cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Reduce noisy alerts

gsingh_
Copper Contributor

‎Jun 05 2022 05:11 PM

‎Jun 05 2022 05:11 PM

Reduce noisy alerts

Hi All, We are working to reduce noisy alerts in Sentinel. A couple of use cases:

"Rare RDP Connections"
"Rare subscription-level operations in Azure"

We see these alerts getting generated from the expected/legit tech user accounts. I was planning to use a Watchlist to add all the legit users but is there a possibility to add an extra safety layer in the rule logic e.g.
Lookup users in the watchlist AND if logins succeeded via Conditional Access MFA then do not alert. I am wondering how can we achieve that? as SignIns events and alert timestamp won't match. Thanks

Labels:
2,456 Views
0 Likes
2 Replies
Reply
2 Replies
Gary Bushey

‎Jun 07 2022 04:07 AM

‎Jun 07 2022 04:07 AM

Re: Reduce noisy alerts

@gsingh_ When you setup the Watchlist, make sure that it contains a field that you can match on (maybe email address or internal GUID) so that you can then use that field to perform the match in a join command.

 

However, are you sure that is the correct way to go? I would think, based on the queries for these rules, that these rules find new activity in the last 14 days so they alerts would not show up after that time.  Are the alerts being return actually correct, even if they are from valid users?   If you modify the query to avoid these users you could be missing valid alerts.

 

You could see about combining the alerts into a single incident to avoid having all the incidents that would normally be generated (under the Incidents settings tab if you were not aware)

0 Likes
Reply
gsingh_

‎Jun 09 2022 08:13 PM

‎Jun 09 2022 08:13 PM

Re: Reduce noisy alerts

Hi @Gary Bushey thanks for the response. The use of internal GUID is a great idea, I will check it out. 

I am not sure if this is an ideal way of tuning these use cases as we are running most of the rules once a day (With a lookup from the last 1 day). The alerts are picking up the right activity but it's from our legitimate internal tech users. 

The reason I was keen to add the MFA login condition is because of the safety reasons, considering if an intruder is able to get access to our internal tech user's account somehow and use the credentials to perform any of these operations, we should definitely get alerted via these rules. I mean if the events indicate Logins from Internal (Tech User + Internal GUID + MFA Succeed) then it's safe to ignore these alerts. 

Also, we are already combining these in a single incident. :) Thanks

0 Likes
Reply