Jun 05 2022 05:11 PM
Hi All, We are working to reduce noisy alerts in Sentinel. A couple of use cases:
"Rare RDP Connections"
"Rare subscription-level operations in Azure"
We see these alerts getting generated from the expected/legit tech user accounts. I was planning to use a Watchlist to add all the legit users, but is there a possibility to add an extra safety layer in the rule logic, e.g.
lookup users in the watchlist AND if logins succeeded via Conditional Access MFA then do not alert? I am wondering how we can achieve that, as SignIns events and alert timestamps won't match. Thanks
Jun 07 2022 04:07 AM
@gsingh_ When you set up the Watchlist, make sure that it contains a field that you can match on (maybe email address or internal GUID) so that you can then use that field to perform the match in a join command.
However, are you sure that is the correct way to go? I would think, based on the queries for these rules, that these rules find new activity in the last 14 days so the alerts would not show up after that time. Are the alerts being returned actually correct, even if they are from valid users? If you modify the query to avoid these users you could be missing valid alerts.
You could see about combining the alerts into a single incident to avoid having all the incidents that would normally be generated (under the Incidents settings tab, if you were not aware).
Jun 09 2022 08:13 PM
Hi @Gary Bushey thanks for the response. The use of internal GUID is a great idea, I will check it out.
I am not sure if this is an ideal way of tuning these use cases, as we are running most of the rules once a day (with a lookup from the last 1 day). The alerts are picking up the right activity, but it's from our legitimate internal tech users.
The reason I was keen to add the MFA login condition is safety: if an intruder is somehow able to get access to our internal tech user's account and use the credentials to perform any of these operations, we should definitely get alerted via these rules. I mean, if the events indicate logins from Internal (Tech User + Internal GUID + MFA Succeed), then it's safe to ignore these alerts.
Also, we are already combining these in a single incident. :) Thanks
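An added example, not part of any post in this thread: one way to express the "watchlist user AND recent MFA sign-in" condition discussed above in KQL, handling the timestamp mismatch with a time window instead of an exact match. The `datatable` rows are constructed sample data; the one-hour `TrustWindow`, the same-source-IP requirement and the sample account names are assumptions, and `RuleHits` is a simplified stand-in for the output of the real rule query.

```kusto
// Constructed sample rows stand in for the real sources. In a workspace, swap in
// _GetWatchlist('<your alias>'), SigninLogs, and the analytic rule's own query output.
let TechUsers = datatable(SearchKey:string) [
    "svc-deploy@contoso.example",
    "ops-admin@contoso.example"
];
let Signins = datatable(TimeGenerated:datetime, UserPrincipalName:string, ResultType:string,
        AuthenticationRequirement:string, ConditionalAccessStatus:string, IPAddress:string) [
    datetime(2022-06-05 08:00:00), "svc-deploy@contoso.example", "0", "multiFactorAuthentication", "success", "10.0.0.5",
    datetime(2022-06-05 09:30:00), "ops-admin@contoso.example", "0", "singleFactorAuthentication", "notApplied", "203.0.113.7"
];
let RuleHits = datatable(TimeGenerated:datetime, Caller:string, CallerIpAddress:string, OperationNameValue:string) [
    datetime(2022-06-05 08:20:00), "svc-deploy@contoso.example", "10.0.0.5", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    datetime(2022-06-05 09:45:00), "ops-admin@contoso.example", "203.0.113.7", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    datetime(2022-06-05 10:00:00), "unknown@contoso.example", "198.51.100.9", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
];
// Assumption: how long after an MFA sign-in the activity is still treated as covered.
let TrustWindow = 1h;
// Successful sign-ins by watchlisted users where MFA was required and Conditional Access passed.
let TrustedSessions = Signins
    | where ResultType == "0"
        and AuthenticationRequirement == "multiFactorAuthentication"
        and ConditionalAccessStatus == "success"
    | extend User = tolower(UserPrincipalName)
    | join kind=inner (TechUsers | extend User = tolower(SearchKey)) on User
    | project SigninTime = TimeGenerated, User, SigninIp = IPAddress;
RuleHits
| extend User = tolower(Caller)
// leftouter keeps every hit, including those with no trusted session at all.
| join kind=leftouter (TrustedSessions) on User
// A hit is covered only by a session from the same IP that started within the window before it.
| extend Covered = isnotnull(SigninTime)
    and SigninIp == CallerIpAddress
    and TimeGenerated >= SigninTime
    and TimeGenerated <= SigninTime + TrustWindow
// One user may have many sessions; collapse back to one row per hit.
| summarize CoveringSessions = countif(Covered)
    by TimeGenerated, Caller, CallerIpAddress, OperationNameValue
// Alert on everything that no trusted session covers.
| where CoveringSessions == 0
```

Because the suppression is an allow condition layered on a left outer join, a watchlisted account that acts without a matching MFA session still alerts, as does any account missing from the watchlist.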