Exclude "Creation of forwarding/redirect rule" incidents from Sentinel

Miguel Calderón 45 Reputation points
2023-08-03T02:12:36.5+00:00

Dear Team

We are using the Sentinel integration with Microsoft 365 Defender in order to replicate incidents, and I would like to exclude some of them, like "Creation of forwarding/redirect rule", but we are not able to find the analytic rule that triggers this alert; usually it appears on the incident full details view.

Please advise me if there is any other way to exclude these incidents coming from Microsoft 365 Defender.

I'll appreciate any help.

BR

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft Security | Microsoft Sentinel

Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-08-03T23:32:32.48+00:00

    Hi @Miguel Calderón ,

    The Creation of forwarding/redirect rule is a Default alert policy from Microsoft 365 Threat Management alert policies. https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide#default-alert-policies

    The default alert policy cannot be changed and is enabled by default. However, you could turn off the policy on the Alert policies page. https://learn.microsoft.com/en-us/purview/alert-policies?redirectSourcePath=%252fen-us%252farticle%252falert-policies-in-the-office-365-security-compliance-center-8927b8b9-c5bc-45a8-a9f9-96c732e58264#managingalerts

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.

    1 person found this answer helpful.

1 additional answer

  1. Clive Watson 7,866 Reputation points MVP Volunteer Moderator
    2023-11-12T18:27:22.6833333+00:00

    You may also be able to suppress them in Microsoft Sentinel with an Automation rule (I've not tried this specific one, and only with the new Microsoft 365 Defender connector).
