Azure Active Directory Identity Protection alerts suppression

We have Sentinel ingesting incidents from Identity Protection Risky users, sign-ins and detections from Azure portal > Azure Active Directory > Security. However, Sentinel is getting inundated with alerts: atypical travel, unfamiliar sign-ins, which already have a correlated rule ('Correlate Unfamiliar sign-in properties and atypical travel alerts'), which is great. However, I have marked the user in Identity Protection in the Azure portal as 'Confirmed Safe' and 'Dismissed', but a few hours later I am still getting the same alerts for the user. Is there something I am missing to mark this user activity as safe so it stops alerting?

Thanks

0 Replies