Closing incident in True Positive on Sentinel, can restrict user from sending emails??

Question

Hi Team,

We have received an incident on Sentinel for - "Suspicious email sending patterns detected" and it has been closed in True Positive, can closing the incident on Sentinel in True Positive restrict the user from sending the emails and mark him as a compromised??

Thank You

Answer 1

Hello Borade, Abhijeet

Closing an incident in Microsoft Sentinel as a True Positive indicates that suspicious email sending patterns were confirmed. However, closing the incident itself does not automatically restrict the user from sending emails or mark them as compromised.

The user is restricted for sending emails is totally dependent on the Outbound spam policies which you have configured, Admins are automatically notified of suspicious outbound email activity and blocked users via alert policies.

By default outbound spam policy automatically applies to all senders. For greater granularity, you can also create custom outbound spam policies that apply to specific users, groups, or domains in your organization.

The default Alert policies named Email sending limit exceeded, Suspicious email sending patterns detected, and User restricted from sending email already send email notifications to members of the TenantAdmins group (Global Administrator members) group about unusual outbound email activity and blocked users due to outbound spam.

you can check the document for the detailed information: https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-policies-configure?view=o365-worldwide

Additionally if you want to Configure Defender for Identity detection exclusions in Microsoft Defender XDR follow: https://learn.microsoft.com/en-us/defender-for-identity/exclusions

Hope this helps. Let us know if you have any additional queries. Happy to assist you further.