Microsoft Defender for Identity - new exclusion settings now in Public Preview

Published Sep 22 2021 09:33 AM
Microsoft

As part of ongoing efforts to make all experiences and features from Microsoft Defender for Identity available in Microsoft 365 Defender, the product group took the opportunity to not just lift and shift the exclusion configuration page, but to revamp the experience and make some new functionality available for security teams. This announcement confirms that these features are now available in public preview and will be made generally available soon.

 

So first of all, the new home for the exclusion settings can be found in the Settings area of Microsoft 365 Defender, under the Identities section:

 

[Image: Exclusions1.png] Figure 1 - A screenshot of the Microsoft 365 Defender settings screen, highlighting the Identities section

 

And then you'll see Excluded entities on the left-hand menu:

 

[Image: Exclusions2.png] Figure 2 - A screenshot of the Microsoft Defender for Identity settings area, with the Excluded entities section highlighted

 

Under Excluded entities are two separate options. The first is Exclusions by detection rule, which will be familiar if you have configured exclusions in the Defender for Identity portal before. Any exclusions you have already set up there are automatically ported across to this area:

 

[Image: Exclusions3.png] Figure 3 - An overview of any per-detection exclusions in the excluded entities area

 

You'll also see Global excluded entities, which is a new feature being introduced as part of this rollout. Global exclusions allow you to define certain entities (IP addresses, subnets, devices, or domains) to be excluded across all of the detections Defender for Identity has. Note that a global exclusion only takes effect in detections that identify that kind of entity: if you exclude a device, for example, it applies only to those detections that have device identification as part of the detection, and has no effect on detections that never identify a device.
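Before committing to a global exclusion, it is worth knowing which past alerts it would have silenced. The following is an added example, not Microsoft's code and not an MDI API: it models the matching behaviour described above (an exclusion applies only in detections that identified that entity type; a per-rule exclusion applies only to its own rule) in Python and runs a proposed exclusion list over a small constructed set of alerts with their evidence. The entity labels ("Ip", "Device", "Domain"), the sample alerts and the exact matching rules (subnet containment, case-insensitive device name, domain suffix match) are assumptions for the example; the page does not document MDI's precise matching semantics, so treat the result as an estimate. In practice you would feed it alert evidence exported from the portal rather than the embedded sample.

```python
"""Dry run a proposed set of Defender for Identity exclusions against exported alert
evidence, to see which past alerts the exclusions would have silenced.

Added example, not Microsoft code. The matching rules are a simplified model of the
behaviour the post describes (an exclusion only takes effect in detections that
identified that kind of entity); MDI's exact matching semantics are an assumption here.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Evidence:
    entity_type: str  # "Ip", "Device" or "Domain" (labels assumed for this example)
    value: str


@dataclass
class Alert:
    alert_id: str
    title: str  # detection rule name as shown in the portal
    evidence: tuple


@dataclass(frozen=True)
class Exclusion:
    kind: str  # "ip", "subnet", "device" or "domain"
    value: str
    rules: Optional[frozenset] = None  # None = global; otherwise the rule titles it applies to


def _matches(excl: Exclusion, ev: Evidence) -> bool:
    """An exclusion only matches evidence of the corresponding entity type."""
    if excl.kind in ("ip", "subnet") and ev.entity_type == "Ip":
        try:
            addr = ipaddress.ip_address(ev.value)
        except ValueError:
            return False  # malformed evidence never matches
        return addr in ipaddress.ip_network(excl.value, strict=False)
    if excl.kind == "device" and ev.entity_type == "Device":
        return ev.value.lower() == excl.value.lower()
    if excl.kind == "domain" and ev.entity_type == "Domain":
        name, dom = ev.value.lower(), excl.value.lower()
        return name == dom or name.endswith("." + dom)
    return False


def suppressed_by(alert: Alert, exclusions) -> list:
    """Exclusions that would silence this alert (per-rule ones only for their own rule)."""
    hits = []
    for excl in exclusions:
        if excl.rules is not None and alert.title not in excl.rules:
            continue
        if any(_matches(excl, ev) for ev in alert.evidence):
            hits.append(excl)
    return hits


def dry_run(alerts, exclusions):
    """Return (ids of alerts that would be suppressed, count of lost alerts per rule)."""
    suppressed, lost = [], Counter()
    for alert in alerts:
        if suppressed_by(alert, exclusions):
            suppressed.append(alert.alert_id)
            lost[alert.title] += 1
    return suppressed, lost


# Constructed sample: a vulnerability scanner at 10.1.2.3, plus unrelated alerts.
RCE = "Remote code execution attempt"
SAMPLE_ALERTS = [
    Alert("A1", RCE, (Evidence("Device", "SERVER001"), Evidence("Ip", "10.1.2.3"))),
    Alert("A2", RCE, (Evidence("Device", "SERVER002"), Evidence("Ip", "10.1.2.3"))),
    Alert("A3", "Network mapping reconnaissance (DNS)", (Evidence("Ip", "10.1.2.3"),)),
    Alert("A4", "Suspected identity theft (pass-the-ticket)",
          (Evidence("Device", "WS-042"), Evidence("Ip", "10.9.9.9"))),
    # No device evidence at all: a device exclusion cannot apply here.
    Alert("A5", "Suspected brute force attack (LDAP)", (Evidence("Ip", "192.168.5.5"),)),
    Alert("A6", "Suspicious communication over DNS", (Evidence("Domain", "dc01.partner.example"),)),
]

if __name__ == "__main__":
    proposed = [Exclusion("subnet", "10.1.2.0/24")]  # candidate global exclusion
    ids, lost = dry_run(SAMPLE_ALERTS, proposed)
    print("would suppress:", ids)
    for title, n in lost.most_common():
        print(f"  {n} x {title}")
```

Run it once with the global subnet exclusion and once with the same device excluded only for the "Remote code execution attempt" rule to see the difference in blast radius: the global subnet exclusion silences three alerts across two rules, while the per-rule device exclusion silences only the one alert on that device for that rule. A5 is never suppressed by a device exclusion because its evidence contains no device, which is the caveat in the paragraph above.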

 

In both of these sections, you'll find a helpful search bar at the top of the screen. This quality of life improvement will help you quickly locate any particular detection that you're looking for.

[Image: Exclusions4.png] Figure 4 - A new search function at the top of each of the exclusion tables

 

Please check out the features for yourself in Microsoft 365 Defender (security.microsoft.com), and as always, we'd love your feedback on these changes. Please leave a comment here, and we'll strive to get back to you as quickly as possible. 

 

2 Comments
Occasional Contributor
Hmm... I think we're still needing a more granular exclude rule set, where we can exclude a particular user account doing something to or on particular devices for particular rules. I.e., Ignore any alerts raised for svc_vulnerabilityscanner running on Server001 for the Remote code execution attempt rule but raise an alert if svc_vulnerabilityscanner attempts a Remote code execution on Server002. Globally excluding across all rules might mean we miss something?
New Contributor

I've noticed our logs are full of MDI sensor errors when they attempt to connect to domains with which we have a domain trust. I assume excluding them here won't change this sensor behavior but will just exclude them from detections?
