SOLVED

Microsoft Sentinel Potentially malicious events - Flagging as Safe/Informational?

Occasional Contributor

Is there a way to change the status of a potentially malicious event as safe so it no longer shows up on the map? 

 

NoobieInfoSec_0-1661794218720.png

 

Also, is there a way to create some logic in Sentinel to say if any activity comes from a specific IP Address (like the one showing up in the potentially malicious event) to NOT show up on the map and instead just give an informational alert that it happened?  I started to try and create a rule to do this (see below) but not sure if I'm going about it the correct way.

 

NoobieInfoSec_1-1661794543004.png

 

 

 

 

 

3 Replies
best response confirmed by rodtrent (Microsoft)
Solution
Several tables are enriched in the background using Microsoft's threat intelligence. This feature is not well documented. Most notably the CommonSecurityLog table. The number of supported tables is frustratingly limited. There is no option to customize.

You can drill down on the map to see the KQL. You could use this to create a custom map in a workbook and even custom alerts. From there you could add exclusions and additions.
Thanks. I think I have found an OK solution to creating an alert when this specific event happens.

I just want to clarify though that there is no way to remove this potentially malicious event from showing up on the map like it does though, right? Even if we flag this IP Address or Coordinates as safe?
Correct. The dashboard reflects a union of the supported tables where malicious IPs are noted. Such a filter would need to be applied on the dashboard. It is an interesting visualization but no controls or alerts are included.