Using "Exclude specific alerts" in Analytic Rule Wizard not working

psmiriglio 0 Reputation points
2023-07-26T21:03:49.5866667+00:00

Hi team,

We are using Sentinel to centralize all alerts from the different Azure Security solutions.

Because of that, sometimes we are receiving two alerts for the same behaviour and it's causing us alert fatigue.

I tried using the feature "Exclude specific alert" filter to avoid duplicates, using the name of the alert but they keep coming.

This is the filter I'm using:

[screenshot not included]

This is the summary of the incident:

[screenshot not included]

Any recommendation would be helpful :)

Kind regards,

Microsoft Sentinel

2 answers

  1. Andrew Blumhardt 9,776 Reputation points Microsoft Employee
    2023-07-26T21:38:41.8666667+00:00

    Do you have the Microsoft Defender 365 (M365D) connector enabled?

    AAD Identity Protection alerts are sent to M365D automatically.

    There is also an AAD-IP Connector and related Microsoft Security rule. Having both enabled will lead to duplicate alerts.

    I don't believe there is a similar feature to filter the M365D alerts. You might consider using an automation rule to auto-close instead.

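To see which alerts are actually arriving twice, and from which connector, before deciding between the "Exclude specific alerts" filter and an auto-close automation rule, the KQL query below can be run in the Sentinel Logs blade against the SecurityAlert table. It is an added example and not part of the question or the answer above; the 7-day lookback, the 1-hour grouping window, and the choice of CompromisedEntity as the correlation key are assumptions, and it relies only on the default SecurityAlert columns.

```kql
// Added example (not from the thread): list alerts that Sentinel received
// from more than one provider for the same entity in the same time window,
// i.e. the duplicate pattern described above (a direct AAD Identity
// Protection connector alongside the M365D connector).
// Assumptions: 7d lookback, 1h window, CompromisedEntity as the entity key.
SecurityAlert
| where TimeGenerated > ago(7d)
| where isnotempty(AlertName)
| summarize
    Providers = make_set(ProviderName),   // e.g. which connectors emitted it
    Products  = make_set(ProductName),
    AlertIds  = make_set(SystemAlertId),  // useful for auto-close rule tests
    Copies    = count()
  by AlertName, CompromisedEntity, Window = bin(StartTime, 1h)
// Keep only alerts that were delivered by two or more distinct providers.
| where Copies > 1 and array_length(Providers) > 1
| order by Copies desc
| project Window, AlertName, CompromisedEntity, Providers, Products, Copies, AlertIds
```

The AlertName column in the result is the string to put into the exclusion filter; copying it from the query output rather than retyping it avoids the kind of spelling mismatch this thread ended up with, and the Providers set shows which connector is the redundant one if you would rather disable it than filter.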

  2. psmiriglio 0 Reputation points
    2023-08-02T20:50:44.26+00:00

    Hi Andrew,

    Thank you for the reply.

In this case, after reviewing the case again, I figured out that I was writing "sing" instead of "sign" and that was causing the issue.

    The problem is solved now.

    Regards,
