User Profile
WhitMc
Copper Contributor
Joined Dec 20, 2022
Recent Discussions
Re: Edit anomaly detection policy by excluding certain endpoints
Update and for reference in case someone searches for this in the future - I found documentation about including or excluding specific users or groups here: https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
483 Views, 0 likes, 0 Comments
Edit anomaly detection policy by excluding certain endpoints
Does anyone have insight or know of documentation (I have hunted through these discussions and the Microsoft documentation) related to 'Edit anomaly detection policy' to exclude a specific set of devices for a built-in detection policy? Currently, under Edit anomaly detection policy, I can select Scope > Specific users and groups ... where I'm able to create a filter for specified devices. There is an Include and Exclude checkbox and I'm not sure whether these will contradict when trying to exclude a group of devices. Additionally, if there are other more efficient ways to do this rather than creating an Exclude filter within each anomaly detection policy, I'd love to know about it.
529 Views, 0 likes, 1 Comment
Re: Are these questionable activities?
My reply is a few days late, but what you are seeing seems pretty typical to VPN connections on personal devices, likely mobile phones. You should be able to correlate that activity to a mobile device. Or, like richrico suggested, ask the users if they use the mobile Outlook app on their phones as well as a personal VPN. I will bet you the answer is yes!
14K Views, 1 like, 0 Comments