'), which is great. However, I have marked the user in Identity Protection in the Azure portal as 'Confirmed Safe' and 'Dismissed', but a few hours later I am still getting the same alerts for the user. Is there something I am missing to mark this user activity as safe so it stops alerting?


Thanks

2 Replies

@BcyberS So before, like, last week, I could suppress the alerts in Defender so they never made it to Sentinel - however, with the new Azure Identity Management that came out just recently, there's no way to suppress atypical travel alerts. As soon as I figure it out, I'll update you.

@BcyberS You could look at Automation Rules and Logic Apps to auto-close known benign signals or scenarios where the user self remediates the risk event. You could use Automation Rules to auto-close Atypical travel. You can use Logic Apps to review the AAD IP alerts and auto-close scenarios where the user self-remediated the risk through MFA or SSPR.
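One way to implement the triage logic the reply above describes, as an added example that is not code from either poster or from Microsoft: the script below takes Identity Protection risk detections in the shape of the Microsoft Graph riskDetection resource (riskEventType, riskState, userPrincipalName), decides which ones a user has already self-remediated (riskState "remediated") or an admin has marked "confirmedSafe" or "dismissed", optionally auto-closes a named detection type such as unlikelyTravel (Atypical travel) regardless of state, and builds the properties block a Logic App would PUT to the Sentinel Incidents REST API to close the matching incident as BenignPositive. It never auto-closes a detection an admin has marked confirmedCompromised. The detections are constructed sample data, the user names are made up, and no Graph or Sentinel call is made; wiring the body into an HTTP action against a real incident ID is left to the Logic App.

```python
"""Decide which Identity Protection risk detections Sentinel can auto-close.

Added example for this thread, not code from the posters or from Microsoft.
Assumptions: input records use the Microsoft Graph riskDetection field names
(riskEventType, riskState, userPrincipalName); the output dict mirrors the
"properties" block of a Sentinel Incidents REST API close request. No network
calls are made; SAMPLE_DETECTIONS below is constructed test data.
"""
from __future__ import annotations

from dataclasses import dataclass

# riskState values that mean the risk has already been dealt with:
# "remediated" = user passed MFA / reset password via SSPR,
# "confirmedSafe" / "dismissed" = an admin closed it in the portal.
BENIGN_RISK_STATES = frozenset({"remediated", "confirmedSafe", "dismissed"})


@dataclass(frozen=True)
class Decision:
    user: str
    event_type: str
    risk_state: str
    close: bool
    reason: str


def triage_detection(det: dict, auto_close_types: frozenset[str] = frozenset()) -> Decision:
    """Return a close/keep-open decision for one risk detection.

    auto_close_types lists riskEventType values (e.g. "unlikelyTravel") that an
    Automation Rule would close on sight, independent of riskState.
    """
    user = det.get("userPrincipalName", "<unknown>")
    event_type = det.get("riskEventType", "")
    risk_state = det.get("riskState", "")

    # Hard stop: an admin has confirmed compromise, never auto-close.
    if risk_state == "confirmedCompromised":
        return Decision(user, event_type, risk_state, False,
                        "admin confirmed compromise; keep open")
    # Self-remediated or admin-closed risk: safe to close in Sentinel too.
    if risk_state in BENIGN_RISK_STATES:
        return Decision(user, event_type, risk_state, True,
                        f"riskState={risk_state}: remediated or marked safe")
    # Noisy detection type the team has chosen to auto-close by policy.
    if event_type in auto_close_types:
        return Decision(user, event_type, risk_state, True,
                        f"{event_type} is on the auto-close list")
    return Decision(user, event_type, risk_state, False,
                    f"riskState={risk_state}: leave for analyst")


def triage_all(detections: list[dict], auto_close_types: frozenset[str] = frozenset()) -> list[Decision]:
    return [triage_detection(d, auto_close_types) for d in detections]


def sentinel_close_properties(decision: Decision) -> dict | None:
    """Build the incident properties a Logic App would PUT to close it.

    Classification values are the ones the Sentinel incident API accepts:
    BenignPositive / SuspiciousButExpected fits "user did it, it was them".
    Returns None when the decision is to keep the incident open.
    """
    if not decision.close:
        return None
    return {
        "properties": {
            "status": "Closed",
            "classification": "BenignPositive",
            "classificationReason": "SuspiciousButExpected",
            "classificationComment": (
                f"Auto-closed: {decision.event_type} for {decision.user}; "
                f"{decision.reason}"
            ),
        }
    }


# Constructed sample data (made-up users in an example domain).
SAMPLE_DETECTIONS: list[dict] = [
    {"riskEventType": "unlikelyTravel", "riskState": "remediated",
     "userPrincipalName": "alice@contoso.example"},          # passed MFA -> close
    {"riskEventType": "unfamiliarFeatures", "riskState": "atRisk",
     "userPrincipalName": "bob@contoso.example"},            # still at risk -> open
    {"riskEventType": "unfamiliarFeatures", "riskState": "confirmedSafe",
     "userPrincipalName": "carol@contoso.example"},          # admin said safe -> close
    {"riskEventType": "unlikelyTravel", "riskState": "confirmedCompromised",
     "userPrincipalName": "dave@contoso.example"},           # never auto-close
    {"riskEventType": "passwordSpray", "riskState": "none",
     "userPrincipalName": "erin@contoso.example"},           # not benign -> open
    {"riskEventType": "unlikelyTravel", "riskState": "atRisk",
     "userPrincipalName": "frank@contoso.example"},          # open unless type is auto-closed
]


if __name__ == "__main__":
    for d in triage_all(SAMPLE_DETECTIONS, frozenset({"unlikelyTravel"})):
        print(f"{d.user:28} {d.event_type:18} close={d.close!s:5} {d.reason}")
```

Run with the default (empty) auto-close list and only alice and carol close; pass `frozenset({"unlikelyTravel"})` and frank's open Atypical travel detection closes as well, while dave's confirmedCompromised detection stays open in both cases. That ordering of checks is the part worth keeping if you rebuild this as an Automation Rule: the benign-state check and the type-based rule must both sit behind the confirmedCompromised guard.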