Defender for Cloud Security alerts.

Question

Defender for Cloud Security alerts.

Vitalii Liashuk 165

Hi,

Can I manage(change) security alerts in DfC? For example, I have security alert "Login from an unusual location" with medium severity. Can I change the severity to low for the future alerts?

Also I received following alert - "Possible incoming SMTP brute force attempts detected". I see only main entities on the alert page but I want see more information. For example raw logs in Log Analytics. Is it possible?

Thank you!

Givary-MSFT 35,786 Reputation points Microsoft Employee Moderator

2023-09-01T09:21:48.55+00:00

@Vitalii Liashuk Thank you for reaching out to us, As I understand you have couple of questions on defender for cloud.

Regarding this 1st query - Can I manage(change) security alerts in DfC/Can I change the severity to low for the future alerts?

Its not possible to change the severity of the alerts, for example - medium to low, for future alerts you can create suppression rules to triage them - Respond to security alerts

Regarding the 2nd query, I am researching on the same and revert back.
Vitalii Liashuk 165 Reputation points

2023-09-01T13:39:49.97+00:00

Ok, I will wait. Thank you!

1 answer

Your answer

Givary-MSFT 35,786 Reputation points Microsoft Employee Moderator

2023-09-01T09:21:48.55+00:00

@Vitalii Liashuk Thank you for reaching out to us, As I understand you have couple of questions on defender for cloud.

Regarding this 1st query - Can I manage(change) security alerts in DfC/Can I change the severity to low for the future alerts?

Its not possible to change the severity of the alerts, for example - medium to low, for future alerts you can create suppression rules to triage them - Respond to security alerts

Regarding the 2nd query, I am researching on the same and revert back.
Vitalii Liashuk 165 Reputation points

2023-09-01T13:39:49.97+00:00

Ok, I will wait. Thank you!

Answer 1

Andrew Blumhardt 10,071 Microsoft Employee

Agreed. You cannot change future incidents (easily) within MDFC. The same can be said for other solutions like MDE and MDI. If you forward these alerts to Sentinel, you can use an Automation Rules or Playbooks to revise an incident. You could also use a workflow automation (logic app) inside of MDFC to change incident severity levels.

If you want to enrich the incident with more information, then you really need to do that in Sentinel. Enriching incidents using automation to add comments is a common automated response in Sentinel.

Vitalii Liashuk 165 Reputation points

2023-09-01T13:39:18.6333333+00:00

About the second question. Yes, I can search some data in Sentinel LA, but to do this I should enable the connector and stream logs to LA, for example SQL. I have already enabled plan in DfC for SQL, so I don`t want to analyze data twice and spend more money on streaming additional logs. DfC has already given me analytics but I want to see raw data. I try to find this answer.
Givary-MSFT 35,786 Reputation points Microsoft Employee Moderator

2023-09-05T10:01:13.6033333+00:00

@Vitalii Liashuk Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Share via

Defender for Cloud Security alerts.

1 answer

Your answer